> ## Documentation Index
> Fetch the complete documentation index at: https://docs.esperr.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Request Path

> Working with URL paths in Esper policies.

## What is a Request Path?

The request path is the part of the URL after your domain name that identifies which resource or page is being accessed.

<Info>
  **MDN Web Docs**

  Read more on [URL pathname](https://developer.mozilla.org/en-US/docs/Web/API/URL/pathname).
</Info>

## Understanding URL Structure

```
https://example.com/shop/products/shoes?color=blue#reviews
        └─domain─┘  └────request path────┘
```

The request path is `/shop/products/shoes` - everything between the domain and the query parameters.

## Common Path Patterns

### Application Areas

* `/admin/*` - Administrative interfaces
* `/api/*` - API endpoints
* `/auth/*` - Authentication flows
* `/user/*` - User profiles and settings
* `/checkout/*` - Purchase flows

### Sensitive Endpoints

* `/login` - Authentication entry
* `/reset-password` - Account recovery
* `/api/internal` - Internal APIs
* `/debug` - Debug endpoints (should be disabled in production!)
* `/.git` - Version control (should never be exposed!)

## How Paths Work on the Web

Different types of applications use paths differently:

* **Traditional websites**: Each path is a different page (`/about`, `/contact`)
* **REST APIs**: Paths represent resources (`/api/users/123`)
* **Single-page apps**: May use one path with client routing (`/app/*`)
* **Static sites**: Paths map to actual files (`/images/logo.png`)

## Using Request Path in Policies

### Basic Examples

**Protect admin area:**

```yaml theme={null}
Field Type: Request Path
Operator: starts with
Value: /admin
Action: Challenge
```

**Monitor API usage:**

```yaml theme={null}
Field Type: Request Path
Operator: starts with
Value: /api/v2
Action: Monitor
```

### Advanced Patterns

**Detect path traversal attempts:**

```yaml theme={null}
Field Type: Request Path
Operator: contains
Value: ../
Action: Block
```

**Rate limit specific endpoints:**

```yaml theme={null}
Field Type: Request Path
Operator: equals
Value: /api/search
Window: 1 minute
Threshold: 10
Action: Challenge
```

<Info>
  **Pro Tip**

  Use "starts with" for broad protection, "equals" for specific endpoints, and "contains" for pattern detection.
</Info>

## Path Matching Operators

| Operator      | Use Case         | Example          |
| ------------- | ---------------- | ---------------- |
| equals        | Exact path match | `/login`         |
| starts with   | Path prefix      | `/api/`          |
| ends with     | File extensions  | `.php`           |
| contains      | Pattern anywhere | `admin`          |
| matches regex | Complex patterns | `^/user/[0-9]+$` |

## Best Practices

### DO:

* **Use specific paths for sensitive areas** - Be precise with admin/internal paths
* **Consider URL patterns** - Your app might use `/user/123` style paths
* **Monitor before blocking** - Understand traffic patterns first
* **Account for variations** - `/admin` and `/admin/` might both exist
* **Think about path hierarchy** - Protecting `/api` also protects `/api/users`

### DON'T:

* **Use overly broad patterns** - Blocking all paths with "user" might break legitimate features
* **Forget about case sensitivity** - `/Admin` might differ from `/admin`
* **Ignore trailing slashes** - They can make a difference
* **Block common paths carelessly** - `/` or `/api` might be too broad

## Common Attack Patterns

| Attack Type     | Path Pattern          | What to Look For         |
| --------------- | --------------------- | ------------------------ |
| Path Traversal  | `../../../etc/passwd` | Multiple `../` sequences |
| Hidden Files    | `/.git`, `/.env`      | Paths starting with `.`  |
| Admin Discovery | `/admin`, `/manager`  | Common admin paths       |
| API Enumeration | `/api/v1/users/1`     | Sequential ID patterns   |
| Backup Files    | `/backup.sql`         | Common backup extensions |

## Dynamic Paths and Wildcards

Many applications use dynamic path segments:

```yaml theme={null}
# Match user profiles with numeric IDs
/user/[0-9]+

# Match any file in uploads
/uploads/*

# Match specific file types
*.pdf
```

<Tip>
  **Working with Dynamic Segments**

  For paths like `/product/123/reviews`, you might want to:

  1. Protect all products: `starts with /product`
  2. Specific product: `starts with /product/123`
  3. All reviews: `contains /reviews`
</Tip>

## Combining with Other Fields

Request Path becomes more powerful when combined with:

```yaml theme={null}
# Suspicious: POST to a typically GET endpoint
Field Type: Request Path
Operator: equals
Value: /search
AND
Field Type: Request Method
Operator: equals
Value: POST
Action: Block
```

## Troubleshooting

**"My path policy isn't matching"**

* Check for trailing slashes
* Verify URL encoding (%20 for spaces)
* Confirm the exact path in your server logs
* Remember query parameters are not part of the path

**"I'm blocking legitimate users"**

* Your pattern might be too broad
* Check for unexpected path variations in your app
* Consider using Challenge instead of Block initially

## Related Fields

* [Request Method](./request-method) - Combine for precise endpoint control
* [Query Parameters](./query-parameters) - Additional URL information
* [Headers](./headers) - May contain path-related information
* [Referrer](./referrer) - Shows which path users came from
