Custom Rules
Where Access Control gives you coarse-grained blocks (country, IP), Custom Rules let you express precise policies: "block any visitor with an empty user-agent from ASN 14061 hitting /cart in the last 60 seconds more than 10 times."
Anatomy of a rule
A rule has four parts:
- Name — for your own reference
- Conditions — one or more, combined with AND
- Action — allow, challenge, block
- Priority — lower number wins. Default 100.
Rules are evaluated before the score-based pipeline. If any rule matches, its action is taken and we skip scoring.
Conditions
| Field | Operators | Example value |
|---|---|---|
| ip | equals, in CIDR | 203.0.113.0/24 |
| country | equals, in list | RU, [CN,KP,IR] |
| asn | equals, in list | 14061, [16509,14618] |
| asn_org | contains, regex | DigitalOcean |
| user_agent | contains, regex, empty | ^curl/ |
| header.<name> | exists, equals, regex | header.accept-language regex ^$ |
| path | equals, prefix, regex | /cart, prefix /account |
| rate.requests | gt within window | > 10 within 60s |
| score | gt, lt | > 50 |
Regex is anchored with ^ and $. Use regex101.com to test.
Examples
Block all empty user-agents on checkout-adjacent paths:
| Field | Op | Value |
|---|---|---|
| user_agent | empty | — |
| path | prefix | /checkout |
Action: block. Priority: 50.
Challenge anyone from a known datacenter ASN hitting /cart fast:
| Field | Op | Value |
|---|---|---|
| asn | in list | [16509, 14618, 14061, 8075] |
| path | prefix | /cart |
| rate.requests | gt within | 5 within 30s |
Action: challenge. Priority: 30.
Allow your monitoring service even if it looks suspicious:
| Field | Op | Value |
|---|---|---|
| header.x-monitor-key | equals | <your-shared-secret> |
Action: allow. Priority: 1.
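The evaluation order described above (conditions combined with AND, lowest priority number wins, no match falls through to scoring), modelled locally on the three example rules. This is an added example, not the product's engine or API: the rule layout, the `evaluate` and `req` helpers, the rule names, the sample requests and the choice to count only earlier hits in the rate window are assumptions.

```python
import hmac

DATACENTER_ASNS = {16509, 14618, 14061, 8075}   # list from the second example
MONITOR_KEY = b"example-shared-secret"          # placeholder for <your-shared-secret>

def recent(hits, now, window):
    """Count earlier request timestamps inside the window ending at `now`."""
    return sum(1 for t in hits if 0 <= now - t < window)

def monitor_key_ok(r):
    # Constant-time comparison: the header value is effectively a credential.
    return hmac.compare_digest(r["headers"].get("x-monitor-key", "").encode(), MONITOR_KEY)

# Hypothetical in-memory form of the three example rules; each condition is a predicate.
RULES = [
    {"name": "empty-ua-checkout", "priority": 50, "action": "block",
     "conds": [lambda r: r["user_agent"] == "",
               lambda r: r["path"].startswith("/checkout")]},
    {"name": "dc-cart-rate", "priority": 30, "action": "challenge",
     "conds": [lambda r: r["asn"] in DATACENTER_ASNS,
               lambda r: r["path"].startswith("/cart"),
               lambda r: recent(r["hits"], r["ts"], 30) > 5]},
    {"name": "allow-monitor", "priority": 1, "action": "allow",
     "conds": [monitor_key_ok]},
]

def evaluate(request, rules=RULES):
    """Return (action, rule name) for the matching rule with the lowest priority number."""
    for rule in sorted(rules, key=lambda x: x["priority"]):
        if all(cond(request) for cond in rule["conds"]):  # conditions combine with AND
            return rule["action"], rule["name"]
    return "score", None  # no rule matched: the score-based pipeline decides

def req(path, ua="Mozilla/5.0", asn=64500, headers=None, hits=(), ts=1000.0):
    """Build a constructed sample request (ASN 64500 is a documentation ASN)."""
    return {"path": path, "user_agent": ua, "asn": asn,
            "headers": headers or {}, "hits": list(hits), "ts": ts}

if __name__ == "__main__":
    burst = [1000.0 - i for i in range(1, 7)]  # six earlier hits in the last 6 seconds
    samples = [
        req("/checkout/pay", ua=""),
        req("/checkout/pay", ua="", headers={"x-monitor-key": "example-shared-secret"}),
        req("/cart/add", asn=14061, hits=burst),
        req("/cart/add", asn=14061, hits=burst[:3]),
    ]
    for s in samples:
        print(s["path"], s["asn"], evaluate(s))
```

The second sample is the one to study: the priority-1 allow rule wins over the block rule for any request carrying the header value, so the shared secret should be long, random and handled like any other credential.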
Limits
| Plan | Rules per shop | Rate-window storage |
|---|---|---|
| Scale | 25 rules | 60s sliding window |
| Max | 100 rules | 5min sliding window |
Free/Grow do not have Custom Rules.
Testing a rule
Save your rule with the action monitor (no enforcement, matches are only logged) and leave it for 24h. Then check Visitor Analytics, filtered by reason = rule:<your-rule-name>. If the matches look right, switch the action to block or challenge.
Available on
Scale ($49/mo) and Max ($99/mo).