Book IndexHideShow
Back to topic

Cloud Application Security

Web Protection - Security Settings

Web Protection - Security Settings

Define granular access control policies for your website.

Note: Starting June 7, 2020 we are rolling out the new Policy Management feature. If your account was created after June 7, 2020, or your existing account has been migrated, the Block Specific Sources and Whitelist Specific Sources settings are now configured using policies. For details, see Create and Manage Policies.

In this topic:

Access the Security settings

  1. Log in to your account.
  2. On the sidebar, click Websites (default).
  3. Click a site name to access the site's dashboard.
  4. On the sidebar, click Settings.
  5. Click Security .

Set bot access control policy

Bot Access Control lets you define an access control policy for each client that accesses your website.

Imperva client classification

Imperva’s unique classification technology can tell whether your website visitors are humans or bots. Our client database holds an extensive list of bot classifications and can identify the specific type of bot visiting your website.

Each bot is marked either as a Good Bot or a Bad Bot. Bad Bots are those bots that pose a threat to your website security. For example, a vulnerability scanner or a DDoS attack bot. Googlebot (and all other search engine bots) is marked as a good bot and not blocked by the Bad Bots rule.

For the list of the clients and client type categories that Imperva addresses, see Client Classification.

For more details on Imperva's mitigation capabilities for automated threats, see Bot Mitigation.

Set the bot access control options

Option Description
All Good Bots (like Google and Pingdom) will be allowed to access your site

All good bots are allowed to access your website by default. You can customize the list of good bots from the Bot Access Control settings.

Note: Requests from good bots are also filtered by the WAF. This is because some legitimate services might be manipulated to send malicious requests to your website.

Click the Good Bots link to edit the Good Bots List. The Good Bots List displays a list of the bots that do not pose a threat to your website. By default, each of these bots is marked with a checkmark, which means that they are not blocked by default.

Note: To add additional good bots to the list, such as your own API client or mobile app, contact Imperva support.

Block Bad Bots (like comment spammers and scanners)

All bad bots are denied access to your website by default. You can customize the list of bad bots from the Bot Access Control settings. For example, you may want to whitelist a specific vulnerability scanner your organization subscribes to.

Click the Also block link to add to the Bad Bots List.

To add a bot to the list, start typing its name. A drop-down menu is displayed enabling you to select from Imperva’s predefined list of bad bots, as shown below:

Only bad bots that are in Imperva’s database can be added. If you would like to add an additional bot to this list, contact Imperva support.

Require all other suspected bots to pass additional challenges

If a bot cannot be classified by Imperva, it is considered a Suspected Bot. In many cases these bots are operated by legitimate service providers, and in some cases these are malicious bots.

You can configure Imperva to filter out any suspected bot by requiring the client to complete a CAPTCHA test or additional challenges. This will filter out bad bots, reduce unnecessary load from unwanted crawlers and services, and ensure that only legitimate visitors can access your website.

Exceptions See Define exceptions.

Select CAPTCHA provider

You can choose to use GeeTest CAPTCHA instead of the default reCAPTCHA.

Availability: For Advanced Bot Protection and Account Takeover Protection customers only.

By default, the GeeTest CAPTCHA is displayed in Chinese. To display the CAPTCHA in English, contact Imperva Support to request the change.

For GeeTest, select the difficulty level for the challenge that you want to present to visitors.

Auto GeeTest AI technology determines the appropriate difficulty level for the visitor.
Normal A challenge with a standard level of difficulty is presented to the visitor.
Hard A more difficult challenge is presented to the visitor.
Extra Hard The most difficult challenge is presented to the visitor.

Block specific sources (access control / ACL)

Block Countries Enables you to restrict traffic based on the geo-location of the visitor.
Block URLs Enables you to restrict traffic to specific resources / URLs.
Block IPs Enables you to restrict traffic based on the source IP of the visitor.

Define exceptions

To add an item to the Exceptions list for any of the security rules:

  1. Click Add exception, or Exceptions if there are already existing exceptions defined.

  2. In the Add exception rule on field, select the type of item to be added to the whitelist, such as URL, Client app ID, IP, or Country.

    For IP exceptions, single IPs, IP ranges, and subnets are supported. For example,,, or

  3. In the field to the right, fill in the value to exclude from the rule.
  4. Click Add.
  5. You can repeat the steps above to add additional rules.
  6. Click Confirm.

Note: An exception rule will match only if all match criteria are satisfied. If you want to add an exception for multiple and non-related scenarios, you can add multiple exception rules.

Whitelist specific IP sources

This option enables you to create a list of trusted IPs that are not inspected by Imperva's WAF and Security settings entirely. If you would like to whitelist an IP for a specific rule, it is recommended that you do that from the rule whitelist settings (see above) rather than adding a global whitelist rule.

Read More

Join the Discussion