The Gcore Customer Portal is being updated. Screenshots may not show the current version.

Anti-automation and bot protection

WAAP uses advanced behavioral analysis to block non-human traffic from accessing your application. Such traffic includes scanners, bots, and other automated tools.

To protect your site from malicious attacks, we use JavaScript injection. This method gives us the information needed to block automated traffic before it reaches your origin server. At the same time, all known bots, such as search engines, can still access your app.

Configure policy group

Our WAAP includes a pre-defined Anti-automation & bot protection policy group to protect your site from automated traffic. You can review the policy group and enable or disable its policies in the Gcore Customer Portal:

1. Navigate to WAAP > Domains.

Domains page in the Customer Portal

2. Find the domain where you want to configure the policy and click the domain name to open it.

3. In the sidebar menu, click WAAP.

4. On the Policies page that opens, click Anti-automation and bot protection to expand the section and adjust the policies.

WAAP policies page with the highlighted Anti-automation and bot protection policy

Only the Traffic anomaly policy is enabled by default. To activate other policies, turn on the toggles near those policies.

Traffic anomaly

Challenge or block requests when the user or device doesn’t maintain cookies or execute JavaScript correctly. If this happens, users are presented with either a CAPTCHA or a JavaScript validation screen.
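
How a cookie-and-JavaScript check of this kind can work in principle, shown as an added example that is not Gcore's implementation. The cookie names `demo_chal` and `demo_js`, the signing key, and the five-minute lifetime are assumptions made for illustration.

```javascript
// Added illustration, not Gcore's code. Cookie names, SECRET and TTL_MS are assumptions.
const crypto = require('node:crypto');

const SECRET = crypto.randomBytes(32);   // per-deployment signing key (assumed)
const TTL_MS = 5 * 60 * 1000;            // challenge lifetime (assumed)

const hmac = (data) => crypto.createHmac('sha256', SECRET).update(data).digest('hex');
const sha256 = (data) => crypto.createHash('sha256').update(data).digest('hex');

// Edge side: issue a signed challenge cookie and the nonce the injected script must process.
function issueChallenge(now = Date.now()) {
  const nonce = crypto.randomBytes(16).toString('hex');
  const payload = `${nonce}.${now}`;
  return { nonce, cookie: `${payload}.${hmac(payload)}` };
}

// Browser side: the value an injected script would compute and store in a second cookie.
function solveInBrowser(nonce) {
  return sha256(`js:${nonce}`);
}

// Edge side: classify the follow-up request from the cookies it carries.
function classify(cookies, now = Date.now()) {
  const chal = cookies.demo_chal;
  if (!chal) return 'challenge: no cookie returned';        // client does not keep cookies
  const [nonce, ts, sig] = chal.split('.');
  const got = Buffer.from(String(sig));
  const want = Buffer.from(hmac(`${nonce}.${ts}`));
  // Constant-time comparison; lengths are checked first because timingSafeEqual requires it.
  if (got.length !== want.length || !crypto.timingSafeEqual(got, want)) {
    return 'challenge: cookie tampered';
  }
  if (now - Number(ts) > TTL_MS) return 'challenge: cookie expired';
  if (cookies.demo_js !== solveInBrowser(nonce)) {
    return 'challenge: JavaScript not executed';            // cookie kept, script never ran
  }
  return 'allow';
}
```

A client that stores the first cookie but never runs the script is still challenged, which is why a cookie check and a JavaScript check are combined.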

Automated clients

Challenge or block requests from automated sessions. Automated clients are usually bots looking to hack, spam, spy, or generally compromise your website. Activating this policy will detect these types of requests and force human interaction.

You can review a list of known bots and allow or block their activity within the common automated services policy group. Learn more about enabling and troubleshooting WAF bot protection in our dedicated guide.

Headless browsers

Challenge or block requests from users or devices that use automation tools to launch browsers. Headless browsers are sometimes used to perform DDoS attacks on websites, increase advertisement impressions, or automate websites in unintended ways. Activate this policy to protect your site from these types of attacks.


Challenge or block requests when a user or device uses an automation tool with rapid and aggressive scraping practices.

In certain cases, you may want to disable this policy, for example, if you have a travel website with aggregated data and you want to allow your partner sites to extract and display information on their own.
