| Tag name | API slug | Description |
|---|---|---|
| Abnormal Dynamic Requests | abnormaldynamicrequests | This session makes a high number of requests based on the site’s average number of requests. |
| Abnormal Request Volume | abnormalrequestvolume | The traffic from this client is relatively high for this domain. |
| Abnormal Traffic Volume | abnormaltrafficvolume | The traffic from this IP is relatively high for this domain. |
| Ajax Scraper | ajaxscraper | The number of ajax requests in this session is much higher compared to other sessions on this domain. |
| Anonymized Traffic | anonymizedtraffic | This IP’s provisioned traffic has several requests from an unidentified client. |
| Anonymizer Fingerprint | anonymizedfp | This fingerprint belongs to an anonymizer service. |
| Apache Struts | aps | This client attempted to exploit an Apache Struts vulnerability. |
| API Admin Access | apiadminaccess | This request is accessing an API endpoint with admin privileges. |
| API Admin User | apiadminuser | This client has been identified as an API admin user. |
| API Privileged Access | apiprivilegedaccess | This request is accessing an API endpoint with privileged access. |
| API Privileged User | apiprivilegeduser | This client has been identified as an API privileged user. |
| Auth Endpoint | authendpoint | This request is targeting an authentication endpoint. |
| Authentic User Agent | authenticuseragent | The user agent reported by the client is valid. |
| Automated Client | automatedclient | This client made identical, automated requests to the site’s resources. |
| Automated Dynamic Requests | automateddynamicrequests | This client made automated requests to the site’s dynamic pages. |
| Automation Driver | automationdriver | This client uses an unidentified headless browser. |
| BlockList.de | blocklistde | This malicious client was detected by BlockList.de. |
| Botnet Client | botnetclient | This IP is part of a botnet network. |
| Browser Based Bot | browserbasedbot | This session attempts to refresh the same page continuously to check for any changes. |
| Brute Force Attempt | bruteforceattempt | This client attempted to forcefully enter a web application’s login page. |
| Captcha Farm Bot Fingerprint | captchafarmbotfp | This client’s fingerprint failed the CAPTCHA challenge multiple times. |
| Captcha Farm Bot Usertag | captchafarmbotut | The client associated with this UserTag failed the CAPTCHA challenge multiple times. |
| Captcha Validation Failed | captchavalidationfailed | The CAPTCHA challenge was completed by a CAPTCHA farm. Thus, the user isn’t legitimate. |
| Cart Checkout | cartcheckout | This client initiated a cart checkout process. |
| Client Flood | clientflood | Multiple clients behind this IP perform requests simultaneously. |
| CMS Scanner | cmsscanner | This client scans web applications to find specific content management system administration or vulnerable pages. |
| Code Injection | cij | This client attempted to inject his code into the web application. |
| Common Web Application Vulnerabilities | cfg | This client attempted to exploit a common web application vulnerability. |
| Confirmed API | confirmedapi | This request has been confirmed as an API call. |
| Confirmed Automation | confirmedautomation | This client has been confirmed as being automated, based on the client’s behavior and the inability to pass WAAP response pages. |
| Content Delivery Network | cdn | This range belongs to a content delivery network company. |
| Content Scraper | contentscraper | This client is scraping content from the website. |
| Cross Site Request Forgery | csrf | This client attempted an attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated. |
| Cross-Site Scripting | xss | This client attempted Cross-Site Scripting (XSS) injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code. |
| DDOS Client | ddosclient | This IP was part of multiple DDoS attacks on this domain. |
| DOM Automation | domautomation | This client uses a document object model automation tool to make requests to this site. |
| Drupal Admin | drupaladmin | This client is the admin of this Drupal site. |
| Drupal Domain | drupaldomain | This domain is identified as a Drupal-based website. |
| Dynamic Page Scraper | injectedscraper | The number of dynamic requests in this session is much higher compared to other sessions on this domain. |
| Evasive Client | evasiveclient | This client failed to return a JavaScript fingerprint. |
| Evasive Traffic | evasivetraffic | This IP had multiple sessions that failed to return a JavaScript fingerprint. |
| Exceptionally High Request Volume | exceptionallyhighrequestvolume | This session made a high number of requests. Thus, it was blocked. |
| Extreme risk IP | extremeriskip | This IP has been identified as having extreme risk level. |
| Fake User-Agent | fakeuseragent | This client has been identified with a user agent that’s not compatible with browser properties. |
| Fast Form Submission | fastformsubmission | The duration between POST and GET requests is noticeably higher than the average duration for this domain. |
| Glove Extension | gloveextension | This client installed the Glove extension. |
| Headless Browser | headlessbrowser | This client uses a web browser without a graphical user interface (GUI). |
| Headless Browser Fingerprint | headlessbrowserfp | This client has a fingerprint of a headless browser. |
| High risk IP | highriskip | This IP has been identified as having high risk level. |
| Hosting Services | hostingservices | This IP belongs to a web hosting company. |
| Identified Automation | identifiedautomation | This client has been identified as being automated based on its behavior. |
| Ignore CCN Detection | ignoreccndetection | Ignore credit card number detection for this request. |
| Ignore Email Address Detection | ignoreemailaddressdetection | Ignore email address detection for this request. |
| Ignore Open Redirect | ignoreopenredirect | Ignore open redirect detection for this request. |
| Ignore Phone Number Detection | ignorephonenumberdetection | Ignore phone number detection for this request. |
| Ignore SSN Detection | ignoressndetection | Ignore social security number detection for this request. |
| Ignored Automation | ignoredautomation | This client’s automation has been explicitly ignored. |
| Indicate API Admin User | indicateapiadminuser | This request indicates an API admin user. |
| Indicate API Privileged User | indicateapiprivilegeduser | This request indicates an API privileged user. |
| Injection Attack | injectionattack | This client has been identified as a confirmed perpetrator of injection attacks. |
| Injection Attempt | injectionattempt | Multiple injection attempts were detected. |
| Intensive Traffic from Fingerprint | intensivetrafficfromfp | There is prolonged traffic coming from this fingerprint. |
| Invalid Captcha Validator | invalidcaptchavalidator | The client has completed the CAPTCHA challenge automatically. |
| Invalid Cookie | invalidcookie | This client presented invalid Gcore’s WAAP cookies. |
| Invalid Extensions String | invalidextensionsstring | This request contains an invalid extensions string. |
| Invalid Extensions String Requests | invalidextensionsstringrequests | Multiple requests with invalid extensions strings were detected. |
| Invalid Fingerprint | invalidfp | This client’s fingerprint is not valid. |
| Invalid Headers | invalidheaders | The request includes invalid header names or values according to RFC-9110. |
| Invalid User Agents | uag | This client has an invalid user agent, a request header string that lets servers and network peers identify the application, operating system, vendor, or version of the client. |
| IP Swapper | ipswapper | This client is switching IPs. |
| Item Added to Cart | itemaddedtocart | This client added an item to the shopping cart. |
| Joomla Admin | joomlaadmin | This client is the admin of this Joomla site. |
| Katalon Extension | katalonextension | This client installed the Katalon extension. |
| Known Bot | knownbot | This client is a known bot. |
| Legitimate Activity | legitimateactivity | This client’s activity has been identified as legitimate. |
| Local File Inclusion | lfi | This client attempted to trick the web application into including local files with malicious code. |
| Logged In | loggedin | This client is logged in. |
| Logged In User | loggedinuser | This client has been identified as a logged in user. |
| Login Page | loginpage | This request is targeting a login page. |
| Low risk IP | lowriskip | This IP has been identified as having low risk level. |
| Magento Admin | magentoadmin | This client is the admin for this Magento site. |
| Magento Domain | magentodomain | This domain is identified as a Magento-based website. |
| Malicious Activity | maliciousactivity | This client’s activity has been identified as malicious. |
| Malicious Crawler | maliciouscrawler | This client violates robots.txt directives. |
| Malicious TLS Fingerprint | malicioustlsfingerprint | This client has a TLS fingerprint associated with malicious activity. |
| Mechanical Requests | mechanicalrequests | This client makes requests at a steady rate. |
| Medium risk IP | mediumriskip | This IP has been identified as having medium risk level. |
| Modx Admin | modxadmin | This client is the admin of this Modex site. |
| Monitor | monitor | This request is being monitored. |
| Mouse Device | mousedevice | This client uses a device with a mouse. |
| MOZ Automation Extension | mozautomationextension | This client installed a suspicious extension. |
| Multiple Captcha Validation Fails | multiplecaptchavalidationfails | This client failed the captcha challenge multiple times. |
| Multiple Client Errors | multipleclienterrors | This client received multiple, consecutive 4XX errors. |
| Multiple Concurrent Clients | multipleconcurrentclients | Multiple stable sessions are coming from this IP. |
| Multiple Consecutive Challenges | multipleconsecutivechallenges | This client didn’t complete challenges for multiple consecutive sessions. |
| Multiple Errors | multipleerrors | A session that attempts to map a web application’s directory structure. |
| Multiple Failed Auth Attempts | multiplefailedauthattempts | This client has multiple failed authentication attempts. |
| Multiple Failed Challenges | multiplefailedchallenges | This session failed challenges multiple times. |
| Multiple Fake User Agent Sessions | multiplefakeuasessions | This IP had multiple sessions with a user agent that didn’t match the actual client type. |
| Multiple Forbidden Access Attempts | multipleforbiddenaccessattempts | This client has multiple forbidden access attempts. |
| Multiple Forbidden Ajax Requests | multipleforbiddenajaxrequests | This IP was forbidden in multiple, consecutive AJAX requests. |
| Multiple Forbidden Requests | multipleforbiddenrequests | This IP was denied access in multiple requests. |
| Multiple Invalid Auth Token | multipleinvalidauthtoken | This client has presented multiple invalid authentication tokens. |
| Multiple Invalid Cookies | multipleinvalidcookies | This client presented multiple invalid Gcore’s WAAP cookies. |
| Multiple Large Sessions | multiplelargesessions | Multiple clients behind this IP have a high number of requests. |
| Multiple No Event Sessions | multiplenoeventsessions | This client had multiple sessions with no UI events. |
| Multiple Refreshed Pages | multiplerefreshedpages | This client refreshed the same URL multiple times consecutively. |
| Multiple Repeated Requests | multiplerepeatedrequests | The IP address is making multiple repeated requests to a domain. |
| Multiple Repeated Violations | multiplerepeatedviolations | This client repeatedly failed to complete challenges. As a result, it was confirmed to be automated. |
| No Browser Ajax Calls | nobrowserajaxcalls | This client made requests to AJAX URLs without a browser. |
| No Plugins Fingerprint | nopluginsfp | This client’s fingerprint indicates that the client’s browser doesn’t have a plugin installed. |
| No risk IP | noriskip | This IP has been identified as having no risk level. |
| No UI Events | nouievents | This client didn’t create UI events. |
| Non Scriptable Client | nonscriptableclient | This client doesn’t have a JavaScript engine. |
| Open Redirect | ord | An open redirect attack has been detected. These attacks happen when an attacker manipulates URL queries to redirect users offsite. |
| Paid | paid | This client has completed a payment. |
| Paying User | payinguser | This client has been identified as a paying user. |
| Penalty | penalty | This client has received a penalty. |
| Personal Identifiable Information | pii | An exposure of personally identifiable information was detected. |
| PhantomJS | phantomjs | This client uses PhantomJS, a scripted, headless browser used for automating web page interaction. |
| Pimcore Domain | pimcoredomain | This domain is identified as a Pimcore-based website. |
| PimCore Admin | pimcoreadmin | The PimCore cookie for logged-in admin users was detected. |
| Prolonged Ajax Traffic | prolongedajaxtraffic | The AJAX requests from this IP continued for a long time. |
| Prolonged API Traffic | prolongedapitraffic | The API requests from this IP continued for a long time. |
| Prolonged Dynamic Traffic | prolongedinjectedtraffic | The dynamic requests from this IP continued for a long time. |
| Prolonged Not Injected Traffic | prolongednotinjectedtraffic | The requests from this IP continued for a long time. |
| Protocol Attack | rhi | A protocol attack was detected. |
| Proxy Network | proxynetwork | This IP is part of the anonymizer proxy network. |
| Rapid Requests | rapidbehaviour | This client made multiple fast requests in one or multiple sessions. |
| Registered | registered | This client is registered. |
| Registered User | registereduser | This client has been identified as a registered user. |
| Remote File Inclusion | rfi | This client attempted to trick the web application into including remote files with malicious code. |
| Request Maker Extension | requestmakerextension | This client installed the Request Maker extension. |
| Scanner | scanner | A client that scans web applications. |
| Selenium | selenium | This client uses Selenium, a portable software-testing framework for web applications. |
| Selenium Extension | seleniumextension | This client installed the Selenium extension. |
| Sensitive Data Exposure | sde | An exposure of sensitive data was detected. |
| Server-Side Template Injection | ssti | This client attempted a server-side template injection attack. |
| Session via Multiple Countries | multiplecountries | This client changed their country-of-origin multiple times in this session. |
| Sessionless Client | sessionlessclient | This client doesn’t maintain a session. |
| Shell Injection | shi | A shell (command) injection attack was detected. |
| ShellShock Attack | shs | This client attempted a ShellShock vulnerability, which in Bash allows remote code execution without confirmation. |
| Sideex Extension | sideexextension | This client installed the Sidexx extension. |
| Site Mapper | sitemapper | This client attempts to map a web application’s directory structure. |
| SP Honeypot Scanner | baitscanner | This IP was detected by scanning random servers. |
| Spam Bot | spambot | This IP’s client uses automation to generate multiple POST events that are suspected of being spam. |
| Spam Client | spamclient | This client made multiple consecutive POST requests with no referrer header. |
| Spamhaus | spamhaus | This malicious client was detected by Spamhaus. |
| SQL Injection | sql | This client attempted insertion or “injection” of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data, etc. |
| Static Scraper | staticscraper | The number of static requests in this session is much higher compared to other sessions on this domain. |
| Stop Forum Spam | stopforumspam | This malicious client was detected by Stop Forum Spam. |
| Suspected Automation | suspectedautomation | This traffic is suspected of being automated based on the traffic’s behavior. |
| Suspected Automation Fingerprint | suspiciousfp | This fingerprint belongs to a suspicious client. |
| Suspected Automation User Tag | suspiciousut | This user tag belongs to a suspicious client. |
| Suspected Proxy Network | suspectedproxynetwork | This IP is suspected of being part of a proxy network. |
| Suspicious Local IP | suspiciouslocalip | This session is making a high number of web page requests. |
| Suspicious Scraper | notinjectedscraper | The number of suspicious requests in this session is much higher compared to other sessions on this domain. |
| Thousand Eyes Extension | thousandeyesextension | This client installed the Thousand Eyes extension. |
| TOR Network | tor | This client is part of a TOR anonymizer network. |
| Touch Device | touchdevice | This client uses a touch device. |
| UI Events Pause | uieventspause | This client stopped creating UI events. |
| Unique Fingerprint | fpunique | There is a high probability that this fingerprint represents a single client. |
| Unverified Anonymized Fingerprint | unverifiedanonymizedfp | This fingerprint is suspected of being part of a VPN / proxy network. |
| Verified Headless Browser | verifiedheadlessbrowser | This client has been verified as a headless browser. |
| Visit Multiple Domains | visitmultipledomains | This client has visited a high number of Gcore domains. |
| VPN Network | vpnnetwork | This IP is part of a VPN network service. |
| Vulnerability Scanner | vulnerabilityscanner | A client that scans web applications for vulnerabilities. |
| Vulnerable Resource | vuln | An attempt to access a vulnerable resource was detected. |
| Web Shell | wbs | This client attempted to upload a web shell. A shell-like interface that enables a web server to be remotely accessed, often for cyber-attacks. |
| Webdriver | webdriver | This client is controlled by automated tools. |
| WordPress Admin | wordpressadmin | This client is the admin of this WordPress site. |
| WordPress Admin Detection | wad | A WordPress admin dashboard was detected. |
| WordPress Domain | wordpressdomain | This domain is identified as a WordPress-based website. |
| WordPress Vulnerability | wps | This client attempted to exploit a vulnerability related to the WordPress CMS. |
| XML External Entity | xxe | An XML external entity attack was detected. This attack may lead to the disclosure of confidential data, denial of service, server-side request forgery, and other system impacts. |
Tag rules
Predefined tags and their descriptions
We offer a range of predefined tags that you can use to filter and sanction web requests. These tags are generated by a behavioral component, which analyzes the traffic based on heuristics and AI models. Using these tags, you can configure tag-based rules both in the Customer Portal and via API.
Check the following table for a full list of predefined tags, their API slugs, and descriptions. For details on how to create tag-based rules, check our dedicated guide.