API
The Gcore Customer Portal is being updated. Screenshots may not show the current version.
WAAP
WAAP
About WAAPBilling
Configure WAAP for a domainWAAP modesManage domains protected with WAAP
Protocol validationWAF and OWASP top threatsIP reputationBehavioral WAFAnti-automation and bot protectionCMS protectionCommon automated servicesAdvanced API protection
Allow and block IP addresses in firewall
Configure API access with reserved tags
Advanced rate limiting rulesAdvanced rule objects and attributesSource field objects
Create and manage custom rules
Reserved tagsPredefined tags
Create custom response pagesManage custom response pages
How does JavaScript injection work?What cookies are used by WAAP?What storage variables does WAAP use?
Enable and troubleshoot bot protectionTroubleshoot blocked usersTroubleshoot 5xx errors
API
Chosen image
Home/WAAP/FAQs/How does JavaScript injection work?

How does WAAP JavaScript injection work?

Gcore WAAP performs various checks to determine whether a valid user is behind each request to your domain, and not automated traffic.

As part of its security checks, WAAP adds a JavaScript challenge (code) to the response. This challenge helps thee system identify if a user is automated or not.

This JavaScript injection mechanism helps WAAP get the following information:

  • Client fingerprint. Information collected from the user's device, which identifies the number and type of various components that were installed on the client.

  • Browser-type signature. A signature that distinctly characterizes a browser type and its version.

  • GUI interactions. Information about the client interaction with the application’s GUI.

This information helps us more accurately detect and block malicious traffic from reaching your domain.

How it works

JavaScript injection is added after the opening <body> tag. The injection has a minimal effect on the page size and almost no effect on page loading time.

Once the code is injected, WAAP's analysis engine get client information as follows:

  • Via cookies. On each session, the injected code generates cookies and fills them with data. These cookies are then sent to WAAP for analysis.

  • Via /sbbi/. Details about the client will be sent to our analysis engine via a specific URL that starts with {domain-address}/sbbi/ . For example, if your domain address is https://www.website.com, the requests will be made to the following URL: https://www.website.com/sbbi/. These requests are not forwarded to the origin backend and are not recorded in logs.

Was this article helpful?

Edit on GitHub