> ## Documentation Index
> Fetch the complete documentation index at: https://gcore.com/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Predefined tags and their descriptions

We offer a range of predefined tags that you can use to filter and sanction web requests. These tags are generated by a behavioral component, which analyzes the traffic based on heuristics and AI models. Using these tags, you can configure tag-based rules both in the Customer Portal and via API.

Check the following table for a full list of predefined tags, their API slugs, and descriptions. For details on how to create tag-based rules, check our [dedicated guide](/waap/waap-rules/custom-rules/tag-rules).

| Tag name                               | API slug                        | Description                                                                                                                                                                                                                       |
| -------------------------------------- | ------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Abnormal Dynamic Requests              | abnormaldynamicrequests         | This session makes a high number of requests based on the site's average number of requests.                                                                                                                                      |
| Abnormal Request Volume                | abnormalrequestvolume           | The traffic from this client is relatively high for this domain.                                                                                                                                                                  |
| Abnormal Traffic Volume                | abnormaltrafficvolume           | The traffic from this IP is relatively high for this domain.                                                                                                                                                                      |
| Ajax Scraper                           | ajaxscraper                     | The number of ajax requests in this session is much higher compared to other sessions on this domain.                                                                                                                             |
| Anonymized Traffic                     | anonymizedtraffic               | This IP's provisioned traffic has several requests from an unidentified client.                                                                                                                                                   |
| Anonymizer Fingerprint                 | anonymizedfp                    | This fingerprint belongs to an anonymizer service.                                                                                                                                                                                |
| Apache Struts                          | aps                             | This client attempted to exploit an Apache Struts vulnerability.                                                                                                                                                                  |
| API Admin Access                       | apiadminaccess                  | This request is accessing an API endpoint with admin privileges.                                                                                                                                                                  |
| API Admin User                         | apiadminuser                    | This client has been identified as an API admin user.                                                                                                                                                                             |
| API Privileged Access                  | apiprivilegedaccess             | This request is accessing an API endpoint with privileged access.                                                                                                                                                                 |
| API Privileged User                    | apiprivilegeduser               | This client has been identified as an API privileged user.                                                                                                                                                                        |
| Auth Endpoint                          | authendpoint                    | This request is targeting an authentication endpoint.                                                                                                                                                                             |
| Authentic User Agent                   | authenticuseragent              | The user agent reported by the client is valid.                                                                                                                                                                                   |
| Automated Client                       | automatedclient                 | This client made identical, automated requests to the site's resources.                                                                                                                                                           |
| Automated Dynamic Requests             | automateddynamicrequests        | This client made automated requests to the site's dynamic pages.                                                                                                                                                                  |
| Automation Driver                      | automationdriver                | This client uses an unidentified headless browser.                                                                                                                                                                                |
| BlockList.de                           | blocklistde                     | This malicious client was detected by BlockList.de.                                                                                                                                                                               |
| Botnet Client                          | botnetclient                    | This IP is part of a botnet network.                                                                                                                                                                                              |
| Browser Based Bot                      | browserbasedbot                 | This session attempts to refresh the same page continuously to check for any changes.                                                                                                                                             |
| Brute Force Attempt                    | bruteforceattempt               | This client attempted to forcefully enter a web application's login page.                                                                                                                                                         |
| Captcha Farm Bot Fingerprint           | captchafarmbotfp                | This client's fingerprint failed the CAPTCHA challenge multiple times.                                                                                                                                                            |
| Captcha Farm Bot Usertag               | captchafarmbotut                | The client associated with this UserTag failed the CAPTCHA challenge multiple times.                                                                                                                                              |
| Captcha Validation Failed              | captchavalidationfailed         | The CAPTCHA challenge was completed by a CAPTCHA farm. Thus, the user isn't legitimate.                                                                                                                                           |
| Cart Checkout                          | cartcheckout                    | This client initiated a cart checkout process.                                                                                                                                                                                    |
| Client Flood                           | clientflood                     | Multiple clients behind this IP perform requests simultaneously.                                                                                                                                                                  |
| CMS Scanner                            | cmsscanner                      | This client scans web applications to find specific content management system administration or vulnerable pages.                                                                                                                 |
| Code Injection                         | cij                             | This client attempted to inject his code into the web application.                                                                                                                                                                |
| Common Web Application Vulnerabilities | cfg                             | This client attempted to exploit a common web application vulnerability.                                                                                                                                                          |
| Confirmed API                          | confirmedapi                    | This request has been confirmed as an API call.                                                                                                                                                                                   |
| Confirmed Automation                   | confirmedautomation             | This client has been confirmed as being automated, based on the client's behavior and the inability to pass WAAP response pages.                                                                                                  |
| Content Delivery Network               | cdn                             | This range belongs to a content delivery network company.                                                                                                                                                                         |
| Content Scraper                        | contentscraper                  | This client is scraping content from the website.                                                                                                                                                                                 |
| Cross Site Request Forgery             | csrf                            | This client attempted an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated.                                                                                |
| Cross-Site Scripting                   | xss                             | This client attempted Cross-Site Scripting (XSS) injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code. |
| DDOS Client                            | ddosclient                      | This IP was part of multiple DDoS attacks on this domain.                                                                                                                                                                         |
| DOM Automation                         | domautomation                   | This client uses a document object model automation tool to make requests to this site.                                                                                                                                           |
| Drupal Admin                           | drupaladmin                     | This client is the admin of this Drupal site.                                                                                                                                                                                     |
| Drupal Domain                          | drupaldomain                    | This domain is identified as a Drupal-based website.                                                                                                                                                                              |
| Dynamic Page Scraper                   | injectedscraper                 | The number of dynamic requests in this session is much higher compared to other sessions on this domain.                                                                                                                          |
| Evasive Client                         | evasiveclient                   | This client failed to return a JavaScript fingerprint.                                                                                                                                                                            |
| Evasive Traffic                        | evasivetraffic                  | This IP had multiple sessions that failed to return a JavaScript fingerprint.                                                                                                                                                     |
| Exceptionally High Request Volume      | exceptionallyhighrequestvolume  | This session made a high number of requests. Thus, it was blocked.                                                                                                                                                                |
| Extreme risk IP                        | extremeriskip                   | This IP has been identified as having extreme risk level.                                                                                                                                                                         |
| Fake User-Agent                        | fakeuseragent                   | This client has been identified with a user agent that's not compatible with browser properties.                                                                                                                                  |
| Fast Form Submission                   | fastformsubmission              | The duration between POST and GET requests is noticeably higher than the average duration for this domain.                                                                                                                        |
| Glove Extension                        | gloveextension                  | This client installed the Glove extension.                                                                                                                                                                                        |
| Headless Browser                       | headlessbrowser                 | This client uses a web browser without a graphical user interface (GUI).                                                                                                                                                          |
| Headless Browser Fingerprint           | headlessbrowserfp               | This client has a fingerprint of a headless browser.                                                                                                                                                                              |
| High risk IP                           | highriskip                      | This IP has been identified as having high risk level.                                                                                                                                                                            |
| Hosting Services                       | hostingservices                 | This IP belongs to a web hosting company.                                                                                                                                                                                         |
| Identified Automation                  | identifiedautomation            | This client has been identified as being automated based on its behavior.                                                                                                                                                         |
| Ignore CCN Detection                   | ignoreccndetection              | Ignore credit card number detection for this request.                                                                                                                                                                             |
| Ignore Email Address Detection         | ignoreemailaddressdetection     | Ignore email address detection for this request.                                                                                                                                                                                  |
| Ignore Open Redirect                   | ignoreopenredirect              | Ignore open redirect detection for this request.                                                                                                                                                                                  |
| Ignore Phone Number Detection          | ignorephonenumberdetection      | Ignore phone number detection for this request.                                                                                                                                                                                   |
| Ignore SSN Detection                   | ignoressndetection              | Ignore social security number detection for this request.                                                                                                                                                                         |
| Ignored Automation                     | ignoredautomation               | This client's automation has been explicitly ignored.                                                                                                                                                                             |
| Indicate API Admin User                | indicateapiadminuser            | This request indicates an API admin user.                                                                                                                                                                                         |
| Indicate API Privileged User           | indicateapiprivilegeduser       | This request indicates an API privileged user.                                                                                                                                                                                    |
| Injection Attack                       | injectionattack                 | This client has been identified as a confirmed perpetrator of injection attacks.                                                                                                                                                  |
| Injection Attempt                      | injectionattempt                | Multiple injection attempts were detected.                                                                                                                                                                                        |
| Intensive Traffic from Fingerprint     | intensivetrafficfromfp          | There is prolonged traffic coming from this fingerprint.                                                                                                                                                                          |
| Invalid Captcha Validator              | invalidcaptchavalidator         | The client has completed the CAPTCHA challenge automatically.                                                                                                                                                                     |
| Invalid Cookie                         | invalidcookie                   | This client presented invalid Gcore's WAAP cookies.                                                                                                                                                                               |
| Invalid Extensions String              | invalidextensionsstring         | This request contains an invalid extensions string.                                                                                                                                                                               |
| Invalid Extensions String Requests     | invalidextensionsstringrequests | Multiple requests with invalid extensions strings were detected.                                                                                                                                                                  |
| Invalid Fingerprint                    | invalidfp                       | This client's fingerprint is not valid.                                                                                                                                                                                           |
| Invalid Headers                        | invalidheaders                  | The request includes invalid header names or values according to [RFC-9110](https://www.rfc-editor.org/rfc/rfc9110.html#section-5).                                                                                               |
| Invalid User Agents                    | uag                             | This client has an invalid user agent, a request header string that lets servers and network peers identify the application, operating system, vendor, or version of the client.                                                  |
| IP Swapper                             | ipswapper                       | This client is switching IPs.                                                                                                                                                                                                     |
| Item Added to Cart                     | itemaddedtocart                 | This client added an item to the shopping cart.                                                                                                                                                                                   |
| Joomla Admin                           | joomlaadmin                     | This client is the admin of this Joomla site.                                                                                                                                                                                     |
| Katalon Extension                      | katalonextension                | This client installed the Katalon extension.                                                                                                                                                                                      |
| Known Bot                              | knownbot                        | This client is a known bot.                                                                                                                                                                                                       |
| Legitimate Activity                    | legitimateactivity              | This client's activity has been identified as legitimate.                                                                                                                                                                         |
| Local File Inclusion                   | lfi                             | This client attempted to trick the web application into including local files with malicious code.                                                                                                                                |
| Logged In                              | loggedin                        | This client is logged in.                                                                                                                                                                                                         |
| Logged In User                         | loggedinuser                    | This client has been identified as a logged in user.                                                                                                                                                                              |
| Login Page                             | loginpage                       | This request is targeting a login page.                                                                                                                                                                                           |
| Low risk IP                            | lowriskip                       | This IP has been identified as having low risk level.                                                                                                                                                                             |
| Magento Admin                          | magentoadmin                    | This client is the admin for this Magento site.                                                                                                                                                                                   |
| Magento Domain                         | magentodomain                   | This domain is identified as a Magento-based website.                                                                                                                                                                             |
| Malicious Activity                     | maliciousactivity               | This client's activity has been identified as malicious.                                                                                                                                                                          |
| Malicious Crawler                      | maliciouscrawler                | This client violates robots.txt directives.                                                                                                                                                                                       |
| Malicious TLS Fingerprint              | malicioustlsfp                  | This client has a TLS [fingerprint](/waap/threat-intelligence/tls-fingerprinting) associated with malicious activity.                                                                                                             |
| Mechanical Requests                    | mechanicalrequests              | This client makes requests at a steady rate.                                                                                                                                                                                      |
| Medium risk IP                         | mediumriskip                    | This IP has been identified as having medium risk level.                                                                                                                                                                          |
| Modx Admin                             | modxadmin                       | This client is the admin of this Modex site.                                                                                                                                                                                      |
| Monitor                                | monitor                         | This request is being monitored.                                                                                                                                                                                                  |
| Mouse Device                           | mousedevice                     | This client uses a device with a mouse.                                                                                                                                                                                           |
| MOZ Automation Extension               | mozautomationextension          | This client installed a suspicious extension.                                                                                                                                                                                     |
| Multiple Captcha Validation Fails      | multiplecaptchavalidationfails  | This client failed the captcha challenge multiple times.                                                                                                                                                                          |
| Multiple Client Errors                 | multipleclienterrors            | This client received multiple, consecutive 4XX errors.                                                                                                                                                                            |
| Multiple Concurrent Clients            | multipleconcurrentclients       | Multiple stable sessions are coming from this IP.                                                                                                                                                                                 |
| Multiple Consecutive Challenges        | multipleconsecutivechallenges   | This client didn't complete challenges for multiple consecutive sessions.                                                                                                                                                         |
| Multiple Errors                        | multipleerrors                  | A session that attempts to map a web application's directory structure.                                                                                                                                                           |
| Multiple Failed Auth Attempts          | multiplefailedauthattempts      | This client has multiple failed authentication attempts.                                                                                                                                                                          |
| Multiple Failed Challenges             | multiplefailedchallenges        | This session failed challenges multiple times.                                                                                                                                                                                    |
| Multiple Fake User Agent Sessions      | multiplefakeuasessions          | This IP had multiple sessions with a user agent that didn't match the actual client type.                                                                                                                                         |
| Multiple Forbidden Access Attempts     | multipleforbiddenaccessattempts | This client has multiple forbidden access attempts.                                                                                                                                                                               |
| Multiple Forbidden Ajax Requests       | multipleforbiddenajaxrequests   | This IP was forbidden in multiple, consecutive AJAX requests.                                                                                                                                                                     |
| Multiple Forbidden Requests            | multipleforbiddenrequests       | This IP was denied access in multiple requests.                                                                                                                                                                                   |
| Multiple Invalid Auth Token            | multipleinvalidauthtoken        | This client has presented multiple invalid authentication tokens.                                                                                                                                                                 |
| Multiple Invalid Cookies               | multipleinvalidcookies          | This client presented multiple invalid Gcore's WAAP cookies.                                                                                                                                                                      |
| Multiple Large Sessions                | multiplelargesessions           | Multiple clients behind this IP have a high number of requests.                                                                                                                                                                   |
| Multiple No Event Sessions             | multiplenoeventsessions         | This client had multiple sessions with no UI events.                                                                                                                                                                              |
| Multiple Refreshed Pages               | multiplerefreshedpages          | This client refreshed the same URL multiple times consecutively.                                                                                                                                                                  |
| Multiple Repeated Requests             | multiplerepeatedrequests        | The IP address is making multiple repeated requests to a domain.                                                                                                                                                                  |
| Multiple Repeated Violations           | multiplerepeatedviolations      | This client repeatedly failed to complete challenges. As a result, it was confirmed to be automated.                                                                                                                              |
| No Browser Ajax Calls                  | nobrowserajaxcalls              | This client made requests to AJAX URLs without a browser.                                                                                                                                                                         |
| No Plugins Fingerprint                 | nopluginsfp                     | This client's fingerprint indicates that the client's browser doesn't have a plugin installed.                                                                                                                                    |
| No risk IP                             | noriskip                        | This IP has been identified as having no risk level.                                                                                                                                                                              |
| No UI Events                           | nouievents                      | This client didn't create UI events.                                                                                                                                                                                              |
| Non Scriptable Client                  | nonscriptableclient             | This client doesn't have a JavaScript engine.                                                                                                                                                                                     |
| Open Redirect                          | ord                             | An open redirect attack has been detected. These attacks happen when an attacker manipulates URL queries to redirect users offsite.                                                                                               |
| Paid                                   | paid                            | This client has completed a payment.                                                                                                                                                                                              |
| Paying User                            | payinguser                      | This client has been identified as a paying user.                                                                                                                                                                                 |
| Penalty                                | penalty                         | This client has received a penalty.                                                                                                                                                                                               |
| Personal Identifiable Information      | pii                             | An exposure of personally identifiable information was detected.                                                                                                                                                                  |
| PhantomJS                              | phantomjs                       | This client uses PhantomJS, a scripted, headless browser used for automating web page interaction.                                                                                                                                |
| Pimcore Domain                         | pimcoredomain                   | This domain is identified as a Pimcore-based website.                                                                                                                                                                             |
| PimCore Admin                          | pimcoreadmin                    | The PimCore cookie for logged-in admin users was detected.                                                                                                                                                                        |
| Prolonged Ajax Traffic                 | prolongedajaxtraffic            | The AJAX requests from this IP continued for a long time.                                                                                                                                                                         |
| Prolonged API Traffic                  | prolongedapitraffic             | The API requests from this IP continued for a long time.                                                                                                                                                                          |
| Prolonged Dynamic Traffic              | prolongedinjectedtraffic        | The dynamic requests from this IP continued for a long time.                                                                                                                                                                      |
| Prolonged Not Injected Traffic         | prolongednotinjectedtraffic     | The requests from this IP continued for a long time.                                                                                                                                                                              |
| Protocol Attack                        | rhi                             | A protocol attack was detected.                                                                                                                                                                                                   |
| Proxy Network                          | proxynetwork                    | This IP is part of the anonymizer proxy network.                                                                                                                                                                                  |
| Rapid Requests                         | rapidbehaviour                  | This client made multiple fast requests in one or multiple sessions.                                                                                                                                                              |
| Registered                             | registered                      | This client is registered.                                                                                                                                                                                                        |
| Registered User                        | registereduser                  | This client has been identified as a registered user.                                                                                                                                                                             |
| Remote File Inclusion                  | rfi                             | This client attempted to trick the web application into including remote files with malicious code.                                                                                                                               |
| Request Maker Extension                | requestmakerextension           | This client installed the Request Maker extension.                                                                                                                                                                                |
| Scanner                                | scanner                         | A client that scans web applications.                                                                                                                                                                                             |
| Selenium                               | selenium                        | This client uses Selenium, a portable software-testing framework for web applications.                                                                                                                                            |
| Selenium Extension                     | seleniumextension               | This client installed the Selenium extension.                                                                                                                                                                                     |
| Sensitive Data Exposure                | sde                             | An exposure of sensitive data was detected.                                                                                                                                                                                       |
| Server-Side Template Injection         | ssti                            | This client attempted a server-side template injection attack.                                                                                                                                                                    |
| Session via Multiple Countries         | multiplecountries               | This client changed their country-of-origin multiple times in this session.                                                                                                                                                       |
| Sessionless Client                     | sessionlessclient               | This client doesn't maintain a session.                                                                                                                                                                                           |
| Shell Injection                        | shi                             | A shell (command) injection attack was detected.                                                                                                                                                                                  |
| ShellShock Attack                      | shs                             | This client attempted a ShellShock vulnerability, which in Bash allows remote code execution without confirmation.                                                                                                                |
| Sideex Extension                       | sideexextension                 | This client installed the Sidexx extension.                                                                                                                                                                                       |
| Site Mapper                            | sitemapper                      | This client attempts to map a web application's directory structure.                                                                                                                                                              |
| SP Honeypot Scanner                    | baitscanner                     | This IP was detected by scanning random servers.                                                                                                                                                                                  |
| Spam Bot                               | spambot                         | This IP's client uses automation to generate multiple POST events that are suspected of being spam.                                                                                                                               |
| Spam Client                            | spamclient                      | This client made multiple consecutive POST requests with no referrer header.                                                                                                                                                      |
| Spamhaus                               | spamhaus                        | This malicious client was detected by Spamhaus.                                                                                                                                                                                   |
| SQL Injection                          | sql                             | This client attempted insertion or "injection" of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data, etc.     |
| Static Scraper                         | staticscraper                   | The number of static requests in this session is much higher compared to other sessions on this domain.                                                                                                                           |
| Stop Forum Spam                        | stopforumspam                   | This malicious client was detected by Stop Forum Spam.                                                                                                                                                                            |
| Suspected Automation                   | suspectedautomation             | This traffic is suspected of being automated based on the traffic's behavior.                                                                                                                                                     |
| Suspected Automation Fingerprint       | suspiciousfp                    | This fingerprint belongs to a suspicious client.                                                                                                                                                                                  |
| Suspected Automation User Tag          | suspiciousut                    | This user tag belongs to a suspicious client.                                                                                                                                                                                     |
| Suspected Proxy Network                | suspectedproxynetwork           | This IP is suspected of being part of a proxy network.                                                                                                                                                                            |
| Suspicious Local IP                    | suspiciouslocalip               | This session is making a high number of web page requests.                                                                                                                                                                        |
| Suspicious Scraper                     | notinjectedscraper              | The number of suspicious requests in this session is much higher compared to other sessions on this domain.                                                                                                                       |
| Thousand Eyes Extension                | thousandeyesextension           | This client installed the Thousand Eyes extension.                                                                                                                                                                                |
| TOR Network                            | tor                             | This client is part of a TOR anonymizer network.                                                                                                                                                                                  |
| Touch Device                           | touchdevice                     | This client uses a touch device.                                                                                                                                                                                                  |
| UI Events Pause                        | uieventspause                   | This client stopped creating UI events.                                                                                                                                                                                           |
| Unique Fingerprint                     | fpunique                        | There is a high probability that this fingerprint represents a single client.                                                                                                                                                     |
| Unverified Anonymized Fingerprint      | unverifiedanonymizedfp          | This fingerprint is suspected of being part of a VPN / proxy network.                                                                                                                                                             |
| Verified Headless Browser              | verifiedheadlessbrowser         | This client has been verified as a headless browser.                                                                                                                                                                              |
| Visit Multiple Domains                 | visitmultipledomains            | This client has visited a high number of Gcore domains.                                                                                                                                                                           |
| VPN Network                            | vpnnetwork                      | This IP is part of a VPN network service.                                                                                                                                                                                         |
| Vulnerability Scanner                  | vulnerabilityscanner            | A client that scans web applications for vulnerabilities.                                                                                                                                                                         |
| Vulnerable Resource                    | vuln                            | An attempt to access a vulnerable resource was detected.                                                                                                                                                                          |
| Web Shell                              | wbs                             | This client attempted to upload a web shell. A shell-like interface that enables a web server to be remotely accessed, often for cyber-attacks.                                                                                   |
| Webdriver                              | webdriver                       | This client is controlled by automated tools.                                                                                                                                                                                     |
| WordPress Admin                        | wordpressadmin                  | This client is the admin of this WordPress site.                                                                                                                                                                                  |
| WordPress Admin Detection              | wad                             | A WordPress admin dashboard was detected.                                                                                                                                                                                         |
| WordPress Domain                       | wordpressdomain                 | This domain is identified as a WordPress-based website.                                                                                                                                                                           |
| WordPress Vulnerability                | wps                             | This client attempted to exploit a vulnerability related to the WordPress CMS.                                                                                                                                                    |
| XML External Entity                    | xxe                             | An XML external entity attack was detected. This attack may lead to the disclosure of confidential data, denial of service, server-side request forgery, and other system impacts.                                                |
