You must have an active Castle account with a valid API key in order to begin using Castle at the edge. Sign up, or retrieve your API key from the Castle Dashboard.
Castle provides code samples that allow you to deploy the Castle risk engine into your edge solution.
For more information about why you might want to deploy Castle both at the edge and in-app, see the blog post A Layered Approach to Bot Detection and ATO prevention.
This diagram shows a high-level overview of how Castle works at each layer.
Relevant Links
- Blog: A layered approach to bot detection and ATO prevention
- Sample code with Cloudfront
- Sample code with Cloudflare
Step 1. Set up edge listeners
Set up Castle at the edge to listen for requests on the endpoints typically targeted by attackers: /register, /login, and password reset.
See one of our sample apps in the Relevant Links as a reference.
Step 2. Capture fingerprints
Step 3. Send Castle API requests
Once a valid Castle fingerprint is present in requests at the edge, and listeners have been set up on the relevant endpoints, send a request to the Castle API every time one of your watched endpoints receives a request.
See one of the sample apps in the Relevant Links for a reference.
Step 4. React to the Castle verdict
When a request arrives at one of the integrated endpoints, the sample code sends the context of the request to Castle and receives a recommended action (and risk score) in return. If the recommended action is “deny”, you can reject the request at the edge, without it ever reaching your application. If the recommended action is “allow”, you can let the request proceed to your application for further processing.
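The four steps above, condensed into one edge handler as an added example (this is not Castle's own Cloudflare or CloudFront sample code). Requests are modelled as plain objects ({ method, path, ip, headers }) so the logic runs in plain Node without a Workers runtime, and the Castle client is injected so it can be stubbed offline. The API URL, the Basic-auth scheme, the fingerprint header name and the request and verdict field names are assumptions for illustration, not Castle's documented schema:

```javascript
const WATCHED_PATHS = new Set(['/register', '/login', '/password-reset']);
const CASTLE_API_URL = 'https://api.castle.io/v1/filter';   // assumed endpoint
const FINGERPRINT_HEADER = 'x-castle-request-token';         // assumed header name
const REDACTED_HEADERS = new Set(['cookie', 'authorization']);

// Step 1: edge listener. Only endpoints attackers typically target go to Castle;
// everything else is forwarded untouched so the edge adds no latency there.
function isWatched(path) {
  return WATCHED_PATHS.has(path.split('?')[0]);
}

// Step 2: capture the fingerprint the Castle client script attaches to the
// request (assumed here to travel in a header). Returns null when absent.
function captureFingerprint(headers) {
  const token = headers[FINGERPRINT_HEADER];
  return typeof token === 'string' && token.length > 0 ? token : null;
}

// Step 3: build the request context for the Castle API. Session cookies and
// Authorization headers are stripped before leaving the edge; the field names
// (request_token, context, path) are assumptions, not the real schema.
function buildContext(req, fingerprint) {
  const headers = {};
  for (const [name, value] of Object.entries(req.headers)) {
    if (!REDACTED_HEADERS.has(name.toLowerCase())) headers[name] = value;
  }
  return {
    request_token: fingerprint,
    context: { ip: req.ip, headers },
    path: req.path.split('?')[0],
  };
}

// Default Castle client. HTTP Basic with an empty username and the API secret
// as password is an assumption. The handler takes the client as a parameter so
// it can be replaced with a stub without network access.
function makeCastleClient(apiSecret) {
  return async function callCastle(context) {
    const resp = await fetch(CASTLE_API_URL, {
      method: 'POST',
      headers: {
        'Content-Type': 'application/json',
        Authorization: 'Basic ' + btoa(':' + apiSecret),
      },
      body: JSON.stringify(context),
    });
    if (!resp.ok) throw new Error('Castle API returned HTTP ' + resp.status);
    return resp.json();
  };
}

// Step 4: map Castle's recommended action to an edge decision. Only an explicit
// "deny" blocks at the edge; a missing or unrecognised action falls through to
// the app so an API problem cannot lock every user out (the in-app layer still runs).
function decide(verdict) {
  if (!verdict || typeof verdict.action !== 'string') {
    return { forward: true, reason: 'no-verdict' };
  }
  if (verdict.action === 'deny') {
    return { forward: false, status: 403, reason: 'castle-deny', risk: verdict.risk };
  }
  return { forward: true, reason: 'castle-' + verdict.action, risk: verdict.risk };
}

// Entry point for one edge request; `callCastle` is the injected API client.
async function handleEdgeRequest(req, callCastle) {
  if (!isWatched(req.path)) return { forward: true, reason: 'not-watched' };
  const fingerprint = captureFingerprint(req.headers);
  if (fingerprint === null) {
    // The page makes the API call conditional on a valid fingerprint, so a
    // request without one is handed to the app, which should treat it as suspect.
    return { forward: true, reason: 'no-fingerprint' };
  }
  let verdict;
  try {
    verdict = await callCastle(buildContext(req, fingerprint));
  } catch (err) {
    // Fail open at the edge and leave the decision to the in-app layer.
    return { forward: true, reason: 'castle-unreachable', error: String(err) };
  }
  return decide(verdict);
}

// Constructed sample request (not real traffic) for exercising the handler.
const SAMPLE_LOGIN = {
  method: 'POST',
  path: '/login?next=%2Faccount',
  ip: '203.0.113.10',
  headers: {
    'user-agent': 'Mozilla/5.0 (constructed)',
    cookie: 'session=constructed',
    'x-castle-request-token': 'constructed-fingerprint',
  },
};
```

In a real Worker you would call `handleEdgeRequest` from the `fetch` event with `makeCastleClient(env.CASTLE_API_SECRET)` and translate a `{ forward: false }` result into a 403 response; the `forward: true` branches pass the request to the origin. Two choices worth keeping when adapting it: the edge strips cookies and Authorization headers before they leave your infrastructure, and every failure path (no fingerprint, unreachable API, unexpected verdict) forwards rather than blocks, because the in-app Castle layer is the second line of defence and a blocking edge would make an API outage an outage for your users too.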