Overview
StackPath's WAF allows for Tag Based custom rules to sanction requests based on specific tags provided by StackPath. Tag Based rules can be defined via the Portal UI or through an API call.
For more information on how to create a Tag Based rule, please see our Understanding Tag Based Rules article.
Below is a full list of the available Tags, API Slugs and their descriptions.
| Tag Name | API Slug | Description |
| Abnormal Dynamic Requests | abnormaldynamicrequests | This session is making a high number of requests, based on the site's average number of requests. |
| Abnormal Request Volume | abnormalrequestvolume | The traffic from this client is relatively high for this domain. |
| Abnormal Traffic Volume | abnormaltrafficvolume | The traffic from this IP is relatively high for this domain. |
| Abuse.ch | abusech | This malicious client was detected by Abuse.ch |
| Ajax Scraper | ajaxscraper | The number of ajax requests in this session is much higher compared to other sessions on this domain. |
| Anonymized Traffic | anonymizedtraffic | This IP's provisioned traffic has several requests from an unidentified client. |
| Anonymizer Fingerprint | anonymizedfp | This fingerprint belongs to an anonymizer service. |
| Apache Struts | aps | This client attempted to exploit an Apache Struts vulnerability. |
| Authentic User Agent | authenticuseragent | The user agent reported by the client is valid. |
| Automated Client | automatedclient | This client made identical, automated requests to the site's resources. |
| Automated Dynamic Requests | automateddynamicrequests | This client made automated requests to the site's dynamic pages. |
| Automation Driver | automationdriver | This client uses an unidentified headless browser. |
| BlockList.de | blocklistde | This malicious client was detected by BlockList.de. |
| Botnet Client | botnetclient | This IP is part of a botnet network. |
| Browser Based Bot | browserbasedbot | This session attempts to refresh the same page continuously to check for any changes. |
| Brute Force Attempt | bruteforceattempt | This client attempted to forcefully enter a web application's login page. |
| Captcha Farm Bot Fingerprint | captchafarmbotfp | This client's fingerprint failed the captcha challenge multiple times. |
| Captcha Farm Bot Usertag | captchafarmbotut | This usertag's client failed the captcha challenge multiple times. |
| Captcha Validation Failed | captchavalidationfailed | The captcha challenge was completed by a captcha farm, and as a result, the user is not legitimate. |
| CDN | cdn | This range belongs to a content delivery network company. |
| Client Flood | clientflood | There are multiple clients behind this IP that perform requests simultaneously. |
| CMS Scanner | cmsscanner | This client scans web applications to find specific content management system administration or vulnerable pages. |
| Code Injection | cij | This client attempted to inject own code into the web application. |
| Common Web Application | cfg | This client attempted to exploit a common web application vulnerability. |
| Confirmed Automation | confirmedautomation | This client has been confirmed of being automated, based on the client's behavior and the inability to pass WAF sanction screens. |
| Content Scraper | contentscraper | This IP scrapped the content of this site. |
| Cross Site Request Forgery | csrf | This client attempted an attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated. |
| Cross Site Scripting | xss | This client attempted Cross-Site Scripting injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code. |
| DDOS Client | ddosclient | This IP was part of multiple DDOS attacks on this domain. |
| DOM Automation | domautomation | This client uses a document object model automation tool to make requests to this site. |
| Drupal Admin | drupaladmin | This client is the admin of this Drupal site. |
| Dynamic Page Scraper | injectedscraper | The number of dynamic requests in this session is much higher compared to other sessions on this domain. |
| Evasive Client | evasiveclient | This client failed to return a JavaScript fingerprint. |
| Evasive Traffic | evasivetraffic | This IP had multiple sessions that failed to return a JavaScript fingerprint. |
| Exceptionally High Request Volume | exceptionallyhighrequestvolume | This session made a high number of requests, and as a result, was blocked. |
| Fake User-Agent | fakeuseragent | This client has been identified with a user agent that is not compatible with browser properties. |
| Glove Extension | gloveextension | This client installed the Glove extension. |
| Headless Browser | headlessbrowser | This client uses a web browser without a graphical user interface. |
| Headless Browser Fingerprint | headlessbrowserfp | This client has a fingerprint of a headless browser. |
| Hosting Services | hostingservices | This IP belongs to a web hosting company. |
| Identified Automation | identifiedautomation | This client has been identified as being automated, based on the client's behavior. |
| Injection Attack | injectionattack | Multiple injection attempts were detected. |
| Injection Attempt | injectionattempt | Multiple injection attempts were detected. |
| Intensive Traffic from Fingerprint | intensivetrafficfromfp | There is prolonged traffic coming from this fingerprint. |
| Invalid Captcha Validator | invalidcaptchavalidator | The client has completed the captcha challenge automatically. |
| Invalid Cookie | invalidcookie | This client presented invalid StackPath cookies. |
| Invalid Fingerprint | invalidfp | This client's fingerprint is not valid. |
| Invalid User Agents | uag | This client has an invalid user agent, a request header string that lets servers and network peers identify the application, operating system, vendor, and/or version of the client. |
| IP Swapper | ipswapper | This client is switching IPs. |
| Joomla Admin | joomlaadmin | This client is the admin of this Joomla site. |
| Katalon Extension | katalonextension | This client installed the Katalon extension. |
| Known Bot | knownbot | This client is a known bot. |
| Local File Inclusion | lfi | This client attempted tricking the web application into including local files with malicious code. |
| Magento Admin | magentoadmin | This client is the admin for this Magento site. |
| Malicious Crawler | maliciouscrawler | This client violates robots.txt directives. |
| Mechanical Requests | mechanicalrequests | This client makes requests at a steady rate. |
| Modx Admin | modxadmin | This client is the admin of this Modex site. |
| Mouse Device | mousedevice | This client uses a device with a mouse. |
| MOZ Automation Extension | mozautomationextension | This client installed a suspicious extension. |
| Multiple Captcha Validation Fails | multiplecaptchavalidationfails | This client failed the captcha challenge multiple times. |
| Multiple Client Errors | multipleclienterrors | This client received multiple, consecutive 4XX errors. |
| Multiple Concurrent Clients | multipleconcurrentclients | multiple stable sessions are coming from this IP |
| Multiple Consecutive Challenges | multipleconsecutivechallenges | This client did not complete challenges for its multiple consecutive sessions. |
| Multiple Errors | multipleerrors | A session that attempts to map a web application's directory structure. |
| Multiple Failed Challenges | multiplefailedchallenges | This session failed challenges multiple times. |
| Multiple Fake User Agent Sessions | multiplefakeuasessions | This IP had multiple sessions with a user agent that did not match the actual client type. |
| Multiple Forbidden Ajax Requests | multipleforbiddenajaxrequests | This IP was forbidden in multiple, consecutive ajax requests. |
| Multiple Forbidden Requests | multipleforbiddenrequests | This IP was denied access in multiple requests. |
| Multiple Large Sessions | multiplelargesessions | Multiple clients behind this IP have a high number of requests. |
| Multiple No Event Sessions | multiplenoeventsessions | This client had multiple sessions with no UI events. |
| Multiple Refreshed Pages | multiplerefreshedpages | This client refreshed the same URL multiple times consecutively. |
| Multiple Repeated Violations | multiplerepeatedviolations | This client repeatedly failed to complete challenges, and as a result, was confirmed to be automated. |
| No Browser Ajax Calls | nobrowserajaxcalls | This client made requests to ajax URLs without a browser. |
| No Plugins Fingerprint | nopluginsfp | This client's fingerprint indicates that the client browser does not have a plugin installed. |
| No UI Events | nouievents | This client did not create UI events. |
| Non Scriptable Client | nonscriptableclient | This client does not have a JavaScript engine. |
| Not Unique Fingerprint | fpnotunique | There is a high probability that this fingerprint represents multiple clients. |
| Open Redirect | ord | An Open Redirect attack has been detected. An Open Redirect attacks happen when an attacker manipulates URL queries to redirect users offsite. |
| Personal Identifiable Information | pii | An exposure of personally identifiable information was detected. |
| Phantomjs | phantomjs | This client uses Phantomjs, a scripted, headless browser used for automating web page interaction. |
| PimCore Admin | pimcoreadmin | The PimCore cookie for logged-in admin users was detected. |
| Prolonged Ajax Traffic | prolongedajaxtraffic | The ajax requests from this IP continued for a long time. |
| Prolonged API Traffic | prolongedapitraffic | The API requests from this IP continued for a long time. |
| Prolonged Dynamic Traffic | prolongedinjectedtraffic | The dynamic requests from this IP continued for a long time. |
| Prolonged Not Injected Traffic | prolongednotinjectedtraffic | The requests from this IP continued for a long time. |
| Protocol Attack | rhi | A Protocol Attack was detected. |
| Proxy Network | proxynetwork | This IP is part of the anonymizer proxy network. |
| Rapid Requests | rapidbehaviour | This client made multiple fast requests in one or multiple sessions. |
| Remote File Inclusion | rfi | This client attempted tricking the web application into including remote files with malicious code. |
| Request Maker Extension | requestmakerextension | This client installed the Request Maker extension. |
| Scanner | scanner | A client that scans web applications. |
| Selenium | selenium | This client uses Selenium, a portable software-testing framework for web applications. |
| Selenium Extension | seleniumextension | This client installed the Selenium extension. |
| Sensitive Data Exposure | sde | An exposure of sensitive data was detected. |
| Session via Multiple Countries | multiplecountries | This client changed their country of origin multiple times in this session. |
| Sessionless Client | sessionlessclient | This client does not maintain a session. |
| Shell Injection | shi | A shell (command) injection attack was detected. |
| ShellShock Attack | shs | This client attempted a ShellShock vulnerability, which in Bash allows remote code execution without confirmation. |
| Sideex Extension | sideexextension | This client installed the Sidexx extension. |
| Site Mapper | sitemapper | This client attempts to map a web application's directory structure. |
| SP Honeypot Scanner | baitscanner | This IP was detected scanning random servers. |
| Spam Bot | spambot | This IP's client uses automation to generate multiple POST events that are suspected of being spam. |
| Spam Client | spamclient | This client made multiple consecutive POST requests with no referrer header. |
| Spamhaus | spamhaus | This malicious client was detected by Spamhaus. |
| SQL Injection | sql | This client attempted insertion or “injection” of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data, etc. |
| Static Scraper | staticscraper | The number of static requests in this session is much higher compared to other sessions on this domain. |
| Stop Forum Spam | stopforumspam | This malicious client was detected by Stop Forum Spam. |
| Suspected Automation | suspectedautomation | This traffic is suspected of being automated, based on the traffic's behavior. |
| Suspected Automation Fingerprint | suspiciousfp | This fingerprint belongs to a suspicious client. |
| Suspected Automation User Tag | suspiciousut | This user tag belongs to a suspicious client. |
| Suspected Proxy Network | suspectedproxynetwork | This IP is suspected of being part of a proxy network. |
| Suspicious Local IP | suspiciouslocalip | This session is making a high number of web page requests. |
| Suspicious Scraper | notinjectedscraper | The number of suspicious requests in this session is much higher compared to other sessions on this domain. |
| Thousand Eyes Extension | thousandeyesextension | This client installed the Thousand Eyes extension. |
| TOR Network | tor | This client is part of a TOR anonymizer network. |
| Touch Device | touchdevice | This client uses a touch device. |
| UI Events Detected | uieventdetected | This client created UI events. |
| UI Events Pause | uieventspause | This client stopped creating UI events. |
| Unique Fingerprint | fpunique | There is a high probability that this fingerprint represents a single client. |
| Unverified Anonymized Fingerprint | unverifiedanonymizedfp | This fingerprint is suspected of being part of a VPN / proxy network. |
| Verified Headless Browser | verifiedheadlessbrowser | This client has been verified as a headless browser. |
| Visit Multiple Domains | visitmultipledomains | This client has visited a high number of StackPath domains. |
| VPN Network | vpnnetwork | This IP is part of a VPN network service. |
| Vulnerability Scanner | vulnerabilityscanner | A client that scans web applications for vulnerabilities. |
| Vulnerable Resource | vuln | An attempt to access a vulnerable resource was detected. |
| Web Shell | wbs | This client attempted to upload a web shell. A shell-like interface that enables a web server to be remotely accessed, often for the purposes of cyber attacks. |
| Webdriver | webdriver | This client is controlled by automated tools. |
| Wordpress Admin | wordpressadmin | This client is the admin of this WordPress site. |
| WordPress Admin Detection | wad | A WordPress admin dashboard was detected. |
| WordPress Vulnerability | wps | This client attempted to exploit a vulnerability related to the WordPress CMS. |
| XML External Entity | xxe | An XML external entity attack was detected. This attack may lead to the disclosure of confidential data, denial of service, server side request forgery, and other system impacts. |