Bot Management

Bot Management enables you to mitigate undesired bot traffic from your site using CAPTCHA and JavaScript detection tools, while enabling known published bot providers to bypass these controls.

Non-human traffic makes up most of the traffic to sites. Bot Manager is designed to detect and block, or otherwise direct, non-human traffic that may interfere with site operations. The Bot Manager features mitigate bots that conduct content and price scraping, vulnerability scanning, comment spam, brute force attacks, and application-layer DDoS attacks. You can also whitelist good bots.


When you enable Bot Management, you incur a higher rate on requests to the WAF.

JavaScript Challenge

JavaScript Challenge makes a binary decision: it validates whether the client can accept JavaScript. It is generally the first level of bot mitigation, but it is not sufficient against more advanced bot tools, which require more advanced challenges. Additional functionality, like detecting Network Address Translation (NAT) traffic, can mitigate the risk of blocking legitimate traffic from users behind a shared IP address.

The Action Threshold parameter defines the number of requests that fail the challenge before the action is taken. Failed requests under this threshold are not logged. For example, if you set the JavaScript challenge action to Block and the Action Threshold to 10, and a client that doesn't accept JavaScript makes 11 requests within the Action Expire Time, the first 10 requests will be allowed through to origin (assuming there are no other rules) and logs will show one Block action entry for the JavaScript Challenge.
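The following added example (not part of the product or its documentation) models the threshold behaviour described above, so you can see how many failed-challenge requests reach origin without a log entry for a given setting. The function names, the sample traffic, and the treatment of Action Expire Time as a sliding window over failed requests are assumptions made for illustration.

```python
from collections import defaultdict, deque

def simulate_js_challenge(requests, action_threshold, action_expire_time, action="BLOCK"):
    """Model the Action Threshold behaviour described above.

    requests: list of (timestamp_seconds, client_ip, passed_challenge).
    Returns (decisions, log). decisions holds one entry per request;
    log holds only the requests on which the action was taken.
    """
    failures = defaultdict(deque)  # client_ip -> timestamps of recent failures
    decisions, log = [], []
    for ts, client_ip, passed in requests:
        if passed:
            decisions.append((ts, client_ip, "ALLOW"))
            continue
        window = failures[client_ip]
        # Assumption: failures older than Action Expire Time stop counting.
        while window and ts - window[0] >= action_expire_time:
            window.popleft()
        window.append(ts)
        if len(window) > action_threshold:
            decisions.append((ts, client_ip, action))
            log.append((ts, client_ip, action))
        else:
            # Under the threshold: forwarded to origin and not logged.
            decisions.append((ts, client_ip, "ALLOW"))
    return decisions, log

def unlogged_failures(requests, decisions):
    """Failed-challenge requests that reached origin without a log entry."""
    return [d for r, d in zip(requests, decisions) if not r[2] and d[2] == "ALLOW"]

# Constructed sample traffic (documentation-range addresses):
# one client that never runs JavaScript, one browser that passes.
SAMPLE = [(t, "203.0.113.7", False) for t in range(11)]
SAMPLE += [(t, "198.51.100.9", True) for t in range(3)]

if __name__ == "__main__":
    decisions, log = simulate_js_challenge(SAMPLE, action_threshold=10, action_expire_time=60)
    print("log entries:", log)
    print("failed requests that reached origin:", len(unlogged_failures(SAMPLE, decisions)))
```

With the values from the example above (threshold 10, 11 failing requests), the model produces a single Block log entry and ten failed requests that were served by origin, which is why origin access logs are the place to look for that earlier traffic.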

Human Interaction Challenge

Human Interaction Challenge is an advanced countermeasure that looks for natural human interactions such as mouse movements, time on site, and page scrolling to identify bots. When an edge server receives requests from a client, instead of instantly responding with the requested content, the human interaction challenge checks various event listeners in the user's browser to determine whether a human user is making the request.

Device Fingerprint Challenge

The device fingerprint challenge generates hashed signatures of both virtual and real browsers to identify and block malicious bots.

CAPTCHA Challenge

If a specific URL should be accessed only by a human, you can control it with CAPTCHA protection. You can customize the comments for the CAPTCHA Challenge for each URL. Bots are kept from accessing protected web application functionality using CAPTCHA images designed to be out of reach of computer vision and OCR technologies.

Good Bot Whitelist

Good Bots provides the list of bots managed by known providers, such as Baidu or Google. You can allow access from a specific good bot, or block the bot if it serves no business purpose. Good bots allowed from this section are whitelisted.

Whitelisted bots are flagged with a Bypass action in the WAF policy Logs. You can select the Bypass check box from the Action filter in Logs to search for the traffic allowed from these rules. Logged good bot events are categorized as a Threat Intelligence Leads log type; however, they are not a threat when the action taken is to Bypass.

The list of good bots on this menu is managed and continuously updated. Additional good bots can be added as a new access control rule in Access Control.

Using the Console

To configure JavaScript Challenge settings
To edit JavaScript Challenge settings
To configure Human Interaction Challenge settings
To edit Human Interaction Challenge settings
To configure Device Fingerprint Challenge settings
To edit Device Fingerprint Challenge settings
To add a CAPTCHA Challenge
To edit a CAPTCHA Challenge
To delete a CAPTCHA Challenge
To manage the Good Bot Whitelist
To publish changes
To discard changes

Using the CLI

You can use the CLI to enable rate limiting, device fingerprinting, and human interaction challenges.

To enable rate limiting
To enable device fingerprinting to detect
To enable the human interaction challenge to detect

Using the API

For information about using the API and signing requests, see REST APIs and Security Credentials. For information about SDKs, see Software Development Kits and Command Line Interface.