Detection Tag - Event Mitigation Mode
Event Mitigation mode (previously named
Active mode) provides visibility into interactive events on your web
application and mitigates any traffic that is automated or invalid. This integration type focuses exclusively on
events occurring after the page load (e.g. account creation, authentication, commenting or liking, checking out, etc.)
but does not monitor page views.
This integration type requires a backend, server-to-server call to the Mitigation API in order to retrieve a real-time decision that you can use to log or take action on bot interactions.
This guide describes how to set up the Detection Tag in
Event Mitigation mode for static websites. This means that
the web pages are rendered on the server side, and there is no dynamic rendering of pages or navigation between them.
The assumption is that every time a user clicks a link to another page of your website or submits a form, it does a full
page reload before proceeding to the next page.
If you have a Single Page Application where pages are rendering dynamically on the front-end and navigation between pages does not fully reload the page, then please view Event Mitigation Mode Setup Instructions for Single Page Applications.
To fully implement
Event Mitigation mode, the Mitigation API Integration must also be
ci: Customer ID
dt: Tag ID
mo: Tag mode. Value is always
2for Event Mitigation mode
pd: Product key, always
accfor BotGuard for Applications
ap: App ID
ck: Cookie ID
dv: Device ID
si: Site ID
ui: User ID
c1 - c10: Custom fields
r1 - r10: Reporting fields
For detailed information on the full set of Detection Tag fields, refer to the Detection Tag Field Index.
&ap=com.example.Example <!-- in app only -->
&dv=c3f927f4-3ef9-4b53-8887-d794c4daea82 <!-- in app only -->
Hidden Field Injection
When the user submits a protected form, the Detection Tag injects the following three hidden input fields into the form:
<input type="hidden" name="OZ_TC" value="..."/>
<input type="hidden" name="OZ_DT" value="..."/>
<input type="hidden" name="OZ_SG" value="..."/>
The hidden input field values need to be forwarded to the Mitigation API according to the following field mapping:
OZ_TC -> session
OZ_DT -> datatoken
OZ_SG -> payload
The script should execute at page load time. If the protected element performs a postback (whether it causes a page reload or not) the script must be loaded before the postback takes place to protect the form submission.
We have purposely omitted the
async attribute from the script tags to ensure that the tag loads as early as possible.
This enables the tag to capture more signals from the browser environment, improving bot detection efficacy.
2KB ~ 4KB in size followed by the main payload that is
~40KB. Postbacks are made
one to a few times, and are generally a few hundred bytes each.