Get Bot management tag via HTTP Headers of origin-pull requests

Function Overview
When the Bot management feature of EdgeOne is enabled, the platform will automatically append an HTTP request header EO-Bot-Tag to origin requests, containing the Bot label identification results of the requesting client, assisting the origin site in log analysis and security policy linkage.
Note:
After subscribing to Bot management, this feature will be enabled by default.
Application Scenarios
Enhanced Logging: Directly record Bot identification information into the origin site logs for subsequent analysis and tracing.
Risk Level Control: The origin site can dynamically adjust interception, rate limiting, and recording strategies based on tag content.
Attack Situation Recognition: Comprehensive Bot, fingerprint, and behavior labels assist the origin site in client profiling and threat assessment.
Request Header Description
Header Name
EO-Bot-Tag: If the original request already contains the EO-Bot-Tag header, EdgeOne will automatically overwrite it.
Transmission Format
Single JSON Object: The structure is uniformly a JSON object containing multiple key-value pair fields.
Tag Field Definition
Field Name
Type
Example
Description
bot type
string
"Unknown Bot", "Tool"
The type of crawler or tool recognized by the UA feature rules under the Bot Management module Basic Feature Management.
bot name
string
"GoogleBot", "cURL"
The name of the crawler or tool recognized by the UA feature rules under the Bot Management module Basic Feature Management.
botnetID
string (hash)
"f0cd7aee88e2b81bca1a063cd1154f02"
The hash of the detected Botnet fingerprint.
JA3 signature
string (hash)
"f436b9416f37d134cabc04886327d3e8" or ""
JA3 fingerprint (a hash fingerprint calculated based on TLS handshake behavior) (When the request is of HTTP protocol, the communication does not include the TLS protocol, and the JA3 fingerprint is an empty string).
applied action
string
"monitor" or "trans"
The action taken by EdgeOne’s Web Security feature on the request. Requests that do not hit any security rules will be marked as trans.
category
object
{"client_reputation":[{"type":"bot","credibility":"medium"}]} or {"idc":{"name": "pccw.com"}}
The crawler risk classification information recognized by the Client Reputation Analysis, IDC Rules, or Search Engine Rules features in the Bot Management module: 1. The parameter name is the feature name where the crawler risk information was identified. 2. The parameter value contains multiple fields: - type field: crawler risk classification - credibility field: risk assessment credibility
behavior
string
"evil_bot", "suspect_bot", "normal"
The crawler behavior risk label identified by the Bot Intelligent Analysis function in the Bot Management module.
Applied action Field Values
Value
Description
monitor
Observation mode, records but does not intervene
delay
Responds after a short delay
slow
Responds after a significant delay
allow
Directly allowed
Behavior Field Values
Value
Description
evil_bot
Malicious Bot
suspect_bot
Suspicious Bot
normal
Normal Traffic
Examples
Example 1: Common Bot Tool Request
EO-Bot-Tag: {
  "bot type": "Tool",
  "bot name": "cURL",
  "botnetID": "d0b8e949bdd3475fec4cd41081577958",
  "JA3 signature": "f436b9416f37d134cadd04886327d3e8",
  "applied action": "monitor",
  "category": {
    "idc": {
      "name": "pccw.com"
    }
  },
  "behavior": "evil_bot"
}
Example 2: Suspicious Client Request
EO-Bot-Tag: {
  "bot type": "Unknown Bot",
  "botnetID": "f0cd7aee88e2b814ba1a063cd1154f02",
  "JA3 signature": "",
  "applied action": "monitor",
  "category": {
    "client_reputation": [
      {
        "type": "bot",
        "credibility": "medium"
      }
    ]
  },
  "behavior": "suspect_bot"
}
Notes
The EO-Bot-Tag header should only be added to requests where the Bot management feature is enabled.
The order of fields within the JSON object has no fixed requirements; the origin site should parse based on field names.
The category field may contain various sources (such as idc, client_reputation, etc.), and its internal structure may be nested arrays or objects.
The JA3 signature field will always exist, even if it has no value, its content will be an empty string.
﻿

Field Name	Type	Example	Description
bot type	string	"Unknown Bot", "Tool"	The type of crawler or tool recognized by the UA feature rules under the Bot Management module Basic Feature Management.
bot name	string	"GoogleBot", "cURL"	The name of the crawler or tool recognized by the UA feature rules under the Bot Management module Basic Feature Management.
botnetID	string (hash)	"f0cd7aee88e2b81bca1a063cd1154f02"	The hash of the detected Botnet fingerprint.
JA3 signature	string (hash)	"f436b9416f37d134cabc04886327d3e8" or ""	JA3 fingerprint (a hash fingerprint calculated based on TLS handshake behavior) (When the request is of HTTP protocol, the communication does not include the TLS protocol, and the JA3 fingerprint is an empty string).
applied action	string	"monitor" or "trans"	The action taken by EdgeOne’s Web Security feature on the request. Requests that do not hit any security rules will be marked as trans.
category	object	{"client_reputation":[{"type":"bot","credibility":"medium"}]} or {"idc":{"name": "pccw.com"}}	The crawler risk classification information recognized by the Client Reputation Analysis, IDC Rules, or Search Engine Rules features in the Bot Management module: 1. The parameter name is the feature name where the crawler risk information was identified. 2. The parameter value contains multiple fields: - type field: crawler risk classification - credibility field: risk assessment credibility
behavior	string	`"evil_bot"`, `"suspect_bot"`, `"normal"`	The crawler behavior risk label identified by the Bot Intelligent Analysis function in the Bot Management module.

Value	Description
monitor	Observation mode, records but does not intervene
delay	Responds after a short delay
slow	Responds after a significant delay
allow	Directly allowed

Value	Description
evil_bot	Malicious Bot
suspect_bot	Suspicious Bot
normal	Normal Traffic