All Products
Search
Document Center

API Gateway:bot-detect

Last Updated:Jun 22, 2026

The bot-detect plug-in identifies and blocks web crawlers from accessing your websites.

Plug-in type

Security protection.

Fields

Field

Data type

Required

Default value

Description

allow

array of string

No

-

Regular expressions to match the User-Agent header. Matched requests are allowed.

deny

array of string

No

-

Regular expressions to match the User-Agent header. Matched requests are blocked.

blocked_code

number

No

403

The HTTP status code returned when a request is blocked.

blocked_message

string

No

-

The HTTP response body returned when a request is blocked.

Note

If neither the allow nor the deny field is configured, the default crawler identification logic is used. Use allow to exempt requests that match the default crawler rules, and deny to add custom crawler identification rules.

Examples

Allow requests that hit the default crawler identification logic

allow:
- ".*Go-http-client.*"

Without this configuration, requests from the Golang HTTP library are identified as crawlers and blocked.

Add crawler identification logic

deny:
- "spd-tools.*"

The following requests are blocked by this rule:

curl http://example.com -H 'User-Agent: spd-tools/1.1'
curl http://exmaple.com -H 'User-Agent: spd-tools'

Enable security protection rules for specific routes or domain names

Save the route-a and route-b routes with empty configuration data.

Apply the following plug-in configuration to the *.example.com and test.com domain names:

  allow:
  - ".*Go-http-client.*"
Note
  • route-a and route-b are routes specified when you create gateway routes. If a client request matches one of these routes, the built-in default rules are used to identify web crawlers.

  • *.example.com and test.com match domain names in requests. If a client request matches one of these domain names, the corresponding rules take effect.

  • Rules take effect in sequence. Once a rule is matched, subsequent rules are skipped.