API
The Gcore Customer Portal is being updated. Screenshots may not show the current version.
WAAP
WAAP
About WAAPBilling
Configure WAAP for a domainWAAP modesManage domains protected with WAAP
Protocol validationWAF and OWASP top threatsIP reputationBehavioral WAFAnti-automation and bot protectionCMS protectionCommon automated servicesAdvanced API protection
Allow and block IP addresses in firewall
Configure API access with reserved tags
Advanced rate limiting rulesAdvanced rule objects and attributesSource field objects
Create and manage custom rules
Reserved tagsPredefined tags
Create custom response pagesManage custom response pages
How does WAAP JavaScript injection work?What cookies are used by WAAP?What storage variables does WAAP use?
Enable and troubleshoot bot protectionTroubleshoot blocked usersTroubleshoot 5xx errors
API
Chosen image
Home/WAAP/WAAP policies/Anti-automation and bot protection

Anti-automation and bot protection

WAAP uses behavioral WAF to block non-human traffic from accessing your application, including scanners, bots, and other automated tools.

To protect your site from malicious attacks, we use JavaScript injection. This method ensures that we get all necessary information to block automated traffic from reaching your origin server. Meanwhile, all known bots, such as search engines, can still access your app.

This policy group is available in the Pro and Enterprise plans.

Configure policy group

Our WAAP includes a pre-defined anti-automation & bot protection policy group to protect your site from automated traffic. You can review the policy group and enable or disable its policies in the Gcore Customer Portal:

1. Navigate to WAAP > Domains.

Domains page in the Customer Portal

2. Find the domain where you want to configure the policy and click the domain name to open it.

3. On the Policies page that opens, click Anti-automation and bot protection to expand the section and adjust the policies.

WAAP policies page with the highlighted Anti-automation and bot protection policy

Only the Traffic anomaly policy is enabled by default. To activate other policies, turn on the toggles near those policies.

Traffic anomaly

Challenge or block requests when the user or device doesn’t maintain cookies or execute JavaScript correctly. If this happens, users are presented with either CAPTCHA or JavaScript validation screen.

Automated clients

Challenge or block requests from automated sessions. Automated clients are usually bots looking to hack, spam, spy, or generally compromise your website. Activating this policy will detect these requests and force human interaction.

You can review a list of known bots and allow or block their activity within the common automated services policy group. Learn more about enabling and troubleshooting bot protection in our dedicated guide.

Headless browsers

Challenge or block requests from users or devices that use automation tools to launch browsers. Headless browsers are sometimes used to perform DDoS attacks on websites, increase advertisement impressions, or automate websites in unintended ways. Activate this policy to protect your site from these attacks.

Anti-scraping

Challenge or block requests when a user or device uses an automation tool with rapid and aggressive scraping practices.

In certain cases, you may want to disable this policy. For example, if you have a travel website with aggregated data and want to allow partners to extract and display information on their own sites.

Was this article helpful?

Edit on GitHub