X-SigSci-* request headers

X-SigSci- headers are added to incoming requests. The end user (your customers) can't see them. However, your internal application can use these headers for various integrations.


If you are using the module-agent deployment method, your deployment module may alter the case of header names (e.g., X-SigSci-AgentResponse may appear as X-Sigsci-Agentresponse).

The following are X-SigSci- headers:

  • X-SigSci-AgentResponse: a code that indicates the Next-Gen WAF agent's decision to allow or block a request to your web application. The 200 agent response code indicates the request should be allowed, and agent response codes greater than or equal to 301 indicate the request should be blocked. For more information, check out our About agent response codes guide.

  • X-SigSci-RequestID: a request ID used to uniquely identify a request. Not all requests will be assigned an ID.

  • X-SigSci-Tags: a CSV string of comma-separated signals that are associated with a request. The header includes both system and custom signals (e.g., SQLI, XSS, NOUA, TOR, SITE.CUSTOM-SIGNAL).


    Do not use the IMPOSTOR signal as an indicator of malicious intent. Anything that appears to be a mainstream search engine is tagged with this signal and the exact identification is done upstream.

Was this guide helpful?

Do not use this form to send sensitive information. If you need assistance, contact support. This form is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.