CDN/Backend api
Material may not yet be complete, information may presently be omitted, and certain parts of the content may be subject to radical, rapid alteration. More information pertaining to this may be available on the talk page.
This page describes the headers that our CDN adds to requests sent to the backend.
x-trusted-request
This header expresses the level of trust of a request from the point of view of identification: do we know who is making this request, and if so, do we trust them? The values range from A to F; the table below explains what each one means.
| x-trusted-request | Meaning |
|---|---|
| A | The request comes from a trusted network, like WMCS or another Wikimedia network, and is exempted from most rate-limiting and requestctl filters. |
| B | The request comes from verified crawlers and bots, which we identify by their User-Agent and IP range. These requests have allocated rate-limits in the CDN, and are excluded from any other filtering rule. |
| C | The request has a valid logged-in MediaWiki session (correctly signed JWT session token). The request is exempted from most requestctl filters, and rate-limiting is based on the MediaWiki account rather than the IP (via the encrypted JWT subject ID). |
| D | The request is from a bot that identifies itself with a User-Agent compliant with our robot policy but is not otherwise authenticated. Requests from these bots are automatically rate-limited based on their contact information, according to our robot policy. |
| E | Generic, unidentified traffic. This includes most of the logged-out human traffic and bots that do not honor our UA policy. This traffic is subject to all requestctl filtering rules, and it also gets a score indicating the probability of being a browser (see X-Is-Browser below). Depending on the score, rate-limiting (which is based on the wmfuniq cookie, or on the IP as a fallback) will be more lenient or stricter. |
| F | Traffic from abusive networks. It should mostly be blocked or heavily rate-limited. |
On the backend, this information can help you make decisions about performing expensive operations, or setting different limits on resource consumption.
x-is-browser
For requests in classes E and F above, this header contains a score indicating how likely it is that the request comes from a browser rather than a script. Values above 80 indicate a high likelihood that the request comes from a browser. Conversely, a value below 20 indicates a high likelihood that the request does not come from a browser.
x-ua-contact
This header is present in requests of classes C through F, as defined above, and contains the contact information of automated clients (bots) that respect our policy. This can be either a URL or an email address that the client indicates in the User-Agent header. If the client indicates both in the User-Agent header, the email address is preferred and saved in the X-UA-Contact header sent downstream.
x-provenance
This header is a semicolon-separated list of label=value pairs, indicating the origin of a request and some of its properties. You can refer to its dedicated page for full details.
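As an added example (not code from this page or from the CDN), here is one way a backend service could turn the headers described above into a resource tier for expensive operations. The tier names, the class-to-tier mapping, the least-trust default for a missing or malformed value, and the x-provenance labels in the sample are assumptions; it also assumes the service is reachable only through the CDN, so the header values are the CDN's and not the client's.

```python
import math

VALID_TRUST = set("ABCDEF")  # classes from the x-trusted-request table

def parse_provenance(raw):
    """Split a 'label=value;label=value' x-provenance string into a dict."""
    pairs = {}
    for item in raw.split(";"):
        label, sep, value = item.strip().partition("=")
        if sep and label.strip():  # skip empty or malformed items
            pairs[label.strip()] = value.strip()
    return pairs

def browser_score(headers):
    """Return x-is-browser as a float, or None if absent or not a finite number."""
    try:
        score = float(headers.get("x-is-browser", ""))
    except ValueError:
        return None
    return score if math.isfinite(score) else None

def expensive_op_tier(raw_headers):
    """Map the CDN headers to a hypothetical tier for costly operations."""
    headers = {k.lower(): v.strip() for k, v in raw_headers.items()}
    trust = headers.get("x-trusted-request", "").upper()
    if trust not in VALID_TRUST:
        trust = "F"  # assumption: missing or malformed value gets the least trust
    if trust in ("A", "B", "C"):
        return "full"       # trusted network, verified bot, or logged-in session
    if trust == "D":
        return "standard"   # self-identified bot, rate-limited by contact at the CDN
    if trust == "E":
        score = browser_score(headers)
        # Above 80 means likely a browser; anything else, including a
        # missing score, is handled conservatively.
        return "standard" if score is not None and score > 80 else "restricted"
    return "minimal"        # class F: abusive networks

if __name__ == "__main__":
    # Constructed sample request headers; the provenance labels are placeholders.
    sample = {
        "X-Trusted-Request": "E",
        "X-Is-Browser": "92",
        "X-Provenance": "net=example; client=unknown",
    }
    print(expensive_op_tier(sample), parse_provenance(sample["X-Provenance"]))
```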