Update CDN zone settings

Partially update grouped CDN settings by public cdn_... zone ID. Send only the groups you want to change. For “challenge visitors outside Sweden”, set `waf.visitorProfileMode` to `challenge` and keep `geoRestriction.additionalCountries` set to `SE`.

Authentication

Required API scopes: `write:cdn`, `write:domains`

Use Authorization: Bearer <token> for API keys. Dashboard sessions may also use hostup_session.

Context

Path Parameters

id string required Example: id_01hxa3b4c5d6e7f8g9h0j1k2m3

Public resource ID for `id`.

Query Parameters

includeRecords boolean · Example: false

When true, the updated response includes proxied DNS records; otherwise `records` is `null`.

Headers

Accept Example
Content-Type Example

Body

required
application/json
proxied boolean · Example: true

Turn CDN proxying on or off for this zone.

security object
performance object
cache object
waf object
geoRestriction object

Responses

200 Updated CDN zone detail.
id string | null · Example: cdn_01hxa3b4c5d6e7f8g9h0j1k2m3

Public CDN zone ID. `null` when no CDN zone exists yet.

domain string · Example: example.com
domainId string | null · Example: dom_01hxa3b4c5d6e7f8g9h0j1k2m3

Public domain ID for registrar-owned domains; `null` for DNS-only zones.

status string · enum · Example: active
Allowed values: `active`, `pending`, `misconfigured`, `missing`, `disabled`
reason string | null · Example: null
proxied boolean · Example: true
securityLevel string · enum · Example: medium
Allowed values: `off`, `low`, `medium`, `high`
ssl object
ssl.status string · enum required · Example: active
Allowed values: `active`, `pending`, `error`
ssl.expiresAt string | null required · Example: 2026-08-01T00:00:00.000Z
ruleCount integer · Example: 2
security object
security.level string · enum required · Example: medium

Overall CDN security level.

Allowed values: `off`, `low`, `medium`, `high`
security.sslMode string · enum required · Example: full

TLS mode used between visitors, CDN, and origin.

Allowed values: `off`, `flexible`, `full`, `strict`
security.alwaysUseHttps boolean required · Example: true
security.minTlsVersion string · enum required · Example: 1.2
Allowed values: `1.0`, `1.1`, `1.2`, `1.3`
security.botProtection boolean required · Example: true
security.blockBadCrawlers boolean required · Example: true
security.blockBadBots boolean required · Example: true
security.wpLoginProtection boolean required · Example: true

Protect WordPress login endpoints.

security.wpAdminChallenge boolean required · Example: true

Challenge requests to WordPress administration paths.

waf object
waf.skipEnabled boolean required · Example: false

Whether custom WAF skip rules are enabled.

waf.challengeGeoEnabled boolean required · Example: true

Whether visitor-profile country challenge logic is enabled.

waf.visitorProfileMode string · enum required · Example: challenge

`challenge` asks visitors outside the configured country profile to complete a challenge; `block` blocks them; `off` disables this profile action.

Allowed values: `off`, `challenge`, `block`
waf.ipAllowlist array<string> required · Example: ["203.0.113.10"]

IP addresses or CIDR ranges allowed through custom WAF checks.

waf.uaAllowlist array<string> required · Example: ["HostUp-Monitor"]

User-agent substrings allowed through custom WAF checks.

waf.pathAllowlist array<string> required · Example: ["/health"]

Path prefixes allowed through custom WAF checks.

geoRestriction object
geoRestriction.enabled boolean required · Example: true
geoRestriction.whitelistCountries array<string> required · Example: ["SE"]

Effective uppercase country-code allowlist kept for compatibility. Prefer `combinedCountries` for new integrations.

geoRestriction.mode string · enum required · Example: whitelist

`off` disables the allowlist; `whitelist` allows only `combinedCountries`.

Allowed values: `off`, `whitelist`
geoRestriction.standardCountries array<string> required · Example: []

System-required countries that callers cannot remove.

geoRestriction.additionalCountries array<string> required · Example: ["SE"]

Caller-managed country codes layered on top of `standardCountries`.

geoRestriction.combinedCountries array<string> required · Example: ["SE"]

Effective allowlist: `standardCountries` plus `additionalCountries`.

activity object
activity.lastChangeDetectedAt string | null required · Example: 2026-04-27T12:00:00.000Z
activity.lastCheckedAt string | null required · Example: 2026-04-27T12:00:00.000Z
activity.settingsUpdatedAt string | null required · Example: 2026-04-27T12:00:00.000Z
actions object
actions.canEnableProxy object required
actions.canEnableProxy.allowed boolean required · Example: true
actions.canEnableProxy.reason string | null required · Example: null
actions.canEnableProxy.code string | null · Example: pending_order

Machine-readable reason code when an action is blocked.

actions.canIssueCertificate object required
actions.canIssueCertificate.allowed boolean required · Example: true
actions.canIssueCertificate.reason string | null required · Example: null
actions.canIssueCertificate.code string | null · Example: pending_order

Machine-readable reason code when an action is blocked.

actions.canChangeMode object required
actions.canChangeMode.allowed boolean required · Example: true
actions.canChangeMode.reason string | null required · Example: null
actions.canChangeMode.code string | null · Example: pending_order

Machine-readable reason code when an action is blocked.

actions.canActivate object required
actions.canActivate.allowed boolean required · Example: true
actions.canActivate.reason string | null required · Example: null
actions.canActivate.code string | null · Example: pending_order

Machine-readable reason code when an action is blocked.

actions.canDeactivate object required
actions.canDeactivate.allowed boolean required · Example: true
actions.canDeactivate.reason string | null required · Example: null
actions.canDeactivate.code string | null · Example: pending_order

Machine-readable reason code when an action is blocked.

records array | null

`null` unless `includeRecords=true`.

400 Invalid request. The response body is an RFC 7807 Problem Details document.
type string · Example: https://developer.hostup.se/errors/invalid_request
title string · Example: Validation failed
status integer · Example: 400
detail string · Example: The request body failed validation.
code string · Example: invalid_request

Stable machine-readable code. Branch on this field, not on `detail`.

instance string · Example: /api/v2/orders
requestId string · Example: req_01hxa3b4c5d6e7f8g9h0j1k2m3
timestamp string · Example: 2026-04-27T12:34:56.000Z
errors array<object>

Field-level validation errors when `code` is `invalid_request`.

errors[].pointer string required · Example: /items/0/eppCode
errors[].detail string required · Example: `eppCode` is required for this transfer.
errors[].code string required · Example: missing_required
extensions object
401 Unauthorized. Authentication is required.
Body: the same RFC 7807 Problem Details fields as listed for the 400 response.
403 Forbidden. The caller lacks a required scope or does not own the resource.
Body: the same RFC 7807 Problem Details fields as listed for the 400 response.
404 Not found. The resource does not exist or is not owned by the caller.
Body: the same RFC 7807 Problem Details fields as listed for the 400 response.
429 Rate limited. Retry after the limit resets. 429 responses include `Retry-After` seconds plus `X-RateLimit-*` headers.
Body: the same RFC 7807 Problem Details fields as listed for the 400 response.
500 Internal error. Retry later or contact support if the issue persists.
Body: the same RFC 7807 Problem Details fields as listed for the 400 response.
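
Client-side handling of the error responses listed above, as an added example (not HostUp's code): it branches on the Problem Details `code` rather than `detail`, honours `Retry-After` on 429, and keeps `requestId` for support tickets. The function name, the action labels, `MAX_DELAY` and the pointer in the sample body are assumptions made for illustration.

```python
import json

MAX_DELAY = 300  # assumption: client-side cap on any wait, in seconds

# Constructed sample body; the pointer is illustrative, the codes are the page's examples.
SAMPLE_400 = json.dumps({
    "status": 400, "code": "invalid_request",
    "requestId": "req_01hxa3b4c5d6e7f8g9h0j1k2m3",
    "errors": [{"pointer": "/geoRestriction/mode", "detail": "constructed",
                "code": "missing_required"}],
})

def plan_for_error(status, headers, body_text, attempt=0):
    """Map a non-200 response to a plan: action, delay, request_id, fields."""
    try:
        problem = json.loads(body_text)
    except ValueError:
        problem = None
    if not isinstance(problem, dict):
        problem = {}  # an intermediary may answer without a Problem Details body
    plan = {"action": "abort", "delay": 0, "fields": [],
            "request_id": problem.get("requestId")}
    hdrs = {k.lower(): v for k, v in headers.items()}

    if status == 429:
        raw = hdrs.get("retry-after", "").strip()
        # Retry-After is documented as seconds; back off if it is absent or malformed.
        ok = raw.isascii() and raw.isdigit()
        plan.update(action="retry", delay=min(int(raw) if ok else 2 ** attempt, MAX_DELAY))
    elif status >= 500:
        plan.update(action="retry", delay=min(2 ** attempt, MAX_DELAY))
    elif status in (401, 403):
        plan["action"] = "check_token_and_scopes"
    elif problem.get("code") == "invalid_request":
        # Branch on the stable `code`; `detail` is text for humans.
        plan["action"] = "fix_request"
        plan["fields"] = [(e.get("pointer"), e.get("code"))
                          for e in problem.get("errors", []) if isinstance(e, dict)]
    return plan
```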
PATCH https://cloud.hostup.se/api/v2/cdn/zones/{id}
cURL

```bash
curl -X PATCH "https://cloud.hostup.se/api/v2/cdn/zones/id_01hxa3b4c5d6e7f8g9h0j1k2m3" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Accept: application/json" \
  -H "Content-Type: application/json" \
  -d '{
    "proxied": true,
    "waf": {
      "visitorProfileMode": "challenge"
    },
    "geoRestriction": {
      "mode": "whitelist",
      "additionalCountries": [
        "SE"
      ]
    }
  }'
```
Response

```json
{
  "id": "cdn_01hxa3b4c5d6e7f8g9h0j1k2m3",
  "domain": "example.com",
  "domainId": "dom_01hxa3b4c5d6e7f8g9h0j1k2m3",
  "status": "active",
  "reason": null,
  "proxied": true,
  "securityLevel": "medium",
  "ssl": {
    "status": "active",
    "expiresAt": "2026-08-01T00:00:00.000Z"
  },
  "ruleCount": 2,
  "security": {
    "level": "medium",
    "sslMode": "full",
    "alwaysUseHttps": true,
    "minTlsVersion": "1.2",
    "botProtection": true,
    "blockBadCrawlers": true,
    "blockBadBots": true,
    "wpLoginProtection": true,
    "wpAdminChallenge": true
  },
  "waf": {
    "skipEnabled": false,
    "challengeGeoEnabled": true,
    "visitorProfileMode": "challenge",
    "ipAllowlist": [
      "203.0.113.10"
    ],
    "uaAllowlist": [
      "HostUp-Monitor"
    ],
    "pathAllowlist": [
      "/health"
    ]
  },
  "geoRestriction": {
    "enabled": true,
    "whitelistCountries": [
      "SE"
    ],
    "mode": "whitelist",
    "standardCountries": [],
    "additionalCountries": [
      "SE"
    ],
    "combinedCountries": [
      "SE"
    ]
  },
  "activity": {
    "lastChangeDetectedAt": "2026-04-27T12:00:00.000Z",
    "lastCheckedAt": "2026-04-27T12:00:00.000Z",
    "settingsUpdatedAt": "2026-04-27T12:00:00.000Z"
  },
  "actions": {
    "canEnableProxy": {
      "allowed": true,
      "reason": null
    },
    "canIssueCertificate": {
      "allowed": true,
      "reason": null
    },
    "canChangeMode": {
      "allowed": true,
      "reason": null
    },
    "canActivate": {
      "allowed": false,
      "reason": "CDN is already active for this domain."
    },
    "canDeactivate": {
      "allowed": true,
      "reason": null
    }
  },
  "records": null
}
```
Request Body: Challenge visitors outside Sweden

```json
{
  "proxied": true,
  "waf": {
    "visitorProfileMode": "challenge"
  },
  "geoRestriction": {
    "mode": "whitelist",
    "additionalCountries": [
      "SE"
    ]
  }
}
```
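
A post-change check for the "challenge visitors outside Sweden" request, as an added example (not HostUp's code): it reads the `waf`, `geoRestriction` and `security` groups of the 200 response and reports where the effective settings are wider than intended. The function name, the two thresholds and the sample values are assumptions; the sample is constructed from the example response with three values changed.

```python
import ipaddress

MAX_ALLOWLISTED_ADDRESSES = 65536  # assumption: local policy, nothing wider than a /16
MIN_UA_SUBSTRING = 6               # assumption: shorter substrings match too many clients

# Constructed sample: groups from the example response with three values made risky.
SAMPLE_ZONE = {
    "security": {"sslMode": "full", "minTlsVersion": "1.0"},
    "waf": {"visitorProfileMode": "challenge",
            "ipAllowlist": ["203.0.113.10", "10.0.0.0/8"],
            "uaAllowlist": ["HostUp-Monitor"], "pathAllowlist": ["/health", "/"]},
    "geoRestriction": {"mode": "whitelist", "standardCountries": ["NO"],
                       "additionalCountries": ["SE"], "combinedCountries": ["NO", "SE"]},
}

def audit_zone(zone, intended_countries, expected_mode="challenge"):
    """Return findings for a zone-detail dict as returned by the PATCH call."""
    out = []
    sec, waf, geo = zone["security"], zone["waf"], zone["geoRestriction"]
    if waf["visitorProfileMode"] != expected_mode:
        out.append(f"waf.visitorProfileMode is {waf['visitorProfileMode']!r}")
    if geo["mode"] != "whitelist":
        out.append(f"geoRestriction.mode is {geo['mode']!r}")
    # Documented relation: combinedCountries = standardCountries + additionalCountries.
    combined = set(geo["combinedCountries"])
    if combined != set(geo["standardCountries"]) | set(geo["additionalCountries"]):
        out.append("combinedCountries does not match standard + additional")
    wanted = set(intended_countries)
    if combined - wanted:
        out.append(f"allowlist wider than intended: {sorted(combined - wanted)}")
    if wanted - combined:
        out.append(f"intended countries missing: {sorted(wanted - combined)}")
    # Allowlist entries pass custom WAF checks, so overly broad ones defeat the challenge.
    for entry in waf["ipAllowlist"]:
        net = ipaddress.ip_network(entry, strict=False)
        if net.num_addresses > MAX_ALLOWLISTED_ADDRESSES:
            out.append(f"waf.ipAllowlist {entry} covers {net.num_addresses} addresses")
    for prefix in waf["pathAllowlist"]:
        if prefix in ("", "/"):
            out.append(f"waf.pathAllowlist {prefix!r} matches every path")
    for ua in waf["uaAllowlist"]:
        if len(ua) < MIN_UA_SUBSTRING:
            out.append(f"waf.uaAllowlist {ua!r} is a very short substring")
    if sec["minTlsVersion"] in ("1.0", "1.1"):
        out.append(f"security.minTlsVersion is {sec['minTlsVersion']}")
    if sec["sslMode"] == "off":
        out.append("security.sslMode is off")
    return out
```

Because `standardCountries` cannot be removed by the caller, the comparison uses `combinedCountries` rather than the `additionalCountries` value that was sent.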