# Anti-Bot Challenge Rules

### Overview

Anti-Bot rules allow you to **Detect, Challenge, or Prevent** traffic that matches specific criteria in order to mitigate automated abuse such as:

* Credential stuffing
* Brute-force attacks
* Account enumeration
* Bot-driven DDoS

#### Action Modes

* **Detect** – Logs matching traffic only.\
  *Recommended first step to validate impact before enforcement.*
* **Challenge (captcha)** – Requires the client to pass a browser challenge before access is granted.\
  Use to stop automation while allowing legitimate users.
* **Prevent** – Blocks matching requests.\
  Use after validation or during active attacks.

**Best practice:** Start with **Detect**, then move to **Challenge**.

### How to Configure Anti-Bot Rules

#### Add Rules

1. Navigate to **Anti-Bot Tab → Challenge Rules SubPractice → Add Rule**

<figure><img src="https://2760087783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEWA4nfgNrSRL8dA6Kap7%2Fuploads%2FZA74PCerf5v7oHSa6G8d%2Fimage.png?alt=media&#x26;token=c84f3474-58ce-40df-8ada-2f2f838146b7" alt=""><figcaption></figcaption></figure>

2. Select the desired **Action** (Detect, Challenge, or Prevent).
3. Enter the target **URI** (e.g., `/login`).
4. (Optional) Add **Additional Conditions** to narrow the scope.\
   You may choose one of the following:
   * Source Identifier
   * Source IP
   * URI
   * Country Code
   * Country Name
5. Save the rule.

<figure><img src="https://2760087783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEWA4nfgNrSRL8dA6Kap7%2Fuploads%2FTTYC9GRMLGGT3vk1rR7N%2Fimage.png?alt=media&#x26;token=0fb270f3-42b9-4acc-bd01-0021e0d964c4" alt="" width="507"><figcaption></figcaption></figure>

#### Add a Captcha Challenge

1. Navigate to the "Behaviors" tab and create a new Captcha object.

<figure><img src="https://2760087783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEWA4nfgNrSRL8dA6Kap7%2Fuploads%2FSUutmE2EoqM0K70pAHJa%2Fimage.png?alt=media&#x26;token=f55f4b0d-bca2-4de5-954c-c31e6fbfcf88" alt="" width="375"><figcaption></figcaption></figure>

2. Configure the Captcha object that will be used when a rule triggers a challenge:

   * **Name**: Enter a friendly name for the Captcha object, or keep the default.
   * **Captcha Type**: Select the challenge mechanism. *(Currently set by default to **Proof of Work**.)*
   * **TTL**: The time-to-live (in minutes) for the successful challenge. During this period, the user will not be required to complete a new challenge.
   * **Message Title (optional)**: The title shown on the challenge HTML page presented to the end user.
   * **Message Body (optional)**: The text displayed on the challenge HTML page presented to the end user.

   <figure><img src="https://2760087783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEWA4nfgNrSRL8dA6Kap7%2Fuploads%2FaVSYytcGu7vctq1FGMkc%2Fimage.png?alt=media&#x26;token=ea7bb2b4-dc93-450a-b055-9a092f648915" alt="" width="320"><figcaption></figcaption></figure>

<figure><img src="https://2760087783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEWA4nfgNrSRL8dA6Kap7%2Fuploads%2FoCJLObJ2THssuGgtzzY7%2Fimage.png?alt=media&#x26;token=1776bea1-62fc-45b8-8e9d-c058415ac741" alt="" width="563"><figcaption><p>Example of a challenge page displayed to the user</p></figcaption></figure>

3. Connect the Captcha object to the practice:

<figure><img src="https://2760087783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEWA4nfgNrSRL8dA6Kap7%2Fuploads%2FjsooPXUNBNvCB0uGXtpW%2Fimage.png?alt=media&#x26;token=c5926c00-a419-4403-9d21-f9b8cce59118" alt="" width="305"><figcaption></figcaption></figure>

4. Enforce policy.
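
To make the **Proof of Work** captcha type and the **TTL** field concrete, the following is an added example and not the product's implementation: a generic hashcash-style challenge in which the client searches for a counter, the server verifies it with one hash, and a signed pass suppresses further challenges until the TTL expires. The SHA-256 scheme, the 16-bit difficulty, the HMAC-signed pass format and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import time

SECRET = os.urandom(32)   # server-side signing key (constructed for this example)
DIFFICULTY_BITS = 16      # assumed difficulty; not a documented product value
TTL_MINUTES = 30          # plays the role of the Captcha object's TTL field

def leading_zero_bits(digest: bytes) -> int:
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()

def work(challenge: str, counter: int) -> int:
    return leading_zero_bits(hashlib.sha256(f"{challenge}:{counter}".encode()).digest())

def issue_challenge() -> str:
    # Random per-request value; a real service must also reject reused challenges.
    return os.urandom(16).hex()

def solve(challenge: str, bits: int = DIFFICULTY_BITS) -> int:
    # Client side: brute-force a counter. Costly for bulk automation, cheap once per user.
    counter = 0
    while work(challenge, counter) < bits:
        counter += 1
    return counter

def sign(payload: str) -> str:
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()

def verify_and_issue_pass(challenge, counter, client_id, now=None, bits=DIFFICULTY_BITS):
    # Server side: one hash to verify, then a signed pass that expires after the TTL.
    if work(challenge, counter) < bits:
        return None
    expires = int(time.time() if now is None else now) + TTL_MINUTES * 60
    payload = f"{client_id}|{expires}"
    return f"{payload}|{sign(payload)}"

def pass_is_valid(token: str, client_id: str, now=None) -> bool:
    # While this returns True the client is not challenged again.
    try:
        cid, expires, tag = token.rsplit("|", 2)
    except ValueError:
        return False
    if not hmac.compare_digest(tag.encode(), sign(f"{cid}|{expires}").encode()):
        return False
    current = time.time() if now is None else now
    return cid == client_id and current < int(expires)
```

A shorter TTL forces automation to redo the work more often, while a longer TTL reduces friction for legitimate users.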
