> ## Documentation Index
> Fetch the complete documentation index at: https://gcore.com/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# How does WAAP JavaScript injection work?

Gcore WAAP performs various checks to determine whether a valid user is behind each request to your domain, and not automated traffic.

As part of its security checks, WAAP adds a JavaScript challenge (code) to the response. This challenge helps the system identify if a user is automated or not.

This JavaScript injection mechanism helps WAAP get the following information:

* **Client fingerprint**. Information collected from the user's device, which identifies the number and type of various components that were installed on the client.

* **Browser-type signature**. A signature that distinctly characterizes a browser type and its version.

* **GUI interactions**. Information about the client interaction with the application's GUI.

This information helps us more accurately detect and block malicious traffic from reaching your domain.

## How it works

JavaScript injection is added after the opening `<body>` tag. The injection has a minimal effect on the page size and almost no effect on page loading time.

Once the code is injected, WAAP's analysis engine get client information as follows:

* **Via cookies**. On each session, the injected code generates cookies and fills them with data. These cookies are then sent to WAAP for analysis.

* **Via /sbbi/**. Details about the client will be sent to our analysis engine via a specific URL that starts with `{domain-address}/sbbi/` . For example, if your domain address is `https://www.website.com`, the requests will be made to the following URL: `https://www.website.com/sbbi/`. These requests are not forwarded to the origin backend and are not recorded in logs.
