Personal dashboard: Bot protection → Signatures

Note

In the default configuration, this section of the personal dashboard is available only to users in the Administrative and Technical groups. Editing the settings is available only to users in the Technical group.

In the Bot protection → Signatures section of the Qrator Labs personal dashboard, you can manage signatures designed to verify requests from mobile applications to the API. How this protection works is described in the section Mobile API protection using hash.

View the list of signatures

To view the list of signatures configured for a domain or service:

  1. Select the desired domain in the Domains section or the service in the Services section.

  2. Select the menu item Bot protection → Signatures.

The signatures are displayed in a table with the following columns:

  • Status — signature status:

    • — the signature is enabled, requests with this signature are allowed.
    • — the signature is disabled, requests with this signature are prohibited.
  • Comment — short description of the signature.

  • Revoked versions — outdated versions of the mobile application, requests from which are prohibited.

Enable signature verification

To allow requests from users providing a signature instead of a tracking cookie:

  1. Select the desired domain in the Domains section or the service in the Services section.

  2. Select the menu item Bot protection → Signatures.

  3. At the top of the page, activate the Enabled option.

  4. To save the changes, click Save in the notification at the bottom of the screen.

    The changes will be applied within 5–7 minutes.

Disable signature verification

To prohibit requests from users providing a signature instead of a tracking cookie:

  1. Select the desired domain in the Domains section or the service in the Services section.

  2. Select the menu item Bot protection → Signatures.

  3. At the top of the page, deactivate the Enabled option.

  4. To save the changes, click Save in the notification at the bottom of the screen.

    The changes will be applied within 5–7 minutes.

Add a signature

  1. Select the desired domain in the Domains section or the service in the Services section.

  2. Select the menu item Bot protection → Signatures.

  3. Click the button Add signature.

  4. In the dialog that opens, fill in the fields:

    • Enable — if this option is disabled, requests with this signature will be prohibited.

    • Application version signature key settings:

      • App version header — the name of the header in which the mobile application must transmit data about its version.

      • Secret key — the key that is used to calculate the value of the salt.

      • Salt method — salt value calculation method:

        • md5_lowercase — MD5 hash represented as a lowercase string.
        • md5_uppercase — MD5 hash represented as an uppercase string.

        In both cases, the hash is calculated from the string formed by concatenating the Private key and the value of the Version header.

      • Revoked versions — prohibited values of the Version header.

        You can specify up to 200 revoked versions. A request with any of these versions will be considered unsigned, and its processing will be done according to the standard locations-based algorithm.

    • Signature mechanism settings:

      • Hash Header — the name of the header in which the mobile application must transmit the signature of the request.

      • Value method — the method of forming the string from which the hash is calculated.

        • salt_schema_host_uri_timestamp — hash from a string including salt, full URI and timestamp.
        • salt_schema_host_path_timestamp — hash from a string including salt, URI without the GET query string, and a timestamp.

        Additional values can be added to the string, see the field Additional headers below.

      • Hash method — signature calculation method:

        • md5_lowercase — MD5 hash, represented as a lowercase string.
        • md5_uppercase — MD5 hash, represented as an uppercase string.
      • Additional headers — the names of the headers whose values will be added to the string from which the hash will be calculated.

        The values will be added in the order specified in this field.

    • Settings of the signature validity time interval:

      • Timestamp header — the name of the header in which the mobile application must transmit the time the request was sent.

      • Timestamp format — the field that affects the time transmission format and the way it is checked:

        • unix_msec — the header must contain the request sending timestamp in milliseconds.
        • unix_sec — the header must contain the request sending timestamp in seconds.
        • any — the timestamp format is not checked.

        When the unix_msec or unix_sec format is selected, the reverse HTTP proxy compares the received timestamp with the current time. If they differ by more than the specified Interval in seconds, the request will be considered unsigned, and its processing will be done according to the standard locations-based algorithm.

      • Timestamp drift — the acceptable difference between the received timestamp and the current time, see the description of the field Time format. The field is not displayed if the time format any is selected.

    • Comment (optional) — a short description of the signature.

  5. Click the Add button.

  6. To save the changes, click Save in the notification at the bottom of the screen.

    The changes will be applied within 5–7 minutes.

    Warning

    Adding signatures to the list does not automatically enable signature verification for site visitors. See Enable signature verification.
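
How the fields of this dialog fit together, as an added example that is not Qrator Labs code: the client computes the salt and the signature, and the proxy side applies the revoked-version and timestamp checks before comparing hashes. Assumptions: the header names, the key and the versions are constructed placeholders, the string parts are joined by plain concatenation in the order given by the Value method name, and the Additional headers values are appended after the timestamp.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Constructed sample settings mirroring the dialog fields; names and key are placeholders.
CFG = {
    "version_header": "X-App-Version", "secret_key": "example-secret",
    "salt_method": "md5_lowercase", "revoked_versions": {"1.0.0"},
    "hash_header": "X-Signature", "hash_method": "md5_uppercase",
    "value_method": "salt_schema_host_path_timestamp",
    "additional_headers": ["X-Device-Id"],
    "timestamp_header": "X-Timestamp", "timestamp_format": "unix_sec",
    "timestamp_drift": 300,
}

def md5_hex(text, method):
    digest = hashlib.md5(text.encode("utf-8")).hexdigest()
    return digest.upper() if method == "md5_uppercase" else digest

def sign(cfg, url, headers):
    """Client side: value the app sends in the Hash Header."""
    salt = md5_hex(cfg["secret_key"] + headers[cfg["version_header"]], cfg["salt_method"])
    u = urlsplit(url)
    uri = u.path
    if cfg["value_method"] == "salt_schema_host_uri_timestamp" and u.query:
        uri += "?" + u.query  # full URI keeps the GET query string
    # Assumption: plain concatenation, additional header values appended last.
    extra = "".join(headers.get(h, "") for h in cfg["additional_headers"])
    material = salt + u.scheme + u.netloc + uri + headers[cfg["timestamp_header"]] + extra
    return md5_hex(material, cfg["hash_method"])

def verify(cfg, url, headers, now):
    """Proxy side: True if signed; False means the request is treated as unsigned."""
    version = headers.get(cfg["version_header"])
    stamp = headers.get(cfg["timestamp_header"])
    given = headers.get(cfg["hash_header"])
    if version is None or stamp is None or given is None:
        return False
    if version in cfg["revoked_versions"]:
        return False
    if cfg["timestamp_format"] != "any":
        if not stamp.isdecimal():
            return False
        sent = int(stamp) / (1000 if cfg["timestamp_format"] == "unix_msec" else 1)
        if abs(now - sent) > cfg["timestamp_drift"]:
            return False
    return hmac.compare_digest(sign(cfg, url, headers).encode(), given.encode())
```

With salt_schema_host_path_timestamp the query string is not covered by the signature, so the same signature validates for any query on that path within the drift window; salt_schema_host_uri_timestamp binds the query as well.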

Edit signature

  1. Select the desired domain in the Domains section or the service in the Services section.

  2. Select the menu item Bot protection → Signatures.

  3. Find the desired signature and click next to it.

  4. In the dialog that opens, edit the required fields.

    The fields of the signature editing form are identical to the fields of the signature addition form.

  5. Click the Save button.

  6. To save the changes, click Save in the notification at the bottom of the screen.

    The changes will be applied within 5–7 minutes.

Enable specific signatures

To enable one or more signatures and allow requests that use signatures:

  1. Select the desired domain in the Domains section or the service in the Services section.

  2. Select the menu item Bot protection → Signatures.

  3. Check off the boxes next to the necessary signatures. Click the Enable button.

  4. To save the changes, click Save in the notification at the bottom of the screen.

    The changes will be applied within 5–7 minutes.

    Warning

    Enabling signatures in the list does not automatically enable signature verification for site visitors. See Enable signature verification.

Disable specific signatures

To disable one or more signatures and prohibit requests that use them:

  1. Select the desired domain in the Domains section or the service in the Services section.

  2. Select the menu item Bot protection → Signatures.

  3. Check off the boxes next to the necessary signatures. Click the button Disable.

  4. To save the changes, click Save in the notification at the bottom of the screen.

    The changes will be applied within 5–7 minutes.

Delete one signature

  1. Select the desired domain in the Domains section or the service in the Services section.

  2. Select the menu item Bot protection → Signatures.

  3. Find the desired signature and click next to it.

  4. To save the changes, click Save in the notification at the bottom of the screen.

    The changes will be applied within 5–7 minutes.

Delete multiple signatures

  1. Select the desired domain in the Domains section or the service in the Services section.

  2. Select the menu item Bot protection → Signatures.

  3. Check off the boxes next to the necessary signatures. Click the Delete button.

  4. To save the changes, click Save in the notification at the bottom of the screen.

    The changes will be applied within 5–7 minutes.
