Bot Management


This information is part of a limited availability release. For additional details, read our product and feature lifecycle descriptions.

Fastly's Bot Management product provides you with visibility into bot traffic, allowing you to identify bots and automations directly at Fastly's network edge, closer to where requests arrive and further away from your application layer. Using the knowledge you gain from this detection, you can enforce rulesets and policies in the Bot Management console as part of your web asset and application protection measures. Because not all bots are malicious, Bot Management offers controls that can help you decrease unwanted bot activity by allowing you to customize your interactions and automatically decide which bots are safe to interact with in your ecosystem.

Client fingerprinting

As a limited availability feature, client fingerprinting incorporates JA3 fingerprinting and allows you to identify client types as long as that information is available as part of the TLS encrypted communication between a specific client and its server. This feature can help you detect bots designed for malicious activities such as credential stuffing, credential cracking, or IP rotation attacks.

Client challenges

As a limited availability feature, client challenges allow you to require users to prove that they are human or that a connection is happening via a full-fledged browser. For each service, you choose whether these challenges are interactive or non-interactive. Interactive challenges use configurable CAPTCHA-like challenge-response tests that human users must respond to. Non-interactive challenges get sent automatically to each client as JavaScript code embedded in a web page.

Verified bots


This information is part of a beta release. For additional details, read our product and feature lifecycle descriptions.

This beta availability feature allows you to add a Next-Gen WAF signal to the logic of your active configuration rules that will help validate self-identified bots and thereby allow or block them as appropriate as requests arrive to the web applications you're protecting. This beta feature is available to Professional and Premier plan customers. For additional details on how to explore this beta feature, contact your account manager or


To purchase Bot Management, you must purchase Fastly's Next-Gen WAF at the Professional or Premier level for deployment on Fastly's Edge Cloud platform. This requires a paid account with a contract for Fastly's services.

Limitations and considerations

Keep in mind the following limitations and considerations:

  • When using the client challenges feature, you must choose between either interactive or non-interactive challenges for each service. Both cannot be active on a single service at the same time.
  • Using client challenges for multiple host names requires custom VCL. If, for example, a service includes both and as hosts, client challenges will not behave as expected.
  • Any client challenge exceptions required to exclude bots you want to access your site must be included in your custom VCL.


Fastly charges for Bot Management based on the volume of requests processed per month. These charges are separate from and do not include charges associated with the Fastly Full Site Delivery service nor with usage of the Fastly Next-Gen WAF.

Was this guide helpful?

Do not use this form to send sensitive information. If you need assistance, contact support. This form is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.