DataDome provides nine response types:

🚧

Response usage

Allow, Timeboxing, and Rate Limiting responses can only be used for Verified Bots-associated rules and custom rules.

  • Allow
    When the AI rule or the custom rule response is set to Allow, the traffic to which the rule applies is allowed on your endpoint.

  • Timeboxing
    By setting an AI or custom rule to Timeboxing, you can fine-tune the responses applied to the traffic reaching your endpoints based on a specified time. This response enables you to select a time period (specific hours on specific days of the week) during which the traffic should be allowed, and select a CAPTCHA or block response for the remaining traffic not matching the specified time period.

Timeboxing can be applied to all good and commercial bot traffic and to custom rules.

  • Rate Limiting
    By setting an AI or custom rule to Rate Limiting, you can fine-tune the responses applied to the traffic reaching your endpoints based on the number of requests received during a specified period of time. This response enables you to define a volume threshold (by providing the value of the number of requests during a time period of either one hour or one day) below which the traffic should be allowed, and select a CAPTCHA or block response for the traffic that exceeds the volume threshold.

Once the selected period ends (at the end of a full hour or a day), the traffic will get allowed until it reaches the specified number of requests again and the CAPTCHA or block response is applied.

Rate Limiting can be applied to all good and commercial bot traffic and to custom rules.

  • Captcha
    When the AI rule or the custom rule response is set to Captcha, the CAPTCHA is displayed to the traffic to which the rule applies.

  • Block
    When the AI rule or the custom rule response is set to Block, the traffic to which the rule applies is completely blocked from accessing your endpoint. The block rule should be applied to protect an endpoint from any malicious human-generated traffic that would otherwise be able to bypass the CAPTCHA.

  • Custom
    When the response is set to Custom, the traffic to which the rule applies is enriched with a new HTTP header tag. With this header, you will be able to decide the business logic you would like to apply to those requests. For instance: You might decide to obfuscate some data on the page or send alternate content.

Note: The traffic to which the rule applies is allowed on your endpoint, so you need to be sure when you use this response type that your backend will correctly handle this tag.

  • Device Check
    When the response is set to Device Check, the traffic to which the rule applies is redirected to an interstitial page. The page is displayed by the requester for a short time, while its device and environment are verified, and redirects eventually to the requested resource only if the requester is legitimate.

How to change a rule response?

Go to the Access Control section and choose the right sub-page.

For example, if you want to change the response of a custom rule, head to Custom Rules, find the rule you want to update and click on the response selector to choose the response you wish to apply.