ESA provides two modes, Smart Mode and Professional Mode, to meet the security protection requirements of different business scenarios.
Requests blocked by bot rules are not charged and do not consume package quotas.
Use Smart Mode
Smart Mode is a bot and crawler management feature for entry-level users. It is available for all subscription plans, but some features may be subject to plan restrictions. Unlike Professional Mode, which requires professional expertise to configure complex rules, Smart Mode categorizes traffic into three types by default. You can manage bots by selecting an action for each category.
Configure global policies
In the ESA console, select Websites. In the Website column, click the target site.
In the navigation pane on the left, choose .
On the Bots page, select Smart Mode, configure the items as described below, and then click Configure.
Definite Bots: This category includes many malicious crawlers. Set the action to Block or Slider CAPTCHA.
Likely Bots: These requests have a lower risk than Definite Bots but may contain malicious crawlers and other traffic. Set the action to Monitor, or to Slider CAPTCHA during high-risk periods.
Verified Bots: This category usually includes crawlers from search engines that support your website's search engine optimization (SEO). Set the action to Allow. If you do not want any search engine crawlers to access your site, you can set the action to Block.
Configure bot detection for static resource requests
If you are on an Enterprise plan, you can configure protection for static resources against malicious bots.
If you enable static resource protection, normal bots that periodically obtain static resources, such as email clients, may be blocked. Enable this feature with caution.
Enable JavaScript detection
If you are on an Enterprise plan, you can use lightweight and invisible JavaScript detection to collect browser fingerprints and improve bot detection results.
Use Professional Mode
You can configure protection rulesets for specific requests to your site and set a separate effective period for each protection action. Professional Mode also protects mobile applications and lets you apply rulesets to other sites in your account. To configure a bot ruleset, follow these steps:
In the ESA console, select Websites. In the Website column, click the target site.
In the navigation pane on the left, choose .
On the Bots page, select Professional Mode, and click Create Ruleset.
Enter a Rule Set Name. Set Service Type to Browsers, and set SDK Integration to Automatic Integration (Recommended).
In the If requests match... section, configure a rule expression to match the requests that you want to filter. For example, to apply bot protection to requests from the Chinese mainland, configure the expression as (ip.geoip.country in {"CN"}). For more information about the supported fields, see available rule matching fields for Bots.
Select the protection actions to add.
For search engine bots:
Whitelists: Allow specific search engine bots that you trust.
Fake Crawler Interception: This feature blocks all search engine bots. You can use it with Legitimate Bot Management to allow only specific search engine bots.
For known bot libraries:
Bot Threat Intelligence Library: This is an IP address library of attack sources for malicious bots that are identified by Alibaba Cloud. You can enable Slider CAPTCHA to counter them.
IDC Blacklist Blocking: If your clients do not connect from public clouds or IDC data centers, you can use Data Center Blacklist to directly block requests from these sources.
For requests that need to be identified:
Identify bots through request characteristics: This feature identifies non-browser bots by comparing their access features with those of real user browsers.
Identify bots through request behavior: ESA analyzes traffic from clients, automatically trains a machine learning model, and generates protection rules or blacklists. You can then configure countermeasures based on the generated rules and blacklists.
Custom throttling: If you want to allow some bot requests but prevent them from accessing your site too frequently, you can limit the request rate from a specific IP address or session. A protection action is applied to requests that exceed a specified threshold.
In the Effective Time area, click Edit next to the relevant rule, set the effective period, and then click OK.
After you complete the configuration, click OK.
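To choose a threshold for Custom throttling before attaching a protection action, you can replay existing access records offline and see which clients would exceed it when counted per IP address and per session. The following Python script is an added example, not part of ESA or its documentation; the record layout, the sample data, and the function names are assumptions constructed for illustration.

```python
from collections import defaultdict, deque


def build_sample():
    """Constructed sample records (not real ESA log output).
    Each record is (epoch_seconds, client_ip, session_id)."""
    reqs = []
    # Shared office NAT: three users behind one IP, two requests each.
    for i, sess in enumerate(["s1", "s2", "s3"]):
        reqs += [(100 + i, "203.0.113.10", sess), (104 + i, "203.0.113.10", sess)]
    # One client, one session, eight requests in eight seconds.
    reqs += [(100 + i, "198.51.100.7", "s9") for i in range(8)]
    # One client that presents a new session on every request.
    reqs += [(100 + i, "192.0.2.55", f"r{i}") for i in range(8)]
    return reqs


def dry_run_throttle(requests, key, threshold, window_seconds):
    """Replay requests in time order with a sliding window.

    key is "ip" or "session". Returns {identifier: number of requests that
    exceeded `threshold` requests within `window_seconds`}, i.e. the requests
    a throttling rule with these settings would have acted on.
    """
    index = {"ip": 1, "session": 2}[key]
    recent = defaultdict(deque)   # identifier -> timestamps still in the window
    exceeded = defaultdict(int)
    for record in sorted(requests):
        ts, ident = record[0], record[index]
        window = recent[ident]
        # Drop timestamps that have aged out of the window.
        while window and window[0] <= ts - window_seconds:
            window.popleft()
        window.append(ts)
        if len(window) > threshold:
            exceeded[ident] += 1
    return dict(exceeded)


if __name__ == "__main__":
    sample = build_sample()
    for key in ("ip", "session"):
        print(key, dry_run_throttle(sample, key, threshold=5, window_seconds=10))
```

With the constructed data, counting per IP address also flags the shared NAT address, while counting per session misses the client that changes session on every request, so compare both views against your own traffic before you pick the throttling object and threshold.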