Web Bot Detection

Last updated: 2024-08-26 15:05:35

Web Bot Detection is a seamless verification policy that improves bot recognition and counter-bot capabilities in web browser scenarios through a JavaScript-based Web SDK. It is suitable for web/H5 pages, including pages loaded online through the built-in browsers of apps and applets.

After this feature is enabled, the cloud security platform automatically references the JS SDK in every HTML page. The JS SDK collects three types of information:

  • Basic browser information: browser language, screen resolution, time zone, etc.
  • Environmental risk information: whether automation tools such as WebDriver are in use on the browser side.
  • User interaction behavior events: keyboard, mouse, and touch screen events. The JS SDK only collects information unrelated to personal privacy and does not collect the specific content entered.
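The following is an added example, not the platform's own SDK, of how a client-side script can gather the first two categories above (it also illustrates the Automated Tool Detection check described under Configuration Instruction). The browser objects are passed in as parameters and the two sample environments are constructed, so the code runs under Node as well as in a browser. The `navigator.webdriver` property is defined by the W3C WebDriver specification, PhantomJS injects `window.callPhantom` and `window._phantom`, and headless Chrome reports `HeadlessChrome` in its user agent; the signal names and the `assess` function are this example's own.

```javascript
// Added example (not the platform's SDK): the kinds of client-side signals
// a bot-detection SDK can gather. Browser objects are passed in as
// parameters so the functions also run under Node with constructed inputs.

// Category 1: basic, non-personal browser information.
function collectBrowserInfo(nav, scr, tzOffsetMinutes) {
  return {
    language: nav.language || null,
    screen: `${scr.width}x${scr.height}`,
    tzOffsetMinutes: tzOffsetMinutes, // new Date().getTimezoneOffset() in a browser
  };
}

// Category 2: environmental risk signals that suggest a known automation tool.
// Each check is a heuristic, so the result is a list of signal names; the
// server-side policy, not this code, decides which action to apply.
function detectAutomationSignals(nav, win) {
  const signals = [];
  // W3C WebDriver: a browser under remote control exposes navigator.webdriver === true.
  if (nav.webdriver === true) signals.push('navigator.webdriver');
  // PhantomJS injected window.callPhantom / window._phantom into every page.
  if (typeof win.callPhantom === 'function' || win._phantom !== undefined) signals.push('phantomjs');
  // Headless Chrome identifies itself in the user agent string.
  if (/HeadlessChrome/.test(nav.userAgent || '')) signals.push('headless-ua');
  return signals;
}

// Constructed sample environments (not captured from real browsers).
const ORDINARY_BROWSER = {
  nav: { language: 'ja-JP', userAgent: 'Mozilla/5.0 (Windows NT 10.0) Chrome/120.0', webdriver: false },
  win: {},
  scr: { width: 1920, height: 1080 },
};
const DRIVEN_BROWSER = {
  nav: { language: 'en-US', userAgent: 'Mozilla/5.0 (X11; Linux x86_64) HeadlessChrome/120.0', webdriver: true },
  win: {},
  scr: { width: 800, height: 600 },
};

// Combine both categories into one report for the server-side policy.
function assess(env) {
  const signals = detectAutomationSignals(env.nav, env.win);
  return {
    info: collectBrowserInfo(env.nav, env.scr, -540), // -540 = UTC+9, constructed
    signals,
    risk: signals.length === 0 ? 'none' : 'automation-suspected',
  };
}

console.log(JSON.stringify(assess(ORDINARY_BROWSER)));
console.log(JSON.stringify(assess(DRIVEN_BROWSER)));
```

Note that none of the collected fields contains typed content or pointer coordinates, which is the privacy boundary the page describes; a real SDK would additionally protect the report in transit so that a client cannot simply forge a clean one.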

The JS SDK embedded by the cloud security platform during the response phase is as follows:

JS                               Cache Duration
/_fec_sbu/hxk_fec_[version].js   30 days

The cookies carried by the cloud security platform during the request phase are as follows:

Cookie   Effective Duration   Applicable Protocol   Secure   HttpOnly
FECW     10 years             HTTPS                          ×
FECN     10 years             HTTP                  ×        ×
FECA     Session              HTTPS                          ×
FECG     Session              HTTP                  ×        ×

In addition, the cloud security platform also adds the following URL token to asynchronous interface requests under this site:

Name   Example
FECU   http://www.example.com/test.html?id=1&FECU=[value]

Configuration Instruction

  • Browser Feature Verification: Basic functionality; it cannot be disabled individually. When Client-based Detection is enabled and the action of Web Bot Detection is not “Not Used”, the platform continuously verifies whether the client supports Cookies and JavaScript. When the action of Web Bot Detection is “Block”, the actual action of this policy is adaptive: for ordinary GET requests that the cloud security platform finds have not passed verification, it adaptively initiates a “Bot Managed Challenge”. Requests that pass the verification are released rather than blocked directly.
  • Automated Tool Detection: After enabling, the client environment is continuously checked to verify whether the request was initiated by a known automation tool (including WebDriver, PhantomJS, etc.). Abnormal requests are handled according to the configured action.
  • Cracking Behavior Detection: After enabling, the platform continuously monitors whether the browser is attempting to crack the core code of the JS SDK. Abnormal requests are handled according to the configured action.
  • Page Anti Debugging: After enabling, the JS SDK will continuously monitor whether the browser side has opened debugging tools and interfere with debugging behavior.
  • Interaction Behavior Verification: After enabling, the user's interaction behavior on the page is continuously detected. Requests that do not reach the minimum number of business interactions are handled according to the configured action. The interaction behavior consists of the number of keyboard, mouse, and touch screen interactions and does not involve specific sensitive user information.
    • Verify Path: The URI whose interaction behavior needs to be verified, e.g. /test?id=1.
    • Minimum Number of Interactions: The minimum value of the sum of keyboard button event count, mouse click event count, and touch screen movement event count on the current page before the request is sent.
    • Matching method: By default the verification URI is fully matched; when this option is selected, the verification URI is matched as a regular expression.
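As an added example that is not the platform's SDK code, the following shows how an Interaction Behavior Verification rule can be modelled on the client side: counting only the event types the page names (keyboard button, mouse click, touch movement), applying a rule with a Verify Path, a Matching method (full match by default, regex when selected) and a Minimum Number of Interactions to an outgoing request, and why an unanchored regex also catches unrelated URIs. The `action` field, the `FakeTarget` event target and the sample activity are constructed for the demo; in a browser `attach(document)` would be used instead.

```javascript
// Added example (not the platform's SDK): counting page interactions and
// applying an Interaction Behavior Verification rule to an outgoing request.

// Only the event type is counted, matching the three categories on the page;
// key values and pointer coordinates are never read.
const COUNTED_EVENTS = { keydown: 'keyboard', click: 'mouse', touchmove: 'touch' };

class InteractionCounter {
  constructor() { this.counts = { keyboard: 0, mouse: 0, touch: 0 }; }
  // target: anything with addEventListener(type, handler), e.g. document.
  attach(target) {
    for (const type of Object.keys(COUNTED_EVENTS)) {
      target.addEventListener(type, () => this.record(type));
    }
    return this;
  }
  record(type) {
    const kind = COUNTED_EVENTS[type];
    if (kind) this.counts[kind] += 1; // mousemove, scroll, etc. are ignored
  }
  // The page's "sum of keyboard, mouse click and touch movement events".
  total() { return this.counts.keyboard + this.counts.mouse + this.counts.touch; }
}

// A rule mirrors the fields on the page: Verify Path, Matching method
// (regex: false = full match, the default), Minimum Number of Interactions,
// plus an action to apply on failure (a constructed field name).
function pathMatches(rule, uri) {
  return rule.regex ? new RegExp(rule.verifyPath).test(uri) : uri === rule.verifyPath;
}

// First matching rule decides; a URI no rule covers is simply not verified.
function evaluateRequest(rules, uri, counter) {
  const n = counter.total();
  const rule = rules.find((r) => pathMatches(r, uri));
  if (!rule) return { verdict: 'not-verified', interactions: n, rule: null };
  return {
    verdict: n >= rule.minInteractions ? 'pass' : rule.action,
    interactions: n,
    rule: rule.verifyPath,
  };
}

// Minimal stand-in for a DOM event target so the demo runs under Node.
class FakeTarget {
  constructor() { this.handlers = {}; }
  addEventListener(type, fn) { (this.handlers[type] = this.handlers[type] || []).push(fn); }
  dispatch(type) { (this.handlers[type] || []).forEach((fn) => fn()); }
}

function demo() {
  const page = new FakeTarget();
  const counter = new InteractionCounter().attach(page);
  // Constructed activity: two key presses, one click, one mouse move (not counted).
  ['keydown', 'keydown', 'click', 'mousemove'].forEach((t) => page.dispatch(t));

  const rules = [{ verifyPath: '/test?id=1', regex: false, minInteractions: 3, action: 'block' }];
  return {
    fullMatch: evaluateRequest(rules, '/test?id=1', counter),     // pass, 3 interactions
    otherPath: evaluateRequest(rules, '/testimonials', counter),  // not-verified
    // Why the Attention section warns about regex rules: an unanchored
    // pattern also matches URIs the rule was never meant to cover.
    looseRegex: pathMatches({ verifyPath: '^/test', regex: true }, '/testimonials'),             // true
    anchoredRegex: pathMatches({ verifyPath: '^/test(\\?.*)?$', regex: true }, '/testimonials'), // false
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The counter lives entirely in the page, so a real deployment must send the count in a form the platform can trust (for example inside the SDK's own signed or encrypted payload); the threshold check shown here is the policy logic, not a tamper-proof transport.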

Attention:

  • When configuring Interaction Behavior Verification, it is recommended that each rule verifies only one URI. If Regex Match is used, sufficient testing is required to avoid matching unexpected URIs.
  • When filling out “HTML Pages without Embedding JS”, the POST and asynchronous interface requests initiated by those pages must be added to “Bypass Traffic from Specific Clients”; otherwise they cannot be verified by Browser Feature Verification. Normally it is not recommended to fill this out; confirm with your technical support expert before doing so.