WAAP uses behavioral WAF to block non-human traffic from accessing your application, including scanners, bots, and other automated tools.
To protect your site from malicious attacks, we use JavaScript injection. This method ensures that we get all necessary information to block automated traffic from reaching your origin server. Meanwhile, all known bots, such as search engines, can still access your app.
ℹ️
Info
This policy group is available in the Pro and Enterprise plans. More details on the Security pricing page.
Configure Bot Attacks rules
Our WAAP includes pre-defined bot protection rules to protect your site from automated traffic. You can review and configure them in the CDB Technical Web Portal:
1. Navigate to WAAP > Bot Management.
2. In the domain dropdown at the top right of the page, select the needed domain.
3. The Bot Attacks tab displays all available bot protection rules.
ℹ️
Info
The Invalid user agent and Unknown user agent policies are set to Protection mode by default. Other policies are set to Disabled. To change a policy mode, click the dropdown near that policy.
Anti-spam
Challenge-identified submission spammers using CAPTCHA and JavaScript validation.
Traffic anomaly
Challenge or block requests when the user or device doesn't maintain cookies or execute JavaScript correctly. If this happens, users are presented with either CAPTCHA or JavaScript validation screen.
Automated clients
Challenge or block requests from automated sessions. Automated clients are usually bots looking to hack, spam, spy, or generally compromise your website. Activating this policy will detect these requests and force human interaction.
You can review a list of known bots and configure their mode within the Known Bots section. Learn more about enabling and troubleshooting bot protection in our dedicated guide.
Headless browsers
Challenge or block requests from users or devices that use automation tools to launch browsers. Headless browsers are sometimes used to perform DDoS attacks on websites, increase advertisement impressions, or automate websites in unintended ways. Activate this policy to protect your site from these attacks.
Anti-scraping
Challenge or block requests when a user or device uses an automation tool with rapid and aggressive scraping practices.
In certain cases, you may want to disable this policy. For example, if you have a travel website with aggregated data and want to allow partners to extract and display information on their own sites.
Vulnerability Scanner
Challenge or block requests from automated vulnerability scanners. Vulnerability scanners are security tools that systematically probe websites and applications to identify known weaknesses using techniques like port scanning, service enumeration, and vulnerability signature matching.
These tools are commonly used for legitimate security testing, but attackers may also use them to discover exploitable flaws.
Anti-automation and Bot Protection policies defend against non-human traffic by detecting and challenging or blocking requests from bots, scrapers, headless browsers, and vulnerability scanners. Two policies — Invalid user agent and Unknown user agent — are enabled by default; all others are disabled and can be enabled as needed.
ℹ️
An API token is required, along with the ID of a WAAP-protected domain and the Python or Go SDK installed for SDK examples. This policy group is available on the Pro and Enterprise WAAP plans.
Retrieve the current mode of all Anti-automation and Bot Protection policies for a domain.
import gcore
import os
client = gcore.CDB(api_key=os.environ["GCORE_API_KEY"])
domain_id = int(os.environ["WAAP_DOMAIN_ID"])
rule_sets = client.waap.domains.list_rule_sets(domain_id)
aa_set = next(
rs for rs in rule_sets if rs.resource_slug == "anti-automation-bot-protection"
)
for policy in aa_set.rules:
status = "enabled" if policy.mode else "disabled"
print(f"{policy.name}: {status} ({policy.id})")
package main
import (
"context"
"fmt"
"os"
"strconv"
gcore "github.com/G-Core/gcore-go"
"github.com/G-Core/gcore-go/option"
)
func main() {
client := gcore.NewClient(option.WithAPIKey(os.Getenv("GCORE_API_KEY")))
domainID, _ := strconv.ParseInt(os.Getenv("WAAP_DOMAIN_ID"), 10, 64)
ruleSets, _ := client.Waap.Domains.ListRuleSets(context.Background(), domainID)
for _, rs := range *ruleSets {
if rs.ResourceSlug == "anti-automation-bot-protection" {
for _, policy := range rs.Rules {
status := "disabled"
if policy.Mode {
status = "enabled"
}
fmt.Printf("%s: %s (%s)\n", policy.Name, status, policy.ID)
}
}
}
}
The response includes each policy in the group with its ID and current state. mode: true means enabled; mode: false means disabled.
Toggle a policy
Switch a policy between enabled and disabled. Each call flips the current mode. Use the policy ID returned by the View policy states request.
⚠️
This endpoint toggles the current state rather than setting a specific value. If the target state is unknown, check the current policy state first using the View policy states request.
import gcore
import os
client = gcore.CDB(api_key=os.environ["GCORE_API_KEY"])
domain_id = int(os.environ["WAAP_DOMAIN_ID"])
# Find the policy ID by name
rule_sets = client.waap.domains.list_rule_sets(domain_id)
aa_set = next(
rs for rs in rule_sets if rs.resource_slug == "anti-automation-bot-protection"
)
policy = next(r for r in aa_set.rules if r.name == "Anti-spam")
result = client.waap.domains.policies.toggle(policy.id, domain_id=domain_id)
status = "enabled" if result.mode else "disabled"
print(f"Anti-spam is now {status}")
package main
import (
"context"
"fmt"
"os"
"strconv"
gcore "github.com/G-Core/gcore-go"
"github.com/G-Core/gcore-go/option"
"github.com/G-Core/gcore-go/waap"
)
func main() {
client := gcore.NewClient(option.WithAPIKey(os.Getenv("GCORE_API_KEY")))
domainID, _ := strconv.ParseInt(os.Getenv("WAAP_DOMAIN_ID"), 10, 64)
// Find the policy ID by name
ruleSets, _ := client.Waap.Domains.ListRuleSets(context.Background(), domainID)
var policyID string
for _, rs := range *ruleSets {
if rs.ResourceSlug == "anti-automation-bot-protection" {
for _, p := range rs.Rules {
if p.Name == "Anti-spam" {
policyID = p.ID
}
}
}
}
result, _ := client.Waap.Domains.Policies.Toggle(context.Background(), policyID, waap.DomainPolicyToggleParams{DomainID: domainID})
status := "disabled"
if result.Mode {
status = "enabled"
}
fmt.Printf("Anti-spam is now %s\n", status)
}
# Set POLICY_ID to the policy ID from the Policy reference or View policy states response
export POLICY_ID="{POLICY_ID}"
curl -X PATCH "https://api.cdb-staging.cdn.orange.com/waap/v1/domains/${WAAP_DOMAIN_ID}/policies/${POLICY_ID}/toggle" \
-H "Authorization: APIKey ${GCORE_API_KEY}"
Response:
{"mode": true}
The API returns the updated policy object. mode: true confirms the policy is now enabled; mode: false confirms disabled.