Implementing Domain Fronting Detection Attack feature on Web Security Service (WSS)
Web Security Service (WSS) with Universal Policy Enforcement (UPE)
Domain Fronting Attack detection is supported on WSS but is not enabled by default. This feature can be applied in WSS by using the Management Center, any customer using UPE (Universal Policy Enforcement) can use the new policy gesture as mentioned in the article here, and as shown here:.
<proxy> DENY http.connect.host=!"$(url.host)"
Please note that there are no spaces except before the deny statement. Blank spaces in incorrect places will cause the policy deployment to fail.