StackPath's WAF allows for Tag Based custom rules to sanction requests based on specific tags provided by StackPath. Tag Based rules can be defined via the Portal UI or through an API call.
For more information on how to create a Tag Based rule, please see our Understanding Tag Based Rules article.
Below is a full list of the available Tags, API Slugs and their descriptions.
|Abnormal Dynamic Requests
|This session is making a high number of requests, based on the site's average number of requests.
|Abnormal Request Volume
|The traffic from this client is relatively high for this domain.
|Abnormal Traffic Volume
|The traffic from this IP is relatively high for this domain.
|This malicious client was detected by Abuse.ch
|The number of ajax requests in this session is much higher compared to other sessions on this domain.
|This IP's provisioned traffic has several requests from an unidentified client.
|This fingerprint belongs to an anonymizer service.
|This client attempted to exploit an Apache Struts vulnerability.
|Authentic User Agent
|The user agent reported by the client is valid.
|This client made identical, automated requests to the site's resources.
|Automated Dynamic Requests
|This client made automated requests to the site's dynamic pages.
|This client uses an unidentified headless browser.
|This malicious client was detected by BlockList.de.
|This IP is part of a botnet network.
|Browser Based Bot
|This session attempts to refresh the same page continuously to check for any changes.
|Brute Force Attempt
|This client attempted to forcefully enter a web application's login page.
|Captcha Farm Bot Fingerprint
|This client's fingerprint failed the captcha challenge multiple times.
|Captcha Farm Bot Usertag
|This usertag's client failed the captcha challenge multiple times.
|Captcha Validation Failed
|The captcha challenge was completed by a captcha farm, and as a result, the user is not legitimate.
|This range belongs to a content delivery network company.
|There are multiple clients behind this IP that perform requests simultaneously.
|This client scans web applications to find specific content management system administration or vulnerable pages.
|This client attempted to inject own code into the web application.
|Common Web Application
|This client attempted to exploit a common web application vulnerability.
|This client has been confirmed of being automated, based on the client's behavior and the inability to pass WAF sanction screens.
|This IP scrapped the content of this site.
|Cross Site Request Forgery
|This client attempted an attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated.
|Cross Site Scripting
|This client attempted Cross-Site Scripting injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code.
|This IP was part of multiple DDOS attacks on this domain.
|This client uses a document object model automation tool to make requests to this site.
|This client is the admin of this Drupal site.
|Dynamic Page Scraper
|The number of dynamic requests in this session is much higher compared to other sessions on this domain.
|Exceptionally High Request Volume
|This session made a high number of requests, and as a result, was blocked.
|This client has been identified with a user agent that is not compatible with browser properties.
|This client installed the Glove extension.
|This client uses a web browser without a graphical user interface.
|Headless Browser Fingerprint
|This client has a fingerprint of a headless browser.
|This IP belongs to a web hosting company.
|This client has been identified as being automated, based on the client's behavior.
|Multiple injection attempts were detected.
|Multiple injection attempts were detected.
|Intensive Traffic from Fingerprint
|There is prolonged traffic coming from this fingerprint.
|Invalid Captcha Validator
|The client has completed the captcha challenge automatically.
|This client presented invalid StackPath cookies.
|This client's fingerprint is not valid.
|Invalid User Agents
|This client has an invalid user agent, a request header string that lets servers and network peers identify the application, operating system, vendor, and/or version of the client.
|This client is switching IPs.
|This client is the admin of this Joomla site.
|This client installed the Katalon extension.
|This client is a known bot.
|Local File Inclusion
|This client attempted tricking the web application into including local files with malicious code.
|This client is the admin for this Magento site.
|This client violates robots.txt directives.
|This client makes requests at a steady rate.
|This client is the admin of this Modex site.
|This client uses a device with a mouse.
|MOZ Automation Extension
|This client installed a suspicious extension.
|Multiple Captcha Validation Fails
|This client failed the captcha challenge multiple times.
|Multiple Client Errors
|This client received multiple, consecutive 4XX errors.
|Multiple Concurrent Clients
|multiple stable sessions are coming from this IP
|Multiple Consecutive Challenges
|This client did not complete challenges for its multiple consecutive sessions.
|A session that attempts to map a web application's directory structure.
|Multiple Failed Challenges
|This session failed challenges multiple times.
|Multiple Fake User Agent Sessions
|This IP had multiple sessions with a user agent that did not match the actual client type.
|Multiple Forbidden Ajax Requests
|This IP was forbidden in multiple, consecutive ajax requests.
|Multiple Forbidden Requests
|This IP was denied access in multiple requests.
|Multiple Large Sessions
|Multiple clients behind this IP have a high number of requests.
|Multiple No Event Sessions
|This client had multiple sessions with no UI events.
|Multiple Refreshed Pages
|This client refreshed the same URL multiple times consecutively.
|Multiple Repeated Violations
|This client repeatedly failed to complete challenges, and as a result, was confirmed to be automated.
|No Browser Ajax Calls
|This client made requests to ajax URLs without a browser.
|No Plugins Fingerprint
|This client's fingerprint indicates that the client browser does not have a plugin installed.
|No UI Events
|This client did not create UI events.
|Non Scriptable Client
|Not Unique Fingerprint
|There is a high probability that this fingerprint represents multiple clients.
|An Open Redirect attack has been detected. An Open Redirect attacks happen when an attacker manipulates URL queries to redirect users offsite.
|Personal Identifiable Information
|An exposure of personally identifiable information was detected.
|This client uses Phantomjs, a scripted, headless browser used for automating web page interaction.
|The PimCore cookie for logged-in admin users was detected.
|Prolonged Ajax Traffic
|The ajax requests from this IP continued for a long time.
|Prolonged API Traffic
|The API requests from this IP continued for a long time.
|Prolonged Dynamic Traffic
|The dynamic requests from this IP continued for a long time.
|Prolonged Not Injected Traffic
|The requests from this IP continued for a long time.
|A Protocol Attack was detected.
|This IP is part of the anonymizer proxy network.
|This client made multiple fast requests in one or multiple sessions.
|Remote File Inclusion
|This client attempted tricking the web application into including remote files with malicious code.
|Request Maker Extension
|This client installed the Request Maker extension.
|A client that scans web applications.
|This client uses Selenium, a portable software-testing framework for web applications.
|This client installed the Selenium extension.
|Sensitive Data Exposure
|An exposure of sensitive data was detected.
|Session via Multiple Countries
|This client changed their country of origin multiple times in this session.
|This client does not maintain a session.
|A shell (command) injection attack was detected.
|This client attempted a ShellShock vulnerability, which in Bash allows remote code execution without confirmation.
|This client installed the Sidexx extension.
|This client attempts to map a web application's directory structure.
|SP Honeypot Scanner
|This IP was detected scanning random servers.
|This IP's client uses automation to generate multiple POST events that are suspected of being spam.
|This client made multiple consecutive POST requests with no referrer header.
|This malicious client was detected by Spamhaus.
|This client attempted insertion or “injection” of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data, etc.
|The number of static requests in this session is much higher compared to other sessions on this domain.
|Stop Forum Spam
|This malicious client was detected by Stop Forum Spam.
|This traffic is suspected of being automated, based on the traffic's behavior.
|Suspected Automation Fingerprint
|This fingerprint belongs to a suspicious client.
|Suspected Automation User Tag
|This user tag belongs to a suspicious client.
|Suspected Proxy Network
|This IP is suspected of being part of a proxy network.
|Suspicious Local IP
|This session is making a high number of web page requests.
|The number of suspicious requests in this session is much higher compared to other sessions on this domain.
|Thousand Eyes Extension
|This client installed the Thousand Eyes extension.
|This client is part of a TOR anonymizer network.
|This client uses a touch device.
|UI Events Detected
|This client created UI events.
|UI Events Pause
|This client stopped creating UI events.
|There is a high probability that this fingerprint represents a single client.
|Unverified Anonymized Fingerprint
|This fingerprint is suspected of being part of a VPN / proxy network.
|Verified Headless Browser
|This client has been verified as a headless browser.
|Visit Multiple Domains
|This client has visited a high number of StackPath domains.
|This IP is part of a VPN network service.
|A client that scans web applications for vulnerabilities.
|An attempt to access a vulnerable resource was detected.
|This client attempted to upload a web shell. A shell-like interface that enables a web server to be remotely accessed, often for the purposes of cyber attacks.
|This client is controlled by automated tools.
|This client is the admin of this WordPress site.
|WordPress Admin Detection
|A WordPress admin dashboard was detected.
|This client attempted to exploit a vulnerability related to the WordPress CMS.
|XML External Entity
|An XML external entity attack was detected. This attack may lead to the disclosure of confidential data, denial of service, server side request forgery, and other system impacts.