Get Bot management tag via HTTP Headers of origin-pull requests
Function Overview
When the Bot management feature of EdgeOne is enabled, the platform will automatically append an HTTP request header
EO-Bot-Tag
to origin requests, containing the Bot label identification results of the requesting client, assisting the origin site in log analysis and security policy linkage.Note:
After subscribing to Bot management, this feature will be enabled by default.
Application Scenarios
Enhanced Logging: Directly record Bot identification information into the origin site logs for subsequent analysis and tracing.
Risk Level Control: The origin site can dynamically adjust interception, rate limiting, and recording strategies based on tag content.
Attack Situation Recognition: Comprehensive Bot, fingerprint, and behavior labels assist the origin site in client profiling and threat assessment.
Request Header Description
Header Name
EO-Bot-Tag: If the original request already contains the
EO-Bot-Tag
header, EdgeOne will automatically overwrite it.Transmission Format
Single JSON Object: The structure is uniformly a JSON object containing multiple key-value pair fields.
Tag Field Definition
Field Name | Type | Example | Description |
bot type | string | "Unknown Bot", "Tool" | The type of crawler or tool recognized by the UA feature rules under the Bot Management module Basic Feature Management. |
bot name | string | "GoogleBot", "cURL" | The name of the crawler or tool recognized by the UA feature rules under the Bot Management module Basic Feature Management. |
botnetID | string (hash) | "f0cd7aee88e2b81bca1a063cd1154f02" | The hash of the detected Botnet fingerprint. |
JA3 signature | string (hash) | "f436b9416f37d134cabc04886327d3e8" or "" | JA3 fingerprint (a hash fingerprint calculated based on TLS handshake behavior) (When the request is of HTTP protocol, the communication does not include the TLS protocol, and the JA3 fingerprint is an empty string). |
applied action | string | "monitor" or "trans" | The action taken by EdgeOne’s Web Security feature on the request. Requests that do not hit any security rules will be marked as trans. |
category | object | {"client_reputation":[{"type":"bot","credibility":"medium"}]} or {"idc":{"name": "pccw.com"}} | The crawler risk classification information recognized by the Client Reputation Analysis, IDC Rules, or Search Engine Rules features in the Bot Management module: 1. The parameter name is the feature name where the crawler risk information was identified. 2. The parameter value contains multiple fields: - type field: crawler risk classification - credibility field: risk assessment credibility |
behavior | string | "evil_bot" , "suspect_bot" , "normal" | The crawler behavior risk label identified by the Bot Intelligent Analysis function in the Bot Management module. |
Applied action Field Values
Value | Description |
monitor | Observation mode, records but does not intervene |
delay | Responds after a short delay |
slow | Responds after a significant delay |
allow | Directly allowed |
Behavior Field Values
Value | Description |
evil_bot | Malicious Bot |
suspect_bot | Suspicious Bot |
normal | Normal Traffic |
Examples
Example 1: Common Bot Tool Request
EO-Bot-Tag: {"bot type": "Tool","bot name": "cURL","botnetID": "d0b8e949bdd3475fec4cd41081577958","JA3 signature": "f436b9416f37d134cadd04886327d3e8","applied action": "monitor","category": {"idc": {"name": "pccw.com"}},"behavior": "evil_bot"}
Example 2: Suspicious Client Request
EO-Bot-Tag: {"bot type": "Unknown Bot","botnetID": "f0cd7aee88e2b814ba1a063cd1154f02","JA3 signature": "","applied action": "monitor","category": {"client_reputation": [{"type": "bot","credibility": "medium"}]},"behavior": "suspect_bot"}
Notes
The
EO-Bot-Tag
header should only be added to requests where the Bot management feature is enabled.The order of fields within the JSON object has no fixed requirements; the origin site should parse based on field names.
The
category
field may contain various sources (such as idc
, client_reputation
, etc.), and its internal structure may be nested arrays or objects.The
JA3 signature
field will always exist, even if it has no value, its content will be an empty string.