Skip to main content

Anti-automation and bot protection

WAAP uses behavioral WAF to block non-human traffic from accessing your application, including scanners, bots, and other automated tools.

To protect your site from malicious attacks, we use JavaScript injection. This method ensures that we get all necessary information to block automated traffic from reaching your origin server. Meanwhile, all known bots, such as search engines, can still access your app.

Configure Bot Attacks rules

Our WAAP includes pre-defined bot protection rules to protect your site from automated traffic. You can review and configure them in the CDB Technical Web Portal:

1. Navigate to WAAP > Bot Management.

2. In the domain dropdown at the top of the page, select the needed domain.

3. The Bot Attacks tab displays all available bot protection rules.

Info

The Invalid user agent and Unknown user agent policies are set to Protection mode by default. Other policies are set to Disabled. To change a policy mode, click the dropdown near that policy.

Anti-spam

Challenge-identified submission spammers using CAPTCHA and JavaScript validation.

Traffic anomaly

Challenge or block requests when the user or device doesn't maintain cookies or execute JavaScript correctly. If this happens, users are presented with either CAPTCHA or JavaScript validation screen.

Automated clients

Challenge or block requests from automated sessions. Automated clients are usually bots looking to hack, spam, spy, or generally compromise your website. Activating this policy will detect these requests and force human interaction.

You can review a list of known bots and configure their mode within the Known Bots section. Learn more about enabling and troubleshooting bot protection in our dedicated guide.

Headless browsers

Challenge or block requests from users or devices that use automation tools to launch browsers. Headless browsers are sometimes used to perform DDoS attacks on websites, increase advertisement impressions, or automate websites in unintended ways. Activate this policy to protect your site from these attacks.

Anti-scraping

Challenge or block requests when a user or device uses an automation tool with rapid and aggressive scraping practices.

In certain cases, you may want to disable this policy. For example, if you have a travel website with aggregated data and want to allow partners to extract and display information on their own sites.