---
header: Bot Management
lang: en
last_updated: '2026-03-31'
url: https://docs.fastly.com/products/bot-management
---

Fastly's [Bot Management](https://www.fastly.com/documentation/guides/security/bot-management/) product provides you with visibility into bot traffic, allowing you to identify bots and respond to automated traffic with the nuance your business and security posture require. Using the knowledge you gain from this detection, you can enforce rulesets and policies to control bots in either delivery (before cache) or the Next-Gen WAF (after cache) as part of your web asset and application protection measures. Because not all bots are malicious, Bot Management offers controls that can help you decrease unwanted bot activity by allowing you to customize your interactions and automatically decide which bots to allow in your ecosystem.

## ContentGuard

ContentGuard provides bot detection and mitigation at the network edge, protecting your traffic before bots can access content in either Fastly cache or your origin. This feature leverages the bot detection engine to perform inspection at the network edge and is the first line of defense against automated threats. It helps you detect bots that scrape content and may attempt to steal valuable proprietary data like dynamic pricing, real-time inventory, or copyrighted material. The following Bot Management product features are available with ContentGuard:

- Client fingerprinting
- Verified bots
- Block or allow requests based on detection attributes via VCL

## Client fingerprinting

Client fingerprinting incorporates [JA3](https://github.com/salesforce/ja3) and [JA4](https://github.com/FoxIO-LLC/ja4) fingerprinting and allows you to identify client types as long as that information is available as part of the TLS encrypted communication between a specific client and its server. This feature can help you detect bots designed for malicious activities such as credential stuffing, credential cracking, or IP rotation attacks.
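The following added example (not Fastly's code) follows the public JA3 method to show why a fingerprint survives IP rotation: it hashes the ClientHello fields, drops GREASE values, and groups requests by fingerprint. The ClientHello tuples, IP addresses, and function names are constructed for illustration.

```python
import hashlib
from collections import defaultdict

# GREASE placeholders (RFC 8701: 0x0a0a, 0x1a1a, ... 0xfafa) vary per
# connection, so JA3 drops them before hashing.
GREASE = {(b << 8) | b for b in range(0x0A, 0x100, 0x10)}

def ja3_string(version, ciphers, extensions, groups, point_formats):
    """Build the JA3 input: five ClientHello fields, decimal, in wire order."""
    def join(values):
        return "-".join(str(v) for v in values if v not in GREASE)
    return ",".join([str(version), join(ciphers), join(extensions),
                     join(groups), join(point_formats)])

def ja3_hash(hello):
    """JA3 fingerprint: MD5 hex digest of the JA3 string."""
    return hashlib.md5(ja3_string(*hello).encode("ascii")).hexdigest()

def fingerprints_across_ips(records, min_ips=3):
    """Return {ja3: sorted source IPs} for fingerprints seen from >= min_ips IPs."""
    seen = defaultdict(set)
    for ip, hello in records:
        seen[ja3_hash(hello)].add(ip)
    return {fp: sorted(ips) for fp, ips in seen.items() if len(ips) >= min_ips}

# Constructed sample data (not real traffic): parsed ClientHello fields as
# (version, ciphers, extensions, supported groups, EC point formats).
# CLIENT_X_1 and CLIENT_X_2 are the same TLS stack on two connections;
# only the GREASE values differ.
CLIENT_X_1 = (771, [0x0A0A, 4865, 4866, 49195], [0x1A1A, 0, 10, 11, 13], [0x2A2A, 29, 23], [0])
CLIENT_X_2 = (771, [0xDADA, 4865, 4866, 49195], [0xFAFA, 0, 10, 11, 13], [0x3A3A, 29, 23], [0])
CLIENT_Y = (771, [4865, 4867, 4866, 49199], [0, 23, 65281, 10, 11], [29, 23, 24], [0])

RECORDS = [
    ("198.51.100.7", CLIENT_X_1),
    ("203.0.113.21", CLIENT_X_2),
    ("192.0.2.45", CLIENT_X_1),
    ("192.0.2.99", CLIENT_Y),
]

if __name__ == "__main__":
    for fp, ips in fingerprints_across_ips(RECORDS).items():
        print(fp, ips)
```

JA4 uses a different, sorted and truncated format, so this sketch covers JA3 only.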

## Client challenges

[Client challenges](https://www.fastly.com/documentation/guides/next-gen-waf/using-ngwaf/rules/using-client-challenges) allow you to require users to prove that they are human or that a connection is happening via a full-fledged browser. For each service, you choose whether these challenges are dynamic, interactive, or non-interactive:

- Dynamic challenges allow Fastly to automatically choose the most appropriate client challenge based on the situation, including Private Access Tokens (PATs), non-interactive challenges, and interactive challenges if suspicious activity is detected during the initial check.
- Interactive challenges use configurable CAPTCHA-like challenge-response tests that human users must respond to.
- Non-interactive challenges use JavaScript Proof-of-Work (PoW) to test that the browser supports JavaScript.

To identify when challenges have been initiated and solved, cookies are issued from the customer domain in which the challenges are issued. Specifically:

- the `_fs_ch_st_<RANDOM STRING>` challenge start cookie signals the initiation of the challenge and helps mitigate trivial replay of challenge flows by your service
- the `_fs_ch_cp_<RANDOM STRING>` challenge complete cookie signals the completion of the challenge and communicates to your service that access to a resource should be permitted

## Advanced client-side detections

[Advanced client-side detections](https://www.fastly.com/documentation/guides/next-gen-waf/using-ngwaf/using-advanced-client-side-detections) allow you to detect bots that leverage headless browsers such as headless Chrome. This feature requires you to modify the HTML code of your website to include a JavaScript snippet. To identify that a browser has run the JavaScript, the `_fs_cd_cp_<RANDOM STRING>` cookie is issued from the customer domain.
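As an added example (not Fastly's code), the sketch below scans `Cookie` request headers from your own logs for the three cookie name prefixes documented in the client challenges and advanced client-side detections sections, and lists clients that presented a challenge start cookie but never a challenge complete cookie. The client identifiers, cookie suffixes, cookie values, and function names are constructed assumptions.

```python
from collections import defaultdict

# Cookie name prefixes documented on this page; the suffix is a random string.
PREFIXES = {
    "_fs_ch_st_": "challenge_started",
    "_fs_ch_cp_": "challenge_completed",
    "_fs_cd_cp_": "client_detection_ran",
}

def cookie_flags(cookie_header):
    """Return which documented cookie families appear in a Cookie header.

    Name matching only: this does not validate cookie values, so use it
    for visibility in logs, not as an access decision.
    """
    flags = set()
    for pair in cookie_header.split(";"):
        name = pair.split("=", 1)[0].strip()
        for prefix, flag in PREFIXES.items():
            # Require a non-empty suffix after the documented prefix.
            if name.startswith(prefix) and len(name) > len(prefix):
                flags.add(flag)
    return flags

def unfinished_challenges(requests):
    """Return client IDs that sent a start cookie but never a complete cookie."""
    seen = defaultdict(set)
    for client_id, cookie_header in requests:
        seen[client_id] |= cookie_flags(cookie_header)
    return sorted(c for c, f in seen.items()
                  if "challenge_started" in f and "challenge_completed" not in f)

# Constructed sample: (client identifier, Cookie request header).
SAMPLE = [
    ("client-a", "session=abc; _fs_ch_st_k3Jx9=1"),
    ("client-a", "session=abc; _fs_ch_st_k3Jx9=1; _fs_ch_cp_Qw8Lm=1"),
    ("client-b", "_fs_ch_st_Zz01p=1"),
    ("client-b", "_fs_ch_st_Zz01p=1"),
    ("client-c", "theme=dark; _fs_cd_cp_7hTq2=1"),
    ("client-d", "x_fs_ch_cp_fake=1; _fs_ch_cp_="),  # lookalike names, ignored
]

if __name__ == "__main__":
    print(unfinished_challenges(SAMPLE))
```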

## Verified bots

Verified bots allow you to add a Next-Gen WAF signal to the logic of your active configuration rules that will help validate self-identified bots and thereby allow or block them as appropriate as requests arrive at the web applications you're protecting.

Organizations wishing to have their bots included in one of the Verified Bot [categories](https://www.fastly.com/documentation/guides/next-gen-waf/using-ngwaf/signals/using-system-signals#bots) can submit details about the bot using our [submission form](https://community.fastly.com/t/about-the-verified-bots-category/2864). Use your business email address to set up your account on [community.fastly.com](https://community.fastly.com/) to aid verification. Submissions will be reviewed by Fastly and considered for inclusion in the product.

## Private Access Tokens

> **IMPORTANT:** This information is part of a limited availability release. For additional details, read our [product and feature lifecycle](https://docs.fastly.com/products/fastly-product-lifecycle#limited-availability) descriptions.

The Private Access Token (PAT) verification service allows you to protect access to resources on your origin. When an end user requests information from an origin that Fastly protects, the PATs service specifically requires the requester to prove that they are human and verify their identity, but does so without directly revealing personal information about the requester or requiring them to solve puzzle-based challenges. It does this based on the settings you specify in your Bot Management implementation and then responds to requests by issuing a validation token granting access or blocking access to those protected resources as appropriate.

## Prerequisites

To purchase Bot Management, you must have a [paid account](https://www.fastly.com/documentation/guides/account-info/billing/account-types#paid-accounts) with a contract for Fastly's services and must purchase a Fastly delivery product. For those who are interested in our [Security Subscription packages](https://docs.fastly.com/products/fastly-next-gen-waf#feature-availability), Bot Management is available in all feature tiers except the Essentials platform.

## Limitations and considerations

The following features require Next-Gen WAF to function and can only run post-cache. They are not available within ContentGuard:

- Client challenges
- Advanced client-side detections

Keep in mind the following limitations and considerations for client challenges:

- The client challenges feature must be [enabled for each individual service](https://www.fastly.com/documentation/guides/security/bot-management/client-challenges/about-client-challenges/#getting-started-with-client-challenges) using your service ID via an API call.
- Client challenges are issued to fully-qualified domain names (FQDN). If your service includes subdomains that shouldn't receive challenges (e.g., api.example.com), be sure to restrict the challenge to the desired subdomains when creating the request rule that adds the challenge.
- Exceptions to client challenges can be used to allow some bots access to your site. These exceptions must be explicitly included in any rule that would otherwise exclude them.

In addition, keep in mind the following limitations and considerations specific to PATs:

- PATs usage is measured based on the number of token redemptions that occur. One token redemption is equal to one request, which affects your billing as described below.
- PATs challenges can only be issued to Apple-supported devices using iOS 16 or higher or macOS Ventura or higher.
- Apple-supported devices are limited to 10 tokens per minute, per device, and only 10 tokens every 5 minutes are allowed for a single origin server or website. Only 1 token per minute is allowed for a single TLS connection to a server.

## Billing

> **NOTE:** Billing limits for this product may be different depending on your [account type](https://www.fastly.com/documentation/guides/account-info/billing/account-types/), if you've purchased a [packaged offering](https://www.fastly.com/package-entitlements/), or are using a [product or feature trial](https://www.fastly.com/documentation/guides/account-info/billing/about-the-products-page).

Fastly charges for Bot Management based on the volume of requests (per millions) processed per month. These charges are separate from and do not include charges associated with the Fastly Full Site Delivery service nor with usage of the Fastly Next-Gen WAF.

> **WARNING:** Enabling ContentGuard may increase your Bot Management bill due to the additional requests processed.

> **NOTE:** For more details about this product, including [pricing information](https://www.fastly.com/pricing) and help with purchasing it, contact your account manager or email [sales@fastly.com](mailto:sales@fastly.com).
