
X-SigSci-* Request Headers

Updated Mar 27, 2023

Starting with:

  • Agent > 1.8.386
  • NGINX Module > 1.0.0+343
  • Apache Module > 207

X-SigSci-* headers are added to the incoming request. End users (your customers) cannot see them. However, your internal application can use these headers for various integrations.

Note that your module may alter the case of these header names (e.g., X-SigSci-AgentResponse vs. X-Sigsci-Agentresponse) from what is listed here.


The agent will return 200 if the request should be allowed, and 406 if the request is blocked.


A request ID used for uniquely identifying this request. May not be present in all requests.


A CSV list of signals associated with this request, for example:

  • SQLI
  • TOR

This list includes custom signals added by rules. See system signals for a full list of default system signals.

Note that IMPOSTOR should not be used at the moment as an indicator of malicious intent. Anything that appears to be a mainstream search engine is tagged with this and the exact identification is done upstream. Improvements in how this is done will be forthcoming.
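
How an internal application might consume these headers, as an added example that is not part of the original documentation: it looks headers up case-insensitively, parses the CSV signal list, and leaves IMPOSTOR out of any risk decision. Only X-SigSci-AgentResponse is named on this page; the header names `X-SigSci-RequestID` and `X-SigSci-Tags`, the `SigSciContext` class and the sample request are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Mapping, Optional

AGENT_RESPONSE = "x-sigsci-agentresponse"  # named on this page
REQUEST_ID = "x-sigsci-requestid"          # assumed header name
TAGS = "x-sigsci-tags"                     # assumed header name

# Signals that must not, on their own, mark a request as hostile
# (the page says IMPOSTOR is not an indicator of malicious intent).
NON_MALICIOUS = frozenset({"IMPOSTOR"})


@dataclass
class SigSciContext:
    agent_response: Optional[int] = None
    request_id: Optional[str] = None
    signals: list = field(default_factory=list)

    @property
    def blocked(self) -> bool:
        # 200 means allowed, 406 means blocked.
        return self.agent_response == 406

    def risk_signals(self) -> list:
        return [s for s in self.signals if s not in NON_MALICIOUS]


def parse_sigsci_headers(headers: Mapping[str, str]) -> SigSciContext:
    # Modules may change header case, so compare on lowercased names.
    lowered = {k.lower(): v for k, v in headers.items()}
    ctx = SigSciContext()
    raw = lowered.get(AGENT_RESPONSE, "").strip()
    if raw.isdecimal():
        ctx.agent_response = int(raw)
    # The request ID may be absent; keep None rather than an empty string.
    ctx.request_id = lowered.get(REQUEST_ID, "").strip() or None
    # CSV list: split on commas, drop blanks and duplicates, keep order.
    for item in lowered.get(TAGS, "").split(","):
        sig = item.strip()
        if sig and sig not in ctx.signals:
            ctx.signals.append(sig)
    return ctx


# Constructed sample request headers (mixed case, as a module might emit them).
SAMPLE = {
    "X-Sigsci-Agentresponse": "200",
    "X-SIGSCI-TAGS": "SQLI, TOR,IMPOSTOR",
    "Host": "app.internal.example",
}
```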