Dashboard: Bot protection → Visitors

Note

In the default configuration, this section of the personal dashboard is available only to users in the Administrative and Technical groups. Editing the settings is available only to users in the Technical group.

The Bot protection → Visitors section of the Qrator Labs dashboard defines the categories of users to whom traffic processing rules are applied for bot protection purposes.

The settings in this section allow you to:

Enable bot protection

  1. Select the desired domain under Domains or the desired service under Services.

  2. Select the menu item Bot protection → Visitors.

  3. Tick the Enabled option.

  4. To save the changes, click Save in the notification at the bottom of the screen.

    The changes will be applied within 5–7 minutes.

Warning

For bot protection to work, the Enabled option must be activated both in this section and in the section Bot protection → Locations. For more information about the necessary and recommended steps, see Connection: Bot Protection.

Disable bot protection

  1. Select the desired domain under Domains or the desired service under Services.

  2. Select the menu item Bot protection → Visitors.

  3. Clear the Enabled option.

  4. To save the changes, click Save in the notification at the bottom of the screen.

    The bot protection will be disabled within 5–7 minutes.

Configure forced checks by IP address

This setting allows you to specify a list of IP addresses from which requests will always be matched against the rules, regardless of the A/B checks distribution setting. This is useful for testing protection rules from a limited number of devices before fully enabling them for all users. For more information, see the description of the recommended procedure for enabling the service in the article Connection: Bot Protection.

  1. Select the desired domain under Domains or the desired service under Services.

  2. Select the menu item Bot protection → Visitors.

  3. Under Force checks For IPs, click Edit.

  4. In the dialog that appears, enter the list of IP addresses for which mandatory checks must be enabled. Separate IP addresses with line breaks.

  5. Click the Save button.

  6. To save the changes, click Save in the notification at the bottom of the screen.

    The changes will be applied within 5–7 minutes.

Exclude users from checks by request headers

If this setting is configured, the system will consider all requests with certain HTTP header name-value combinations legitimate.

Example

Let's assume that you use your own bot to make requests as part of functional or load testing. Configure the bot so that it adds an HTTP header with a specific name and value to each request. Add this name and value to the exceptions as described below. After that, the bot will be able to receive content from the upstream without passing the verification.

  1. Select the desired domain under Domains or the desired service under Services.

  2. Select the menu item Bot protection → Visitors.

  3. In the section Exclude by headers, add a new exception or select the exception to be changed.

    • To add a new exception, click Add exception.
    • To change an existing exception, click the icon next to it.
  4. In the dialog that appears, describe the condition under which the user will be considered legitimate. To do that, specify the header name, the value verification method, and the string to be used for verification.

    Fill out the following fields:

    • Header name — name of the header to check.

    • Verification method:

      • Contains — the value of the header must contain the string in the text field.
      • Ends with — the value of the header must end with the string in the text field.
      • Equal — the value of the header must be equal to the string in the text field.
      • Starts with — the value of the header must start with the string in the text field.

      When selecting the verification method, an additional popup window appears with a checkbox labeled One of. Check this checkbox to specify several possible values at once with which the component from the request will be compared. Leave the checkbox unchecked and press the Esc key to specify only one value.

    • Value used for verification.

      If the checkbox One of was checked, you can input several values in the text field, separated by line breaks.

      Warning

      Do not add as exceptions header values that bot creators can find in the documentation or other public sources. It is recommended to use generated random strings known only to your team.

  5. Click Save.

  6. To save the changes, click Save in the notification at the bottom of the screen.

    The changes will be applied within 5–7 minutes.
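
The following Python sketch is an added example, not Qrator Labs code: it models the four verification methods and the One of option described above, and checks a planned exception against the warning about guessable values. The header name X-Test-Token, the 64-bit threshold and case-sensitive value comparison are assumptions of the example.

```python
import math
import secrets
from collections import Counter

# The four verification methods from the dialog, modelled as string tests.
# Assumption: values are compared case-sensitively.
METHODS = {
    "Contains": lambda value, s: s in value,
    "Ends with": lambda value, s: value.endswith(s),
    "Equal": lambda value, s: value == s,
    "Starts with": lambda value, s: value.startswith(s),
}

def is_excluded(headers, name, method, strings):
    """True if any header called `name` matches any string ("One of")."""
    test = METHODS[method]
    return any(key.lower() == name.lower() and any(test(value, s) for s in strings)
               for key, value in headers.items())

def entropy_bits(s):
    """Rough Shannon estimate of the information in s, in bits."""
    counts = Counter(s)
    return -sum(c * math.log2(c / len(s)) for c in counts.values())

def lint_exception(method, strings, min_bits=64):
    """Return findings for one exception; min_bits is a chosen threshold."""
    findings = [f"{s!r}: short or guessable, replace with a generated value"
                for s in strings if entropy_bits(s) < min_bits]
    if method != "Equal":
        findings.append(f"{method}: also matches longer values that embed the string")
    return findings

def new_header_value():
    """Generate a random value (256 bits from the OS CSPRNG) for a test bot."""
    return secrets.token_urlsafe(32)

if __name__ == "__main__":
    # Constructed sample rules; the header name X-Test-Token is hypothetical.
    print(lint_exception("Contains", ["loadtest"]))
    token = new_header_value()
    print(lint_exception("Equal", [token]))  # no findings expected
    print(is_excluded({"x-test-token": token}, "X-Test-Token", "Equal", [token]))
```

An exception that passes the check uses Equal with a generated value, so a request is excluded only when it carries exactly that string.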

Delete exception by header

  1. Select the desired domain under Domains or the desired service under Services.

  2. Select the menu item Bot protection → Visitors.

  3. Under Exclude by headers, click the icon next to the exception to be deleted.

  4. Confirm the action by clicking Delete in the dialog that appears.

  5. To save the changes, click Save in the notification at the bottom of the screen.

    The changes will be applied within 5–7 minutes.

Configure Exclude countries

If this setting is configured, the bot protection will consider all requests from certain countries legitimate. The source country of the request is determined by the IP address using the [MaxMind GeoIP](https://www.maxmind.com/en/geoip2-services-and-databases) database.

  1. Select the desired domain in the Domains section or the service in the Services section.

  2. Select the menu item Bot protection → Visitors.

  3. In the Exclude countries section, edit the list of countries. The countries in the list are represented by codes according to the [ISO 3166](https://en.wikipedia.org/wiki/ISO_3166) standard, for example, the code FR is used for France.

    • To add a country to the list, click its code in the dropdown list. To search for the desired country, type one or both of the letters of its code in the text field.
    • To delete a country from the list, click the X mark next to its code.
  4. To save the changes, click Save in the notification at the bottom of the screen.

The changes will be applied within 5–7 minutes.

Configure IP and subnet exceptions

If this setting is configured, the bot protection will consider all requests from certain IP addresses legitimate. For example, this way you can allow automated tools from the networks of your company or its partners.

  1. Select the desired domain in the Domains section or the service in the Services section.

  2. Select the menu item Bot protection → Visitors.

  3. In the Exclude IPs & Networks section, click the Edit link.

  4. In the dialog that appears, enter the list of IP addresses and subnets in CIDR notation, separating them with line breaks.

  5. Click the Save button.

  6. To save the changes, click Save in the notification at the bottom of the screen.

    The changes will be applied within 5–7 minutes.
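
Before pasting a list into the Exclude IPs & Networks dialog, it can be checked offline. The Python sketch below is an added example, not part of the Qrator Labs tooling: it parses a newline-separated list, reports malformed entries and very broad subnets, and flags addresses that are also in the forced-checks list. The prefix thresholds and the sample lists are assumptions of the example.

```python
import ipaddress

def parse_list(text):
    """Parse newline-separated IPs/CIDRs; return (networks, error strings)."""
    nets, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.strip()
        if not entry:
            continue
        try:
            # strict=True rejects entries such as 198.51.100.7/24 (host bits set)
            nets.append(ipaddress.ip_network(entry, strict=True))
        except ValueError as exc:
            errors.append(f"line {lineno}: {entry!r}: {exc}")
    return nets, errors

def lint_ip_lists(exclude_text, forced_text, min_v4_prefix=16, min_v6_prefix=32):
    """Return findings for the exclusion list, cross-checked with forced checks."""
    excluded, findings = parse_list(exclude_text)
    forced, forced_errors = parse_list(forced_text)
    findings += forced_errors
    for net in excluded:
        limit = min_v4_prefix if net.version == 4 else min_v6_prefix
        if net.prefixlen < limit:
            findings.append(f"{net}: very broad exclusion ({net.num_addresses} addresses)")
        for f in forced:
            # The page does not say which setting wins, so report the overlap.
            if f.version == net.version and f.subnet_of(net):
                findings.append(f"{f.network_address} is force-checked but excluded by {net}")
    return findings

if __name__ == "__main__":
    # Constructed sample input with deliberate mistakes.
    exclude = "198.51.100.7/24\n203.0.113.0/24\n10.0.0.0/8\n\nnot-an-ip"
    forced = "203.0.113.61"
    for finding in lint_ip_lists(exclude, forced):
        print(finding)
```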

Configure A/B checks distribution

This setting determines for which percentage of users the bot protection is activated. This is useful for step-by-step activation of the bot protection service, see the corresponding step in the connection instructions.

Note

A request from a user will be analyzed by the bot protection if:

  • the Enable option in the section Bot protection → Locations is activated,
  • the Enable option in the section Bot protection → Visitors is activated,
  • any of the three conditions is met:
    • A/B checks distribution is set to 100%,
    • A/B checks distribution is set to some value, and the user's IP address is included in the sample for verification,
    • the user's IP address is in the [list for forced checks](#edit-force-checks).

To change the A/B checks distribution:

  1. Select the desired domain in the Domains section or the service in the Services section.

  2. Select the menu item Bot protection → Visitors.

  3. In the section A/B checks distribution, move the slider to the desired value from 0% to 100%.

  4. To save the changes, click Save in the notification at the bottom of the screen.

    The changes will be applied within 5–7 minutes.

Configuration example

Example

In this example, bot protection will be applied:

  • to requests from 20% of visitors,
  • to requests from IP addresses 203.0.113.61, 203.0.113.62, 203.0.113.63.

The following shall be deemed legitimate requests that do not require verification:

  • requests with one of the three specified cookie values Test Secret,
  • requests from IP addresses from Japan and Pakistan,
  • requests from IP addresses from subnets 198.51.100.0/24, 233.252.0.0/24.