How to Install the Axur Leakstream Integration
Axur Leakstream is a Firewall integration that monitors internet activity in search of leaked credentials. It helps your e-commerce avoid checker attacks and protect your users’ credentials by checking whether a given username and password combination has been exposed in any known data breach.
When a login request arrives at the edge, the function extracts the username and password from the request body, queries the Axur Leakstream API, and appends custom headers to the request. Your Rules Engine can then use those headers to take any action you need — such as blocking the request, redirecting the user, or triggering a secondary verification flow.
Requirements
To start using this integration, you need to:
- Create an Axur account and subscribe to a Leakstream plan that matches the size of your customer base.
- Obtain an Axur API Token after your account is enabled.
Getting the integration
To install this integration:
- Access Azion Console > Marketplace.
- On the Marketplace homepage, select the Leakstream card.
- On the integration page, click the Install button.
You’ll see a message indicating that your integration was successfully installed.
Configuring the integration
Once you’ve installed the Axur Leakstream integration, complete the steps below to configure it.
Setting up a Firewall
Follow the steps:
- On the upper-left corner, open the Products menu and select Firewall in the Secure section.
- Click the + Firewall button.
- Give an easy-to-remember name to your firewall.
- Enable the Functions switch in the Modules section.
  - This action gives access to functions on your firewall.
- Click the Save button.
Done. Now you’ve instantiated the firewall for your function and have access to functions on your firewall.
Setting up the Firewall function
While still on the Firewall page:
- Select the Functions Instances tab.
- Click the + Function Instance button.
- Give an easy-to-remember name to your instance.
- On the dropdown menu, select the Axur Leakstream function.
- In the Arguments box, pass your variables:
```json
{
  "api_key": "YourAxurAPIKey",
  "username_field": "user",
  "password_field": "password",
  "password_hash_type": "sha256",
  "execute_hashing": false,
  "leakstream_timeout": 60000
}
```

Where:

| Variable | Mandatory | Description |
|---|---|---|
| `api_key` | Yes | The API Token from your Axur account. Required unless the `AXUR_API_V1_LEAKSTREAM_API_KEY` environment variable is set |
| `username_field` | Yes | The name of the request body field that contains the username. Required unless the `AXUR_API_V1_LEAKSTREAM_USERNAME_FIELD` environment variable is set |
| `password_field` | No | The name of the request body field that contains the password |
| `password_hash_type` | No | The hashing algorithm used for the password. Accepted values: `md5`, `sha1`, `sha224`, `sha256`, `sha384`, `sha512` |
| `execute_hashing` | No | When set to `true`, the function automatically hashes the password using SHA-256 before sending it to the Axur API. Recommended when the frontend does not hash the password |
| `leakstream_timeout` | No | Connection timeout (in milliseconds) for requests to the Axur API. Defaults to `60000` (60 seconds) |
- Click the Save button.
Setting up the Rules Engine
The Leakstream integration uses a two-rule pattern in the Rules Engine:
- Rule 1 — triggers the Leakstream function on the target endpoint (for example, a login or account-creation form).
- Rule 2 — triggers a second, custom response function on the same endpoint. This function reads the custom headers set by Leakstream and decides whether to block the request or allow it through.
The Firewall Rules Engine criteria do not support matching on custom request headers. Because of this, the blocking logic must live inside a second function that reads the `axur-leakstream-leaked` header from the request object and returns the appropriate response.
The table below describes the headers the Leakstream function adds to the request object:
| Header | Value | Description |
|---|---|---|
| `axur-leakstream-leaked` | `true` | The username and password combination was found in a data breach |
| `axur-leakstream-username-leaked` | `true` | The username alone was found in a data breach |
| `axur-leakstream-missing-username` | `true` | The username field was not found in the request body |
| `axur-leakstream-error` | `timeout`, `invalid-content-type`, or an HTTP status code | An error occurred while calling the Axur API |
Rule 1 — Run the Leakstream function
Still on the Firewall page:
- Select the Rules Engine tab.
- Click the + Rule Engine button.
- Give an easy-to-remember name to the rule (for example, `Run Leakstream`).
- Select criteria to restrict which requests trigger the Leakstream check.
  - Example: if `Request Method` is equal to `POST` and `Request URI` matches `/login`.
  - This avoids running the check on every request and limits it to login or account-creation endpoints.
- Below, select Run Function as the behavior and choose the Leakstream function instance you created earlier.
- Click the Save button.
Rule 2 — Act on the result
Before creating this rule, you need a second function instance that reads the axur-leakstream-leaked header and returns a custom response. For example, the function below returns an HTML warning page when the header is true:
```javascript
async function handleRequest(request) {
  // Header set by the Leakstream function instance that Rule 1 runs.
  const leaked = request.headers.get('axur-leakstream-leaked');

  if (leaked === 'true') {
    const html = `<!DOCTYPE html>
<html lang="en">
<head>
  <title>Warning!</title>
</head>
<body>
  <h1>Warning!</h1>
  <p>The combination of username and password provided was found in a data breach. You cannot use it.</p>
</body>
</html>`;
    return new Response(html, {
      status: 403,
      headers: { 'content-type': 'text/html;charset=UTF-8' },
    });
  }

  // No leak reported: let the request through.
  return fetch(request);
}

addEventListener('fetch', event => {
  return event.respondWith(handleRequest(event.request));
});
```

After creating and instantiating the response function, add the second rule:
- Click the + Rule Engine button again.
- Give an easy-to-remember name to the rule (for example, `Block leaked credentials`).
- Set the criteria to match the same endpoint as Rule 1:
  - Example: if `Request Method` is equal to `POST` and `Request URI` matches `/login`.
- Select Run Function as the behavior and choose the response function instance.
- Click the Save button.
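The response function shown for Rule 2 acts only on `axur-leakstream-leaked`. The following added example (not Azion's or Axur's code) maps all four headers from the table to an action, including the case where the Axur lookup fails and no verdict exists. The status codes, the `FAIL_CLOSED` switch and the `x-require-step-up` header are assumptions to adapt to your own policy.

```javascript
// Added example: policy values (status codes, FAIL_CLOSED, step-up header)
// are assumptions, not Azion or Axur defaults.
const FAIL_CLOSED = false; // assumption: allow logins when the Axur lookup fails

// Maps the Leakstream headers to an action. `headers` is any object with a
// get(name) method, such as the request's Headers object at the edge.
function decide(headers, failClosed = FAIL_CLOSED) {
  const flag = (name) => headers.get(name) === 'true';
  const error = headers.get('axur-leakstream-error');

  if (flag('axur-leakstream-leaked')) {
    return { action: 'block', status: 403, reason: 'credential-pair-leaked' };
  }
  if (flag('axur-leakstream-missing-username')) {
    // Leakstream did not find the configured username_field in the body.
    return { action: 'block', status: 400, reason: 'missing-username' };
  }
  if (error) {
    // timeout, invalid-content-type, or an HTTP status code: no verdict.
    return failClosed
      ? { action: 'block', status: 503, reason: `lookup-error:${error}` }
      : { action: 'allow', reason: `lookup-error:${error}` };
  }
  if (flag('axur-leakstream-username-leaked')) {
    return { action: 'step-up', reason: 'username-leaked' };
  }
  return { action: 'allow', reason: 'clean' };
}

async function handleRequest(request) {
  const verdict = decide(request.headers);
  if (verdict.action === 'block') {
    return new Response(JSON.stringify({ error: verdict.reason }), {
      status: verdict.status,
      headers: { 'content-type': 'application/json' },
    });
  }
  const forwarded = new Request(request);
  if (verdict.action === 'step-up') {
    // Hypothetical header the origin reads to require secondary verification.
    forwarded.headers.set('x-require-step-up', 'true');
  }
  return fetch(forwarded);
}

// Register only where the runtime provides the fetch event.
if (typeof addEventListener === 'function') {
  addEventListener('fetch', (event) => event.respondWith(handleRequest(event.request)));
}
```

Log the `lookup-error` reasons regardless of which way `FAIL_CLOSED` is set, since a sustained run of them means logins are passing (or failing) without a breach check.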
Associating the Firewall with your domain
On the Console, you must now configure your domain so it is protected by your Firewall.
- On the Products menu, select Domains.
- Click on the domain you want to protect with your Leakstream function.
- In the Settings section, click on the `Firewall` selector and choose the Firewall you’ve just created.
- Click the Save button.
Done. Now the Axur Leakstream integration is running and protecting your users’ credentials at the edge.