What is a Request Path?

The request path is the part of the URL after your domain name that identifies which resource or page is being accessed.
Read more on URL pathname at MDN Web Docs.

Understanding URL Structure

https://example.com/shop/products/shoes?color=blue#reviews
        └─domain─┘└───request path───┘

The request path is /shop/products/shoes - everything between the domain and the query parameters.

Common Path Patterns

Application Areas

  • /admin/* - Administrative interfaces
  • /api/* - API endpoints
  • /auth/* - Authentication flows
  • /user/* - User profiles and settings
  • /checkout/* - Purchase flows

Sensitive Endpoints

  • /login - Authentication entry
  • /reset-password - Account recovery
  • /api/internal - Internal APIs
  • /debug - Debug endpoints (should be disabled in production!)
  • /.git - Version control (should never be exposed!)

How Paths Work on the Web

Different types of applications use paths differently:
  • Traditional websites: Each path is a different page (/about, /contact)
  • REST APIs: Paths represent resources (/api/users/123)
  • Single-page apps: May use one path with client routing (/app/*)
  • Static sites: Paths map to actual files (/images/logo.png)

Using Request Path in Policies

Basic Examples

Protect admin area:

Field Type: Request Path
Operator: starts with
Value: /admin
Action: Challenge

Monitor API usage:

Field Type: Request Path
Operator: starts with
Value: /api/v2
Action: Monitor

Advanced Patterns

Detect path traversal attempts:

Field Type: Request Path
Operator: contains
Value: ../
Action: Block

Rate limit specific endpoints:

Field Type: Request Path
Operator: equals
Value: /api/search
Window: 1 minute
Threshold: 10
Action: Challenge

Pro Tip: Use “starts with” for broad protection, “equals” for specific endpoints, and “contains” for pattern detection.

Path Matching Operators

Operator         Use Case            Example
equals           Exact path match    /login
starts with      Path prefix         /api/
ends with        File extensions     .php
contains         Pattern anywhere    admin
matches regex    Complex patterns    ^/user/[0-9]+$

Best Practices

DO:

  • Use specific paths for sensitive areas - Be precise with admin/internal paths
  • Consider URL patterns - Your app might use /user/123 style paths
  • Monitor before blocking - Understand traffic patterns first
  • Account for variations - /admin and /admin/ might both exist
  • Think about path hierarchy - Protecting /api also protects /api/users

DON’T:

  • Use overly broad patterns - Blocking all paths with “user” might break legitimate features
  • Forget about case sensitivity - /Admin might differ from /admin
  • Ignore trailing slashes - They can make a difference
  • Block common paths carelessly - / or /api might be too broad

Common Attack Patterns

Attack Type        Path Pattern            What to Look For
Path Traversal     ../../../etc/passwd     Multiple ../ sequences
Hidden Files       /.git, /.env            Paths starting with .
Admin Discovery    /admin, /manager        Common admin paths
API Enumeration    /api/v1/users/1         Sequential ID patterns
Backup Files       /backup.sql             Common backup extensions

Dynamic Paths and Wildcards

Many applications use dynamic path segments:

# Match user profiles with numeric IDs
/user/[0-9]+

# Match any file in uploads
/uploads/*

# Match specific file types
*.pdf

Working with Dynamic Segments: For paths like /product/123/reviews, you might want to:
  1. Protect all products: starts with /product
  2. Specific product: starts with /product/123
  3. All reviews: contains /reviews

Combining with Other Fields

Request Path becomes more powerful when combined with other fields, for example Request Method:

# Suspicious: POST to a typically GET endpoint
Field Type: Request Path
Operator: equals
Value: /search
AND
Field Type: Request Method
Operator: equals
Value: POST
Action: Block
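As an added example (not Esperr's own code), the rules from this page and the five operators from the matching table can be evaluated in Python. The rule dict shape, the first-match order, and the percent-decoding, case-folding and trailing-slash normalisation are assumptions about how an engine treats a path; confirm your engine's actual behaviour before relying on them.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed rules mirroring this page's examples. The dict shape and the
# first-match evaluation order are assumptions, not Esperr's rule format.
POLICIES = [
    {"path": ("contains", "../"), "action": "Block"},
    {"path": ("equals", "/search"), "method": "POST", "action": "Block"},
    {"path": ("starts with", "/admin"), "action": "Challenge"},
    {"path": ("matches regex", r"^/user/[0-9]+$"), "action": "Monitor"},
    {"path": ("starts with", "/api/v2"), "action": "Monitor"},
]

def request_path(url):
    """Isolate the path: after the host, before any '?' query or '#' fragment."""
    path = urlsplit(url).path or "/"
    # Percent-decode so "/a%2F..%2F" and "/a/../" compare alike (assumed
    # normalisation; check what your engine does before relying on it).
    path = unquote(path)
    # Fold case and drop the trailing slash, the two variations the DON'T
    # list warns about, so "/Admin/" and "/admin" compare equal.
    path = path.lower()
    return path.rstrip("/") or "/"

def path_matches(op, value, path):
    """The five operators from the Path Matching Operators table."""
    value = value.lower()
    if op == "equals":
        return path == value
    if op == "starts with":
        return path.startswith(value)
    if op == "ends with":
        return path.endswith(value)
    if op == "contains":
        return value in path
    if op == "matches regex":
        return re.search(value, path) is not None
    raise ValueError(f"unknown operator: {op}")

def evaluate(url, method="GET"):
    """Return the action of the first rule whose conditions all hold, else 'Allow'."""
    path = request_path(url)
    for rule in POLICIES:
        if not path_matches(*rule["path"], path):
            continue
        if "method" in rule and rule["method"] != method.upper():
            continue
        return rule["action"]
    return "Allow"
```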

Troubleshooting

“My path policy isn’t matching”
  • Check for trailing slashes
  • Verify URL encoding (%20 for spaces)
  • Confirm the exact path in your server logs
  • Remember query parameters are not part of the path

“I’m blocking legitimate users”
  • Your pattern might be too broad
  • Check for unexpected path variations in your app
  • Consider using Challenge instead of Block initially