# Anti-Bot

{% hint style="success" %}
This feature is available exclusively with an open-appsec Premium subscription.
{% endhint %}

open-appsec's **Web Bots** engine aims to recognize whether incoming traffic to the protected web application originates from a human or from an automated script (such as a bot). In **Detect** mode suspected non-human activity is only logged; in **Prevent** mode it is blocked.

## How to set up open-appsec Anti-Bot

#### Step 1: Locate the exact URLs used by the login/registration forms of your web application

The Anti-Bot protection injects a script into the response to a "GET" request for the login/registration page. The script collects behavioral data while the user fills in the form, and that data is analyzed when the form is submitted with a "POST" request, to decide whether the submission came from a human.

A security administrator protecting a web application needs to request the following from the owner of the web application:

* All **URIs** used to access login/registration pages (via the GET method).
* All **URIs** used to POST the login/registration request/form.

{% hint style="warning" %}
The required data is URIs, not URLs: the relative path of the GET/POST request (for example `/account/login`), without the scheme and domain name.
{% endhint %}

Once the security administrator has both lists, the next steps are performed in the open-appsec portal.
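A quick way to produce the two lists from the login page's HTML is to resolve every `<form action>` against the page URL and keep only the path component. The script below is an added example, not open-appsec code; the page URL and HTML are constructed sample input, and it assumes that only the path (no query string) is what the Injected/Validated URI tables expect.

```python
"""Extract login/registration form URIs (paths, not full URLs) from an HTML page.

Added example, not part of open-appsec. Assumes the login page HTML has already
been fetched (a constructed sample is embedded below) and that the URI tables
take the path component only.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample: a login page served at https://example.com/account/login
PAGE_URL = "https://example.com/account/login"
SAMPLE_HTML = """
<html><body>
<form id="login" method="post" action="/api/v1/auth/login">
  <input name="user"><input name="pass" type="password">
</form>
<form id="register" method="POST" action="https://example.com/api/v1/auth/register?src=web">
  <input name="email">
</form>
<form id="search" method="get" action="/search"><input name="q"></form>
<form id="legacy" action="">  <!-- empty action: submits to the page URL; no method: GET -->
  <input name="x">
</form>
</body></html>
"""


class FormCollector(HTMLParser):
    """Collects (method, action) pairs for every <form> on the page."""

    def __init__(self):
        super().__init__()
        self.forms = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "form":
            return
        a = dict(attrs)
        method = (a.get("method") or "get").strip().lower()  # HTML default method is GET
        action = a.get("action") or ""                      # empty action = current page URL
        self.forms.append((method, action))


def to_uri(page_url, action):
    """Resolve a form action against the page URL and keep only the path:
    the URI form without scheme, host, or query string."""
    absolute = urljoin(page_url, action) if action else page_url
    return urlsplit(absolute).path or "/"


def collect_uris(page_url, html):
    """Return the two lists needed for the Anti-Bot practice:
    injected  = GET URI of the page itself (where the script is injected),
    validated = POST URIs of the forms found on that page."""
    parser = FormCollector()
    parser.feed(html)
    injected = {to_uri(page_url, "")}
    validated = set()
    for method, action in parser.forms:
        if method == "post":
            validated.add(to_uri(page_url, action))
        # GET forms (e.g. a search box) are not login/registration submissions; skipped.
    return sorted(injected), sorted(validated)


if __name__ == "__main__":
    inj, val = collect_uris(PAGE_URL, SAMPLE_HTML)
    print("Injected URIs (GET):", inj)
    print("Validated URIs (POST):", val)
```

Static parsing only finds classic HTML forms. If the login is submitted by JavaScript (fetch/XHR, as in most single-page applications), capture the actual POST path from the browser's network tools instead, and confirm the GET path with the application owner.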

#### Step 2: Browse to Assets and edit the Web Application asset

Once the asset edit window opens, select the "**Anti Bot**" tab and create a new "**Anti Bot**" practice.

<figure><img src="https://1225393248-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNcZmX14M2KdTBrq9EOnI%2Fuploads%2F1uze0TkbVlTKOgY1yLIY%2Fimage.png?alt=media&#x26;token=530bccc4-6b37-44d4-bd19-d22dd97306fa" alt=""><figcaption></figcaption></figure>

#### Step 3: Add the list of login/registration URIs to inject scripts and URIs to validate

Click on the '**+**' sign in each of the 2 URI tables and add:

* In the **Injected URIs** table - the login/registration "GET" URIs from step 1.
* In the **Validated URIs** table - the login/registration "POST" URIs from step 1.

#### Step 4: Make sure the Mode of the Web Bots sub-practice is as desired

Setting the Mode to **As Top Level** means the sub-practice inherits the primary mode of the practice.

Otherwise you can override the mode for this specific sub-practice only, to **Detect**, **Prevent** or **Disable**. Consider starting in **Detect** and reviewing the logs before switching to **Prevent**, since a missing or wrong URI in the tables means legitimate logins are not analyzed correctly.

#### Step 5: Enforce Policy

Click **Enforce** in the top banner of the open-appsec portal.
