We offer a range of predefined tags that you can use to filter and sanction web requests. These tags are generated by a behavioral component, which analyzes the traffic based on heuristics and AI models. Using these tags, you can configure tag-based rules both in the Customer Portal and via API.
Check the following table for a full list of predefined tags, their API slugs, and descriptions. For details on how to create tag-based rules, check our dedicated guide.
Tag name | API slug | Description |
---|---|---|
Abnormal Dynamic Requests | abnormaldynamicrequests | This session makes a high number of requests based on the site's average number of requests. |
Abnormal Request Volume | abnormalrequestvolume | The traffic from this client is relatively high for this domain. |
Abnormal Traffic Volume | abnormaltrafficvolume | The traffic from this IP is relatively high for this domain. |
Abuse.ch | abusech | This malicious client was detected by Abuse.ch. |
Ajax Scraper | ajaxscraper | The number of ajax requests in this session is much higher compared to other sessions on this domain. |
Anonymized Traffic | anonymizedtraffic | This IP's provisioned traffic has several requests from an unidentified client. |
Anonymizer Fingerprint | anonymizedfp | This fingerprint belongs to an anonymizer service. |
Apache Struts | aps | This client attempted to exploit an Apache Struts vulnerability. |
Authentic User Agent | authenticuseragent | The user agent reported by the client is valid. |
Automated Client | automatedclient | This client made identical, automated requests to the site's resources. |
Automated Dynamic Requests | automateddynamicrequests | This client made automated requests to the site's dynamic pages. |
Automation Driver | automationdriver | This client uses an unidentified headless browser. |
BlockList.de | blocklistde | This malicious client was detected by BlockList.de. |
Botnet Client | botnetclient | This IP is part of a botnet network. |
Browser Based Bot | browserbasedbot | This session attempts to refresh the same page continuously to check for any changes. |
Brute Force Attempt | bruteforceattempt | This client attempted to forcefully enter a web application's login page. |
Captcha Farm Bot Fingerprint | captchafarmbotfp | This client's fingerprint failed the CAPTCHA challenge multiple times. |
Captcha Farm Bot Usertag | captchafarmbotut | The client associated with this UserTag failed the CAPTCHA challenge multiple times. |
Captcha Validation Failed | captchavalidationfailed | The CAPTCHA challenge was completed by a CAPTCHA farm. Thus, the user isn’t legitimate. |
CDN | cdn | This range belongs to a content delivery network company. |
Client Flood | clientflood | Multiple clients behind this IP perform requests simultaneously. |
CMS Scanner | cmsscanner | This client scans web applications to find specific content management system administration or vulnerable pages. |
Code Injection | cij | This client attempted to inject his code into the web application. |
Common Web Application | cfg | This client attempted to exploit a common web application vulnerability. |
Confirmed Automation | confirmedautomation | This client has been confirmed as being automated, based on the client's behavior and the inability to pass WAAP response pages. |
Multiple Repeated Requests | multiplerepeatedrequests | The IP address is making multiple repeated requests to a domain. |
Cross Site Request Forgery | csrf | This client attempted an attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated. |
Cross Site Scripting | xss | This client attempted Cross-Site Scripting (XSS) injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code. |
DDOS Client | ddosclient | This IP was part of multiple DDoS attacks on this domain. |
DOM Automation | domautomation | This client uses a document object model automation tool to make requests to this site. |
Drupal Admin | drupaladmin | This client is the admin of this Drupal site. |
Dynamic Page Scraper | injectedscraper | The number of dynamic requests in this session is much higher compared to other sessions on this domain. |
Evasive Client | evasiveclient | This client failed to return a JavaScript fingerprint. |
Evasive Traffic | evasivetraffic | This IP had multiple sessions that failed to return a JavaScript fingerprint. |
Exceptionally High Request Volume | exceptionallyhighrequestvolume | This session made a high number of requests. Thus, it was blocked. |
Fake User-Agent | fakeuseragent | This client has been identified with a user agent that’s not compatible with browser properties. |
Fast Form Submission | fastformsubmission | The duration between POST and GET requests is noticeably higher than the average duration for this domain. |
Glove Extension | gloveextension | This client installed the Glove extension. |
Headless Browser | headlessbrowser | This client uses a web browser without a graphical user interface (GUI). |
Headless Browser Fingerprint | headlessbrowserfp | This client has a fingerprint of a headless browser. |
Hosting Services | hostingservices | This IP belongs to a web hosting company. |
Identified Automation | identifiedautomation | This client has been identified as being automated based on its behavior. |
Injection Attack | injectionattack | This client has been identified as a confirmed perpetrator of injection attacks. |
Injection Attempt | injectionattempt | Multiple injection attempts were detected. |
Intensive Traffic from Fingerprint | intensivetrafficfromfp | There is prolonged traffic coming from this fingerprint. |
Invalid Captcha Validator | invalidcaptchavalidator | The client has completed the CAPTCHA challenge automatically. |
Invalid Cookie | invalidcookie | This client presented invalid Gcore’s WAAP cookies. |
Invalid Fingerprint | invalidfp | This client's fingerprint is not valid. |
Invalid User Agents | uag | This client has an invalid user agent, a request header string that lets servers and network peers identify the application, operating system, vendor, or version of the client. |
IP Swapper | ipswapper | This client is switching IPs. |
Joomla Admin | joomlaadmin | This client is the admin of this Joomla site. |
Katalon Extension | katalonextension | This client installed the Katalon extension. |
Known Bot | knownbot | This client is a known bot. |
Local File Inclusion | lfi | This client attempted to trick the web application into including local files with malicious code. |
Magento Admin | magentoadmin | This client is the admin for this Magento site. |
Malicious Crawler | maliciouscrawler | This client violates robots.txt directives. |
Mechanical Requests | mechanicalrequests | This client makes requests at a steady rate. |
Modx Admin | modxadmin | This client is the admin of this Modex site. |
Mouse Device | mousedevice | This client uses a device with a mouse. |
MOZ Automation Extension | mozautomationextension | This client installed a suspicious extension. |
Multiple Captcha Validation Fails | multiplecaptchavalidationfails | This client failed the captcha challenge multiple times. |
Multiple Client Errors | multipleclienterrors | This client received multiple, consecutive 4XX errors. |
Multiple Concurrent Clients | multipleconcurrentclients | Multiple stable sessions are coming from this IP. |
Multiple Consecutive Challenges | multipleconsecutivechallenges | This client didn’t complete challenges for multiple consecutive sessions. |
Multiple Errors | multipleerrors | A session that attempts to map a web application's directory structure. |
Multiple Failed Challenges | multiplefailedchallenges | This session failed challenges multiple times. |
Multiple Fake User Agent Sessions | multiplefakeuasessions | This IP had multiple sessions with a user agent that didn’t match the actual client type. |
Multiple Forbidden Ajax Requests | multipleforbiddenajaxrequests | This IP was forbidden in multiple, consecutive AJAX requests. |
Multiple Forbidden Requests | multipleforbiddenrequests | This IP was denied access in multiple requests. |
Multiple Large Sessions | multiplelargesessions | Multiple clients behind this IP have a high number of requests. |
Multiple No Event Sessions | multiplenoeventsessions | This client had multiple sessions with no UI events. |
Multiple Refreshed Pages | multiplerefreshedpages | This client refreshed the same URL multiple times consecutively. |
Multiple Repeated Violations | multiplerepeatedviolations | This client repeatedly failed to complete challenges. As a result, it was confirmed to be automated. |
No Browser Ajax Calls | nobrowserajaxcalls | This client made requests to AJAX URLs without a browser. |
No Plugins Fingerprint | nopluginsfp | This client's fingerprint indicates that the client's browser doesn’t have a plugin installed. |
No UI Events | nouievents | This client didn’t create UI events. |
Non-Scriptable Client | nonscriptableclient | This client doesn’t have a JavaScript engine. |
Not Unique Fingerprint | fpnotunique | There is a high probability that this fingerprint represents multiple clients. |
Open Redirect | ord | An open redirect attack has been detected. These attacks happen when an attacker manipulates URL queries to redirect users offsite. |
Personal Identifiable Information | pii | An exposure of personally identifiable information was detected. |
PhantomJS | phantomjs | This client uses PhantomJS, a scripted, headless browser used for automating web page interaction. |
PimCore Admin | pimcoreadmin | The PimCore cookie for logged-in admin users was detected. |
Prolonged Ajax Traffic | prolongedajaxtraffic | The AJAX requests from this IP continued for a long time. |
Prolonged API Traffic | prolongedapitraffic | The API requests from this IP continued for a long time. |
Prolonged Dynamic Traffic | prolongedinjectedtraffic | The dynamic requests from this IP continued for a long time. |
Prolonged Not Injected Traffic | prolongednotinjectedtraffic | The requests from this IP continued for a long time. |
Protocol Attack | rhi | A protocol attack was detected. |
Proxy Network | proxynetwork | This IP is part of the anonymizer proxy network. |
Rapid Requests | rapidbehaviour | This client made multiple fast requests in one or multiple sessions. |
Remote File Inclusion | rfi | This client attempted to trick the web application into including remote files with malicious code. |
Request Maker Extension | requestmakerextension | This client installed the Request Maker extension. |
Scanner | scanner | A client that scans web applications. |
Selenium | selenium | This client uses Selenium, a portable software-testing framework for web applications. |
Selenium Extension | seleniumextension | This client installed the Selenium extension. |
Sensitive Data Exposure | sde | An exposure of sensitive data was detected. |
Session via Multiple Countries | multiplecountries | This client changed their country-of-origin multiple times in this session. |
Sessionless Client | sessionlessclient | This client doesn’t maintain a session. |
Shell Injection | shi | A shell (command) injection attack was detected. |
ShellShock Attack | shs | This client attempted a ShellShock vulnerability, which in Bash allows remote code execution without confirmation. |
Sideex Extension | sideexextension | This client installed the Sidexx extension. |
Site Mapper | sitemapper | This client attempts to map a web application's directory structure. |
SP Honeypot Scanner | baitscanner | This IP was detected by scanning random servers. |
Spam Bot | spambot | This IP's client uses automation to generate multiple POST events that are suspected of being spam. |
Spam Client | spamclient | This client made multiple consecutive POST requests with no referrer header. |
Spamhaus | spamhaus | This malicious client was detected by Spamhaus. |
SQL Injection | sql | This client attempted insertion or “injection” of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data, etc. |
Static Scraper | staticscraper | The number of static requests in this session is much higher compared to other sessions on this domain. |
Stop Forum Spam | stopforumspam | This malicious client was detected by Stop Forum Spam. |
Suspected Automation | suspectedautomation | This traffic is suspected of being automated based on the traffic's behavior. |
Suspected Automation Fingerprint | suspiciousfp | This fingerprint belongs to a suspicious client. |
Suspected Automation User Tag | suspiciousut | This user tag belongs to a suspicious client. |
Suspected Proxy Network | suspectedproxynetwork | This IP is suspected of being part of a proxy network. |
Suspicious Local IP | suspiciouslocalip | This session is making a high number of web page requests. |
Suspicious Scraper | notinjectedscraper | The number of suspicious requests in this session is much higher compared to other sessions on this domain. |
Thousand Eyes Extension | thousandeyesextension | This client installed the Thousand Eyes extension. |
TOR Network | tor | This client is part of a TOR anonymizer network. |
Touch Device | touchdevice | This client uses a touch device. |
UI Events Detected | uieventdetected | This client created UI events. |
UI Events Pause | uieventspause | This client stopped creating UI events. |
Unique Fingerprint | fpunique | There is a high probability that this fingerprint represents a single client. |
Unverified Anonymized Fingerprint | unverifiedanonymizedfp | This fingerprint is suspected of being part of a VPN / proxy network. |
Verified Headless Browser | verifiedheadlessbrowser | This client has been verified as a headless browser. |
Visit Multiple Domains | visitmultipledomains | This client has visited a high number of Gcore domains. |
VPN Network | vpnnetwork | This IP is part of a VPN network service. |
Vulnerability Scanner | vulnerabilityscanner | A client that scans web applications for vulnerabilities. |
Vulnerable Resource | vuln | An attempt to access a vulnerable resource was detected. |
Web Shell | wbs | This client attempted to upload a web shell. A shell-like interface that enables a web server to be remotely accessed, often for cyber-attacks. |
Webdriver | webdriver | This client is controlled by automated tools. |
Wordpress Admin | wordpressadmin | This client is the admin of this WordPress site. |
WordPress Admin Detection | wad | A WordPress admin dashboard was detected. |
WordPress Vulnerability | wps | This client attempted to exploit a vulnerability related to the WordPress CMS. |
XML External Entity | xxe | An XML external entity attack was detected. This attack may lead to the disclosure of confidential data, denial of service, server-side request forgery, and other system impacts. |
Was this article helpful?