Overview
Use this document to learn about the different WAF-related sanction screens that your visitors may see when they attempt to access your site. The screen that displays depends on the rule that was triggered.
Customers who have upgraded to the Professional or Enterprise package can edit custom sanction screens. See Custom Sanction Screens to learn more.
Types of Sanction Screens
Review the possible sanction screens that your visitors may see:
Screen type | Description |
Block screen | The Block screen displays when your visitor has received a hard block. The screen displays a 403 response code, which denies the visitor access. |
Captcha screen | The Captcha screen displays to verify that a human visitor, and not an automated request, is trying to access your site. Your visitor will need to enter the displayed characters. |
Cross-site request forgery (CSRF) | The CSRF screen displays when a CSRF attack is suspected. CSRF is an attack vector that tricks a web browser into executing an unwanted action in an application that a visitor is logged into. |
DDoS | The DDoS screen displays when another service has white-labeled the StackPath WAF service. |
Enable JavaScript and Cookies | The Enable JavaScript or Enable Cookies screen displays when a visitor has JavaScript or cookies disabled in their browser. The screen will suggest that the visitor enable these features. |
JavaScript Validation | The JavaScript Validation screen displays to verify that a human visitor, and not an automated request, is trying to access your site. Your visitor will not need to perform any action. The screen will display for less than a second. This screen may also display when blocking automated traffic during application-layer DDoS attacks. |
Related Documentation
To learn about the security challenges that may cause your visitors to see a sanction screen, see Troubleshoot Blocked Users.