Bot Detection and Blocking
Public-facing EDS API integrations must block bot traffic from generating EDS API requests. Customers should block bots on the front end via their own web application firewall (WAF). If you do not have a WAF or other means to block bots, you may opt in to having EBSCO block bots for you.
How to Opt-in
Customers who wish to have EBSCO block bots in their EDS API traffic must send four additional custom headers with every EDS API request:
- x-eis-enduser-user-agent
- x-eis-enduser-ip-address
- x-eis-vendor
- x-eis-vendor-version
See descriptions below for instructions regarding their values.
Request Headers
The four headers are grouped into two sets: end-user and vendor. The end-user headers will be used by our WAF in the detection and blocking of bots.
x-eis-enduser-user-agent
- The value supplied should be the original user agent string as provided by the user-agent header on the incoming request to your front-end application.
- Do not overwrite the user-agent header that your application may already send to EDS API with this value.
x-eis-enduser-ip-address
- The value supplied should be the originating external client IP belonging to the end-user as provided by the x-forwarded-for header received by your web application.
- Your application framework may provide the client IP by other means without manually parsing x-forwarded-for. Be sure that the IP supplied here does not belong to another system in your network that is proxying incoming requests (e.g., a load balancer).
The following vendor headers will help us determine the success rate of various implementations at bot detection and blocking.
x-eis-vendor
- The value supplied should be the name of the vendor and/or software library being used (e.g., VuFind). Do not send the name of the underlying HTTP client (e.g., Apache-HttpClient).
- If your EDS API implementation is a custom-built solution unique to your organization, your organization name or the name you give your application is sufficient.
x-eis-vendor-version
- Where applicable, supply the appropriate version (e.g., v4).
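One way an integration could assemble the four headers, shown as an added example rather than EBSCO or vendor code. The trusted proxy ranges, the function names and the sample addresses are assumptions; the x-forwarded-for chain is walked from right to left so that neither a load balancer address nor a client-supplied leftmost entry is reported as the end-user IP.

```python
import ipaddress

# Assumption: address ranges of your own load balancers / reverse proxies.
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12")]


def enduser_ip(xff, remote_addr, trusted=TRUSTED_PROXIES):
    """Return the first hop, counted from our side, that is not one of our proxies."""
    chain = [h.strip() for h in (xff or "").split(",") if h.strip()]
    chain.append(remote_addr)  # the socket peer is always the nearest hop
    for hop in reversed(chain):
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:
            return None  # malformed entry: do not trust anything to its left
        if not any(ip in net for net in trusted):
            return str(ip)
    return None  # every hop was one of our own proxies


def eds_bot_headers(incoming_headers, remote_addr, vendor, version,
                    trusted=TRUSTED_PROXIES):
    """Build the four opt-in headers from the request your front end received."""
    h = {k.lower(): v for k, v in incoming_headers.items()}
    ip = enduser_ip(h.get("x-forwarded-for"), remote_addr, trusted)
    if ip is None:
        raise ValueError("no usable end-user IP for x-eis-enduser-ip-address")
    return {
        # End-user's browser string, passed through unmodified.
        "x-eis-enduser-user-agent": h.get("user-agent", ""),
        "x-eis-enduser-ip-address": ip,
        "x-eis-vendor": vendor,
        "x-eis-vendor-version": version,
    }
```

Merge the returned dictionary into the headers of the outbound EDS API request alongside your application's own user-agent header, not in place of it.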
Frequently Asked Questions
My application implements robots.txt to block bots. Is this sufficient?
Unfortunately, no. While robots.txt is a great start, it is an honor system and leaves the decision up to the bot. More and more bots are ignoring robots.txt and crawling sites anyway.
Why is this data needed?
Due to the server-to-server nature of EDS API integrations, EBSCO’s web application firewall (WAF) is not provided sufficient data to distinguish bots from users in EDS API traffic. This is because, from EDS API’s perspective, all requests originate from your application which sits between the end-user and EDS API. By sending end-user information with your requests, EBSCO’s WAF can make informed decisions regarding bots accessing your application.
Do I have to send this data?
No. This is an optional service. However, those not sending this data to EDS API are expected to block bots from generating EDS API traffic.
What happens when a bot is detected?
Requests identified as bot traffic will receive an HTTP 406 response from our WAF.
Updated 7 days ago