## PATCH /api/v2/cdn/zones/{id} **Update CDN zone settings** Partially update grouped CDN settings by public `cdn_...` zone ID. Send only the groups you want to change. For “challenge visitors outside Sweden”, set `waf.visitorProfileMode` to `challenge` and keep `geoRestriction.additionalCountries` to `SE`. ### Related Endpoints - `GET /api/v2/cdn/zones/{id}`: Get CDN zone details - `GET /api/v2/cdn/zones/{id}/proxy-rules`: List CDN proxy rules - `PATCH /api/v2/domains/{id}/cdn`: Update domain CDN settings ### Headers - `Accept`: application/json - `Authorization`: Bearer YOUR_API_KEY - Required API scopes: `write:cdn`, `write:domains` - `Content-Type`: application/json ### Parameters - `includeRecords` (query, boolean): When true, the updated response includes proxied DNS records; otherwise `records` is `null`. Example: `false` - `Content-Type` (header, string): Send `application/json` when a request body is present. Example: `application/json` - `Accept` (header, string): Request JSON responses from the API. Example: `application/json` - `id` (path, string, required): Public resource ID for `id`. Example: `id_01hxa3b4c5d6e7f8g9h0j1k2m3` ### Request Body - `proxied` (boolean, optional): Turn CDN proxying on or off for this zone. Example: `true` - `security` (object, optional) - `security.level` (string, optional) Example: `high` Allowed values: off, low, medium, high - `security.sslMode` (string, optional) Example: `full` Allowed values: off, flexible, full, strict - `security.alwaysUseHttps` (boolean, optional) Example: `true` - `security.minTlsVersion` (string, optional) Example: `1.2` Allowed values: 1.0, 1.1, 1.2, 1.3 - `security.botProtection` (boolean, optional) Example: `true` - `security.blockBadCrawlers` (boolean, optional) Example: `true` - `security.blockBadBots` (boolean, optional) Example: `true` - `security.wpLoginProtection` (boolean, optional) Example: `true` - `security.wpAdminChallenge` (boolean, optional) Example: `true` - `performance` (object, optional) - `performance.earlyHints` (boolean, optional) Example: `true` - `performance.alwaysOnline` (boolean, optional) Example: `true` - `cache` (object, optional) - `cache.purgeCache` (boolean, optional) Example: `true` - `waf` (object, optional) - `waf.skipEnabled` (boolean, optional) Example: `false` - `waf.challengeGeoEnabled` (boolean, optional) Example: `true` - `waf.visitorProfileMode` (string, optional) Example: `challenge` Allowed values: off, challenge, block - `waf.ipAllowlist` (array, optional) Example: `["203.0.113.10"]` - `waf.uaAllowlist` (array, optional) Example: `["HostUp-Monitor"]` - `waf.pathAllowlist` (array, optional) Example: `["/health"]` - `geoRestriction` (object, optional) - `geoRestriction.mode` (string, optional) Example: `whitelist` Allowed values: off, whitelist - `geoRestriction.additionalCountries` (array, optional): Uppercase ISO country codes to allow in addition to any system-required countries. Example: `["SE"]` ### Request Examples #### Challenge visitors outside Sweden ```bash curl -X PATCH "https://cloud.hostup.se/api/v2/cdn/zones/id_01hxa3b4c5d6e7f8g9h0j1k2m3" \ -H "Authorization: Bearer YOUR_API_KEY" \ -H "Accept: application/json" \ -H "Content-Type: application/json" \ -d '{ "proxied": true, "waf": { "visitorProfileMode": "challenge" }, "geoRestriction": { "mode": "whitelist", "additionalCountries": [ "SE" ] } }' ``` ```json { "proxied": true, "waf": { "visitorProfileMode": "challenge" }, "geoRestriction": { "mode": "whitelist", "additionalCountries": [ "SE" ] } } ``` #### Harden WordPress traffic ```bash curl -X PATCH "https://cloud.hostup.se/api/v2/cdn/zones/id_01hxa3b4c5d6e7f8g9h0j1k2m3" \ -H "Authorization: Bearer YOUR_API_KEY" \ -H "Accept: application/json" \ -H "Content-Type: application/json" \ -d '{ "security": { "level": "high", "sslMode": "full", "alwaysUseHttps": true, "minTlsVersion": "1.2", "botProtection": true, "blockBadCrawlers": true, "blockBadBots": true, "wpLoginProtection": true, "wpAdminChallenge": true } }' ``` ```json { "security": { "level": "high", "sslMode": "full", "alwaysUseHttps": true, "minTlsVersion": "1.2", "botProtection": true, "blockBadCrawlers": true, "blockBadBots": true, "wpLoginProtection": true, "wpAdminChallenge": true } } ``` #### Disable country profile ```bash curl -X PATCH "https://cloud.hostup.se/api/v2/cdn/zones/id_01hxa3b4c5d6e7f8g9h0j1k2m3" \ -H "Authorization: Bearer YOUR_API_KEY" \ -H "Accept: application/json" \ -H "Content-Type: application/json" \ -d '{ "waf": { "visitorProfileMode": "off" }, "geoRestriction": { "mode": "off" } }' ``` ```json { "waf": { "visitorProfileMode": "off" }, "geoRestriction": { "mode": "off" } } ``` ### Response Schema - `id` (string,null, optional): Public CDN zone ID. `null` when no CDN zone exists yet. Example: `cdn_01hxa3b4c5d6e7f8g9h0j1k2m3` - `domain` (string, optional) Example: `example.com` - `domainId` (string,null, optional): Public domain ID for registrar-owned domains; `null` for DNS-only zones. Example: `dom_01hxa3b4c5d6e7f8g9h0j1k2m3` - `status` (string, optional) Example: `active` Allowed values: active, pending, misconfigured, missing, disabled - `reason` (string,null, optional) Example: `null` - `proxied` (boolean, optional) Example: `true` - `securityLevel` (string, optional) Example: `medium` Allowed values: off, low, medium, high - `ssl` (object, optional) - `ssl.status` (string, required) Example: `active` Allowed values: active, pending, error - `ssl.expiresAt` (string,null, required) Example: `2026-08-01T00:00:00.000Z` - `ruleCount` (integer, optional) Example: `2` - `security` (object, optional) - `security.level` (string, required): Overall CDN security level. Example: `medium` Allowed values: off, low, medium, high - `security.sslMode` (string, required): TLS mode used between visitors, CDN, and origin. Example: `full` Allowed values: off, flexible, full, strict - `security.alwaysUseHttps` (boolean, required) Example: `true` - `security.minTlsVersion` (string, required) Example: `1.2` Allowed values: 1.0, 1.1, 1.2, 1.3 - `security.botProtection` (boolean, required) Example: `true` - `security.blockBadCrawlers` (boolean, required) Example: `true` - `security.blockBadBots` (boolean, required) Example: `true` - `security.wpLoginProtection` (boolean, required): Protect WordPress login endpoints. Example: `true` - `security.wpAdminChallenge` (boolean, required): Challenge requests to WordPress administration paths. Example: `true` - `waf` (object, optional) - `waf.skipEnabled` (boolean, required): Whether custom WAF skip rules are enabled. Example: `false` - `waf.challengeGeoEnabled` (boolean, required): Whether visitor-profile country challenge logic is enabled. Example: `true` - `waf.visitorProfileMode` (string, required): `challenge` asks visitors outside the configured country profile to complete a challenge; `block` blocks them; `off` disables this profile action. Example: `challenge` Allowed values: off, challenge, block - `waf.ipAllowlist` (array, required): IP addresses or CIDR ranges allowed through custom WAF checks. Example: `["203.0.113.10"]` - `waf.uaAllowlist` (array, required): User-agent substrings allowed through custom WAF checks. Example: `["HostUp-Monitor"]` - `waf.pathAllowlist` (array, required): Path prefixes allowed through custom WAF checks. Example: `["/health"]` - `geoRestriction` (object, optional) - `geoRestriction.enabled` (boolean, required) Example: `true` - `geoRestriction.whitelistCountries` (array, required): Effective uppercase country-code allowlist kept for compatibility. Prefer `combinedCountries` for new integrations. Example: `["SE"]` - `geoRestriction.mode` (string, required): `off` disables the allowlist; `whitelist` allows only `combinedCountries`. Example: `whitelist` Allowed values: off, whitelist - `geoRestriction.standardCountries` (array, required): System-required countries that callers cannot remove. Example: `[]` - `geoRestriction.additionalCountries` (array, required): Caller-managed country codes layered on top of `standardCountries`. Example: `["SE"]` - `geoRestriction.combinedCountries` (array, required): Effective allowlist: `standardCountries` plus `additionalCountries`. Example: `["SE"]` - `activity` (object, optional) - `activity.lastChangeDetectedAt` (string,null, required) Example: `2026-04-27T12:00:00.000Z` - `activity.lastCheckedAt` (string,null, required) Example: `2026-04-27T12:00:00.000Z` - `activity.settingsUpdatedAt` (string,null, required) Example: `2026-04-27T12:00:00.000Z` - `actions` (object, optional) - `actions.canEnableProxy` (object, required) - `actions.canEnableProxy.allowed` (boolean, required) Example: `true` - `actions.canEnableProxy.reason` (string,null, required) Example: `null` - `actions.canEnableProxy.code` (string,null, optional): Machine-readable reason code when an action is blocked. Example: `pending_order` - `actions.canIssueCertificate` (object, required) - `actions.canIssueCertificate.allowed` (boolean, required) Example: `true` - `actions.canIssueCertificate.reason` (string,null, required) Example: `null` - `actions.canIssueCertificate.code` (string,null, optional): Machine-readable reason code when an action is blocked. Example: `pending_order` - `actions.canChangeMode` (object, required) - `actions.canChangeMode.allowed` (boolean, required) Example: `true` - `actions.canChangeMode.reason` (string,null, required) Example: `null` - `actions.canChangeMode.code` (string,null, optional): Machine-readable reason code when an action is blocked. Example: `pending_order` - `actions.canActivate` (object, required) - `actions.canActivate.allowed` (boolean, required) Example: `true` - `actions.canActivate.reason` (string,null, required) Example: `null` - `actions.canActivate.code` (string,null, optional): Machine-readable reason code when an action is blocked. Example: `pending_order` - `actions.canDeactivate` (object, required) - `actions.canDeactivate.allowed` (boolean, required) Example: `true` - `actions.canDeactivate.reason` (string,null, required) Example: `null` - `actions.canDeactivate.code` (string,null, optional): Machine-readable reason code when an action is blocked. Example: `pending_order` - `records` (array,null, optional): `null` unless `includeRecords=true`. ### Responses #### 200 - Updated CDN zone detail. ```json { "id": "cdn_01hxa3b4c5d6e7f8g9h0j1k2m3", "domain": "example.com", "domainId": "dom_01hxa3b4c5d6e7f8g9h0j1k2m3", "status": "active", "reason": null, "proxied": true, "securityLevel": "medium", "ssl": { "status": "active", "expiresAt": "2026-08-01T00:00:00.000Z" }, "ruleCount": 2, "security": { "level": "medium", "sslMode": "full", "alwaysUseHttps": true, "minTlsVersion": "1.2", "botProtection": true, "blockBadCrawlers": true, "blockBadBots": true, "wpLoginProtection": true, "wpAdminChallenge": true }, "waf": { "skipEnabled": false, "challengeGeoEnabled": true, "visitorProfileMode": "challenge", "ipAllowlist": [ "203.0.113.10" ], "uaAllowlist": [ "HostUp-Monitor" ], "pathAllowlist": [ "/health" ] }, "geoRestriction": { "enabled": true, "whitelistCountries": [ "SE" ], "mode": "whitelist", "standardCountries": [], "additionalCountries": [ "SE" ], "combinedCountries": [ "SE" ] }, "activity": { "lastChangeDetectedAt": "2026-04-27T12:00:00.000Z", "lastCheckedAt": "2026-04-27T12:00:00.000Z", "settingsUpdatedAt": "2026-04-27T12:00:00.000Z" }, "actions": { "canEnableProxy": { "allowed": true, "reason": null }, "canIssueCertificate": { "allowed": true, "reason": null }, "canChangeMode": { "allowed": true, "reason": null }, "canActivate": { "allowed": false, "reason": "CDN is already active for this domain." }, "canDeactivate": { "allowed": true, "reason": null } }, "records": null } ``` #### 400 - Invalid request. The response body is an RFC 7807 Problem Details document. ```json { "type": "https://developer.hostup.se/errors/invalid_request", "title": "Invalid request", "status": 400, "detail": "The request body failed validation.", "code": "invalid_request", "instance": "/api/v2/resource", "requestId": "req_01hxa3b4c5d6e7f8g9h0j1k2m3", "timestamp": "2026-04-27T12:34:56.000Z", "errors": [ { "pointer": "/items/0/domainName", "detail": "`domainName` is required.", "code": "invalid_request" } ] } ``` #### 401 - Unauthorized. Authentication is required. ```json { "type": "https://developer.hostup.se/errors/unauthorized", "title": "Unauthorized", "status": 401, "detail": "Authentication is required.", "code": "unauthorized", "instance": "/api/v2/resource", "requestId": "req_01hxa3b4c5d6e7f8g9h0j1k2m3", "timestamp": "2026-04-27T12:34:56.000Z" } ``` #### 403 - Forbidden. The caller lacks a required scope or does not own the resource. ```json { "type": "https://developer.hostup.se/errors/forbidden", "title": "Forbidden", "status": 403, "detail": "The caller lacks a required scope or does not own the resource.", "code": "forbidden", "instance": "/api/v2/resource", "requestId": "req_01hxa3b4c5d6e7f8g9h0j1k2m3", "timestamp": "2026-04-27T12:34:56.000Z" } ``` #### 404 - Not found. The resource does not exist or is not owned by the caller. ```json { "type": "https://developer.hostup.se/errors/not_found", "title": "Not found", "status": 404, "detail": "The requested resource could not be found.", "code": "not_found", "instance": "/api/v2/resource", "requestId": "req_01hxa3b4c5d6e7f8g9h0j1k2m3", "timestamp": "2026-04-27T12:34:56.000Z" } ``` #### 429 - Rate limited. Retry after the limit resets. 429 responses include `Retry-After` seconds plus `X-RateLimit-*` headers. ```json { "type": "https://developer.hostup.se/errors/rate_limit_exceeded", "title": "Too many requests", "status": 429, "detail": "Too many requests. Retry after the limit resets.", "code": "rate_limit_exceeded", "instance": "/api/v2/resource", "requestId": "req_01hxa3b4c5d6e7f8g9h0j1k2m3", "timestamp": "2026-04-27T12:34:56.000Z" } ``` #### 500 - Internal error. Retry later or contact support if the issue persists. ```json { "type": "https://developer.hostup.se/errors/internal_error", "title": "Internal server error", "status": 500, "detail": "An unexpected error occurred. Retry later or contact support if the issue persists.", "code": "internal_error", "instance": "/api/v2/resource", "requestId": "req_01hxa3b4c5d6e7f8g9h0j1k2m3", "timestamp": "2026-04-27T12:34:56.000Z" } ```