Get Bot management tag via HTTP Headers of origin-pull requests

Function Overview

When the Bot management feature of EdgeOne is enabled, the platform will automatically append an HTTP request header EO-Bot-Tag to origin requests, containing the Bot label identification results of the requesting client, assisting the origin site in log analysis and security policy linkage.
Note:
After subscribing to Bot management, this feature will be enabled by default.

Application Scenarios

Enhanced Logging: Directly record Bot identification information into the origin site logs for subsequent analysis and tracing.
Risk Level Control: The origin site can dynamically adjust interception, rate limiting, and recording strategies based on tag content.
Attack Situation Recognition: Comprehensive Bot, fingerprint, and behavior labels assist the origin site in client profiling and threat assessment.

Request Header Description

Header Name

EO-Bot-Tag: If the original request already contains the EO-Bot-Tag header, EdgeOne will automatically overwrite it.

Transmission Format

Single JSON Object: The structure is uniformly a JSON object containing multiple key-value pair fields.

Tag Field Definition

Field Name
Type
Example
Description
bot type
string
"Unknown Bot", "Tool"
The type of crawler or tool recognized by the UA feature rules under the Bot Management module Basic Feature Management.
bot name
string
"GoogleBot", "cURL"
The name of the crawler or tool recognized by the UA feature rules under the Bot Management module Basic Feature Management.
botnetID
string (hash)
"f0cd7aee88e2b81bca1a063cd1154f02"
The hash of the detected Botnet fingerprint.
JA3 signature
string (hash)
"f436b9416f37d134cabc04886327d3e8" or ""
JA3 fingerprint (a hash fingerprint calculated based on TLS handshake behavior) (When the request is of HTTP protocol, the communication does not include the TLS protocol, and the JA3 fingerprint is an empty string).
applied action
string
"monitor" or "trans"
The action taken by EdgeOne’s Web Security feature on the request. Requests that do not hit any security rules will be marked as trans.
category
object
{"client_reputation":[{"type":"bot","credibility":"medium"}]} or {"idc":{"name": "pccw.com"}}
The crawler risk classification information recognized by the Client Reputation Analysis, IDC Rules, or Search Engine Rules features in the Bot Management module: 1. The parameter name is the feature name where the crawler risk information was identified. 2. The parameter value contains multiple fields: - type field: crawler risk classification - credibility field: risk assessment credibility
behavior
string
"evil_bot", "suspect_bot", "normal"
The crawler behavior risk label identified by the Bot Intelligent Analysis function in the Bot Management module.

Applied action Field Values

Value
Description
monitor
Observation mode, records but does not intervene
delay
Responds after a short delay
slow
Responds after a significant delay
allow
Directly allowed

Behavior Field Values

Value
Description
evil_bot
Malicious Bot
suspect_bot
Suspicious Bot
normal
Normal Traffic

Examples

Example 1: Common Bot Tool Request

EO-Bot-Tag: {
"bot type": "Tool",
"bot name": "cURL",
"botnetID": "d0b8e949bdd3475fec4cd41081577958",
"JA3 signature": "f436b9416f37d134cadd04886327d3e8",
"applied action": "monitor",
"category": {
"idc": {
"name": "pccw.com"
}
},
"behavior": "evil_bot"
}

Example 2: Suspicious Client Request

EO-Bot-Tag: {
"bot type": "Unknown Bot",
"botnetID": "f0cd7aee88e2b814ba1a063cd1154f02",
"JA3 signature": "",
"applied action": "monitor",
"category": {
"client_reputation": [
{
"type": "bot",
"credibility": "medium"
}
]
},
"behavior": "suspect_bot"
}

Notes

The EO-Bot-Tag header should only be added to requests where the Bot management feature is enabled.
The order of fields within the JSON object has no fixed requirements; the origin site should parse based on field names.
The category field may contain various sources (such as idc, client_reputation, etc.), and its internal structure may be nested arrays or objects.
The JA3 signature field will always exist, even if it has no value, its content will be an empty string.