---
title: X-SigSci-* request headers
summary: null
url: >-
  https://www.fastly.com/documentation/guides/next-gen-waf/developer/x-sigsci-headers
---


`X-SigSci-*` headers are added to incoming requests. The end user (your customers) can't see them. However, your internal application can use these headers for various integrations.

## Limitations and considerations

Keep in mind the following:

* Don't manipulate the `x-fastly-ngwaf` header, as this header is not intended for customer usage.
* If you are using the module-agent deployment method, your deployment module may alter the case of header names (e.g., `X-SigSci-AgentResponse` may appear as `X-Sigsci-Agentresponse`).

## Headers that are automatically added

The Next-Gen WAF automatically adds the following `X-SigSci-` headers to requests:

| Header | Description | Deployment type |
|---|---|---|
| `X-SigSci-AgentResponse` | A [code](/guides/next-gen-waf/agent-response-codes/about-agent-response-codes) that indicates the Next-Gen WAF agent's decision to allow or block a request to your web application. The 200 agent response code indicates the request should be allowed, and agent response codes greater than or equal to 301 indicate the request should be blocked. | Edge WAF <br /><br />On-Prem WAF |
| `X-SigSci-EdgeModule` | The `edgemodule` version of your Edge WAF deployment and whether dynamic backends are enabled (e.g., `vcl 2.7.0;backendtoken`). | Edge WAF |
| `X-SigSci-RequestID` | A request ID used to uniquely identify a request. Not all requests will be assigned an ID. | All |
| `X-SigSci-Tags` | A CSV string of comma-separated signals that are associated with a request. The header includes both [system and custom signals](/guides/next-gen-waf/signals/about-signals/) (e.g., `SQLI, XSS, NOUA, TOR, SITE.CUSTOM-SIGNAL`). | All |
| `X-SigSci-Decision-MS` | The time the WAF takes to enrich a request with headers and potentially block it. This header can only be used in [VCL](/guides/full-site-delivery/caching/manipulating-the-cache-key).| Edge WAF |

## Adding headers to customize inspection for Edge WAF deployments

If you have an [Edge WAF](/guides/next-gen-waf/setup-and-configuration/about-deploying-the-next-gen-waf#about-edge-waf-deployment) deployment, you can use `X-SigSci-*` headers to customize when the Next-Gen WAF inspects traffic.

### Forcing inspection

When testing your Next-Gen WAF deployment, you can use the curl command line tool to force the Next-Gen WAF to inspect a request by adding the `x-sigsci-force-inspection` header to the request:

```term copy
$ curl ${REQUEST_URL} -H 'x-sigsci-force-inspection: true'
```

### Disabling inspection

The `x-sigsci-no-inspection` header prevents the Next-Gen WAF from inspecting requests that meet user-defined conditions. For example, you can use this header to bypass the WAF and allow traffic to access static content.

To disable inspection for select requests, add the `x-sigsci-no-inspection` header to your service and then associate a condition to the title:

1. <Partial name='step-login' inline />
1. <Partial name='step-select-service' inline />
1. <Partial name='step-click-edit' inline />
1. <Partial name='step-click-content-tab' inline />
1. In the **Headers** area, click **Create a header**.

   ![Create x-sigsci-no-inspection header](/img/ngwaf/create-x-sigsci-no-inspection-header.png)

1. Fill out the **Create a header** fields as follows:
   * In the **Name** field, enter `x-sigsci-no-inspection`.
   * From the **Type** menu, select **Request**, and from the **Action** menu, select **Set**.
   * In the **Destination** field, enter `http.x-sigsci-no-inspection`.
   * In the **Source** field, enter `true`.
   * From the **Ignore if set** menu, select **No**.
   * In the **Priority** field, enter the order the header rules execute.
1. Click **Create**.
1. In the **Headers** area, click **Attach a condition** next to the `x-sigsci-no-inspection` header.

   ![Create request condition for the x-sigsci-no-inspection header](/img/ngwaf/create-no-inspection-condition.png)

1. Fill out the **Create a new response condition** fields as follows:
   * In the **Name** field, enter a descriptive name for the new condition (for example, `x-sigsci-no-inspection condition`).
   * In the **Apply if** field, enter the appropriate request condition that will be applied. For example, `req.url.ext ~ "(?i)^(html|css|js|gif|png|jpg|jpeg|svg|woff|woff2|ttf|eot|otf)$"` disables inspection for requests with a static file extension.
1. Click **Save and apply to**. The new condition for the header is created.
1. <Partial name='step-activate-deploy' inline />

### Skipping initial inspection

The `x-sigsci-skip-inspection-once` header tells the Next-Gen WAF to skip initial inspection and only inspect requests when the `vcl_miss` or `vcl_pass` [subroutines](/reference/vcl/request-lifecycle) are called. Adding this header is helpful when you want an additional security integration to handle [preflight requests](https://developer.mozilla.org/en-US/docs/Glossary/Preflight_request) and then the Next-Gen WAF to inspect the request.

To skip initial inspection, add the `x-sigsci-skip-inspection-once` header to your service and then associate a condition to the title:

1. <Partial name='step-login' inline />
1. <Partial name='step-select-service' inline />
1. <Partial name='step-click-edit' inline />
1. <Partial name='step-click-content-tab' inline />
1. In the **Headers** area, click **Create a header**.

   ![Create x-sigsci-skip-inspection-once header](/img/ngwaf/create-x-sigsci-skip-inspection-once-header.png)

1. Fill out the **Create a header** fields as follows:
   * In the **Name** field, enter `x-sigsci-skip-inspection-once`.
   * From the **Type** menu, select **Request**, and from the **Action** menu, select **Set**.
   * In the **Destination** field, enter `http.x-sigsci-skip-inspection-once`.
   * In the **Source** field, enter `true`.
   * From the **Ignore if set** menu, select **No**.
   * In the **Priority** field, enter the order the header rules execute.
1. Click **Create**.
1. In the **Headers** area, click **Attach a condition** next to the `x-sigsci-skip-inspection-once` header.

   ![Create request condition for the x-sigsci-skip-inspection-once header](/img/ngwaf/create-skip-inspection-condition.png)

1. Fill out the **Create a new response condition** fields as follows:
   * In the **Name** field, enter a descriptive name for the new condition (for example, `x-sigsci-skip-inspection-once condition`).
   * In the **Apply if** field, enter the appropriate request condition that will be applied. For example, enter `req.restarts < 1 && req.url.path ~ "skip-waf-once"` to restart inspection of requests with the `skip-waf-once` path. The restart condition enables preflight requests to enrich a request before being sent to the Next-Gen WAF and origin.
1. Click **Save and apply to**. The new condition for the header is created.
1. <Partial name='step-activate-deploy' inline />


## Related content

* [About Edge WAF deployment](/guides/next-gen-waf/setup-and-configuration/about-deploying-the-next-gen-waf#about-edge-waf-deployment)