---
title: Using system signals
summary: null
url: >-
  https://www.fastly.com/documentation/guides/next-gen-waf/signals/using-system-signals
---


The following information provides you with details about the various system signals:

* **Long name:** the name of the signal that you can use to verbally reference or describe it.
* **Short name:** the name of the signal that is applied to matched requests and that can be used to search within the control panel.
* **Usable in:** outlines where a signal can be used. The options are Lists, Rate Limit Rules, Request Rules, or Signal Exclusions. None indicates that the signal may be provided but cannot be used outside of its informational context.
* **Description:** an outline of what the signal means or what it indicates.

## Attacks

Attack signals are labels that describe malicious requests that contain attack payloads designed to hack, destroy, disable, steal, gain unauthorized access, and otherwise take harmful actions.

<!-- TableWithRowAnchors component: 

| Long name            | Short name   | Usable in | Description |
| -------------------- | ------------ | --------- | ----------- |
| Attack Tooling       | `USERAGENT`  | <ui><li>Lists</li><li>Rate Limit Rules</li><li>Request Rules</li><li>Signal Exclusion</li></ui> | Attack Tooling is the use of automated software to identify security vulnerabilities or to attempt to exploit a discovered vulnerability. |
| AWS SSRF             | `AWS-SSRF`   | <ui><li>Templated Rule</li></ui> | Server Side Request Forgery (SSRF) is a request which attempts to send requests made by the web application to target internal systems. AWS SSRF attacks use SSRF to obtain Amazon Web Services (AWS) keys and gain access to S3 buckets and their data. This signal is not included with the [Essential platform](https://docs.fastly.com/products/fastly-next-gen-waf#feature-availability). |
| Backdoor             | `BACKDOOR`   | <ui><li>Lists</li><li>Rate Limit Rules</li><li>Request Rules</li><li>Signal Exclusion</li></ui> | A backdoor signal is a request that attempts to determine if a common backdoor file exists on a system. The signal generally matches known backdoor filenames. Traditionally these filenames appear with PHP file extensions like `admin.php` and `r57.php`. However, when these paths return a 200 or a larger response than expected, it may indicate that a system has been compromised or is unknowingly hosting a backdoor file. |
| Command Execution    | `CMDEXE`     | <ui><li>Lists</li><li>Rate Limit Rules</li><li>Request Rules</li><li>Signal Exclusion</li></ui> | Command Execution is the attempt to gain control or damage a target system through arbitrary operating system commands. |
| Cross Site Scripting | `XSS`        | <ui><li>Lists</li><li>Rate Limit Rules</li><li>Request Rules</li><li>Signal Exclusion</li></ui> | Cross-Site Scripting is the attempt to hijack a person's account or web-browsing session through malicious JavaScript code. |
| Directory Traversal  | `TRAVERSAL`  | <ui><li>Lists</li><li>Rate Limit Rules</li><li>Request Rules</li><li>Signal Exclusion</li></ui> | Directory Traversal is the attempt to navigate privileged folders throughout a system in hopes of obtaining sensitive information. |
| Log4J JNDI           | `LOG4J-JNDI` | <ui><li>Lists</li><li>Rate Limit Rules</li><li>Request Rules</li><li>Signal Exclusion</li></ui> | Log4J JNDI attacks attempt to exploit the [Log4Shell vulnerability](https://en.wikipedia.org/wiki/Log4Shell) present in Log4J versions earlier than 2.16.0. |
| SQL Injection        | `SQLI`       | <ui><li>Lists</li><li>Rate Limit Rules</li><li>Request Rules</li><li>Signal Exclusion</li></ui> | SQL Injection is the attempt to gain access to an application or obtain privileged information by executing arbitrary database queries. |

 -->

## Anomalies

Anomaly signals are labels that describe abnormal requests. While not inherently malicious, abnormal requests may be indicative of unwanted or abusive traffic. Examples include malformed request data and requests originating from known scanners.

<!-- TableWithRowAnchors component: 

| Long name                               | Short name                                | Usable in | Description |
| --------------------------------------- | ----------------------------------------- | --------- | ----------- |
| Abnormal Path                           | `ABNORMALPATH`                            | <ui><li>Lists</li><li>Rate Limit Rules</li><li>Request Rules</li><li>Signal Exclusion</li></ui> | Abnormal Path indicates the original path differs from the normalized path (e.g., `/foo/./bar` is normalized to `/foo/bar`). |
| API Spec Mismatch |  `API-SPEC-MISMATCH` | <ui><li>Lists</li><li>Rate Limit Rules</li><li>Request Rules</li><li>Signal Exclusion</li></ui> | Indicates a request that deviates from a provided API specification. This signal is only compatible with [OpenAPI Specification v3.0](https://spec.openapis.org/oas/v3.0.0.html) and available to [On-Prem WAF deployments](https://docs.fastly.com/products/fastly-next-gen-waf#deployment-types) of Next-Gen WAF. Contact your account manager or email [sales@fastly.com](mailto:sales@fastly.com) to activate this feature. |
| Bad Hop Headers                         | `BHH`                                     | <ui><li>Lists</li><li>Rate Limit Rules</li><li>Request Rules</li><li>Signal Exclusion</li></ui> | Bad Hop Headers indicate an HTTP smuggling attempt through either a malformed Transfer-Encoding (TE) or Content-Length (CL) header, or a well-formed TE and CL header. This signal is only available to [On-Prem WAF and Cloud WAF deployments](https://docs.fastly.com/products/fastly-next-gen-waf#deployment-types). |
| Blocked Requests                        | `BLOCKED`                                 | None | Requests blocked by the Next-Gen WAF |
| Code Injection PHP                      | `CODEINJECTION`                           | <ui><li>Lists</li><li>Rate Limit Rules</li><li>Request Rules</li><li>Signal Exclusion</li></ui> | Code Injection is the attempt to gain control or damage a target system through arbitrary application code commands. |
| Compression Detected                    | `COMPRESSED`                              | <ui><li>Lists</li><li>Rate Limit Rules</li><li>Request Rules</li><li>Signal Exclusion</li></ui>| The POST request body is compressed and cannot be inspected. For example, if a `Content-Encoding: gzip` request header is specified and the POST body is not plain text. |
| Deception Response | `DECEPTION` | None | Indicates a request where the Next-Gen WAF returned a [deceptive response](/guides/next-gen-waf/rules/using-the-deception-action). This signal is only available to customers with Edge WAF deployments but is not available for the [Essential or Professional platforms](https://docs.fastly.com/products/fastly-next-gen-waf#feature-availability). |
| Fastly Unknown Backend                  | `FASTLY-UNKNOWN-BACKEND`                  | | Indicates a request to a backend that does not exist in the [Edge WAF](/guides/next-gen-waf/setup-and-configuration/edge-deployment/getting-started-with-the-edge-waf). |
| Forceful Browsing                       | `FORCEFULBROWSING`                        | <ui><li>Signal Exclusion</li></ui> | Forceful Browsing is the failed attempt to access admin pages. |
| GraphQL Duplicate Variables             | `GRAPHQL-DUPLICATE-VARIABLES`             | <ui><li>Lists</li><li>Rate Limit Rules</li><li>Request Rules</li><li>Signal Exclusion</li></ui> | Indicates a GraphQL request that contains duplicated variables. |
| GraphQL Max Depth                       | `GRAPHQL-DEPTH`                           | <ui><li>Lists</li><li>Rate Limit Rules</li><li>Request Rules</li><li>Signal Exclusion</li></ui> | Indicates a request has reached or exceeded the maximum depth allowed on the server for GraphQL API queries. |
| GraphQL Missing Required Operation Name | `GRAPHQL-MISSING-REQUIRED-OPERATION-NAME` | <ui><li>Lists</li><li>Rate Limit Rules</li><li>Request Rules</li><li>Signal Exclusion</li></ui> | Indicates a request has multiple GraphQL operations but does not define which operation to execute. |
| GraphQL Syntax                          | `GRAPHQL-SYNTAX`                          | <ui><li>Lists</li><li>Rate Limit Rules</li><li>Request Rules</li><li>Signal Exclusion</li></ui> | Indicates a request that contains invalid GraphQL syntax. This may be related to a programming error or a malicious request. |
| GraphQL Undefined Variable              | `GRAPHQL-UNDEFINED-VARIABLES`             | <ui><li>Lists</li><li>Rate Limit Rules</li><li>Request Rules</li><li>Signal Exclusion</li></ui> | Indicates a request made to a GraphQL API containing more variables than expected by a function. This can be used to obfuscate malicious requests. |
| HTTP 403 Errors                         | `HTTP403`                                 | <ui><li>Signal Exclusion</li></ui> | Forbidden. This is commonly seen when the request for a url has been protected by the server's configuration. |
| HTTP 404 Errors                         | `HTTP404`                                 | <ui><li>Signal Exclusion</li></ui> | Not Found. This is commonly seen when the request for a page or asset does not exist or cannot be found by the server. |
| HTTP 429 Errors                         | `HTTP429`                                 | <ui><li>Signal Exclusion</li></ui> | Too Many Requests. This is commonly seen when rate-limiting is used to slow down the number of active connections to a server. |
| HTTP 4XX Errors                         | `HTTP4XX`                                 | <ui><li>Signal Exclusion</li></ui> | 4xx Status Codes commonly refer to client request errors. |
| HTTP 500 Errors                         | `HTTP500`                                 | <ui><li>Signal Exclusion</li></ui> | Internal Server Error. This is commonly seen when a request generates an unhandled application error. |
| HTTP 503 Errors                         | `HTTP503`                                 | <ui><li>Signal Exclusion</li></ui> | Service Unavailable. This is commonly seen when a web service is overloaded or sometimes taken down for maintenance. |
| HTTP 5XX Errors                         | `HTTP5XX`                                 | <ui><li>Signal Exclusion</li></ui> | 5xx Status Codes commonly refer to server related issues. |
| HTTP Response Splitting                 | `RESPONSESPLIT`                           | <ui><li>Lists</li><li>Rate Limit Rules</li><li>Request Rules</li><li>Signal Exclusion</li></ui> | Identifies when CRLF characters are submitted as input to the application to inject headers into the HTTP response. |
| Insecure Authentication/Authorization   | `INSECURE-AUTH`                           | <ui><li>Lists</li><li>Rate Limit Rules</li><li>Request Rules</li><li>Signal Exclusion</li></ui> | Insecure Authentication/Authorization, such as using JSON Web Tokens with the None Algorithm. |
| Invalid Encoding                        | `NOTUTF8`                                 | <ui><li>Lists</li><li>Rate Limit Rules</li><li>Request Rules</li><li>Signal Exclusion</li></ui> | Invalid Encoding can cause the server to translate malicious characters from a request into a response, causing either a denial of service or XSS. |
| Malformed Data in the request body      | `MALFORMED-DATA`                          | <ui><li>Lists</li><li>Rate Limit Rules</li><li>Request Rules</li><li>Signal Exclusion</li></ui> | A POST, PUT or PATCH request body that is malformed according to the `Content-Type` request header. For example, if a `Content-Type: application/x-www-form-urlencoded` request header is specified and contains a POST body that is json. This is often a programming error, automated or malicious request. |
| Malicious IP Traffic                    | `SANS`                                    | <ui><li>Lists</li><li>Rate Limit Rules</li><li>Request Rules</li><li>Signal Exclusion</li></ui> | The regularly imported [SANS Internet Storm Center](https://isc.sans.edu/) list of IP addresses that have been reported to have engaged in malicious activity. |
| SigSci Malicious IPs                    | `SIGSCI-IP`                               | <ui><li>Lists</li><li>Rate Limit Rules</li><li>Request Rules</li><li>Signal Exclusion</li></ui> | Whenever an IP is flagged due to a malicious signal by our decision engine, that IP will be propagated to all customers. We then log subsequent requests from those IP addresses that contain any additional signal for the duration of the flag. |
| Missing `Content-Type` request header   | `NO-CONTENT-TYPE`                         | <ui><li>Lists</li><li>Rate Limit Rules</li><li>Request Rules</li><li>Signal Exclusion</li></ui> | A POST, PUT or PATCH request that does not have a `Content-Type` request header. By default application servers should assume `Content-Type: text/plain; charset=us-ascii` in this case. Many automated and malicious requests may be missing `Content Type`. |
| No User Agent                           | `NOUA`                                    | <ui><li>Lists</li><li>Rate Limit Rules</li><li>Request Rules</li><li>Signal Exclusion</li></ui> | Indicates a request contained no `User-Agent` header or the header value was not set. |
| Null Byte                               | `NULLBYTE`                                | <ui><li>Lists</li><li>Rate Limit Rules</li><li>Request Rules</li><li>Signal Exclusion</li></ui> | Null bytes do not normally appear in a request and indicate the request is malformed and potentially malicious. |
| Out-of-Band Domain                      | `OOB-DOMAIN` | <ui><li>Lists</li><li>Rate Limit Rules</li><li>Request Rules</li><li>Signal Exclusion</li></ui>  | Out-of-Band domains are generally used during penetration testing to identify vulnerabilities in which network access is allowed. |
| Private Files                           | `PRIVATEFILE`                             | <ui><li>Lists</li><li>Rate Limit Rules</li><li>Request Rules</li><li>Signal Exclusion</li></ui> | Private files are usually confidential in nature, such as an Apache .htaccess file, or a configuration file which could leak sensitive information. |
| Rate limited Request                    | `rate-limit`                              | None                                                                                            | Identifies requests that have crossed the threshold of a rate limit rule. |
| Scanner                                 | `SCANNER`                                 | <ui><li>Lists</li><li>Rate Limit Rules</li><li>Request Rules</li><li>Signal Exclusion</li></ui> | Identifies popular scanning services and tools |
| SearchBot Impostor                      | `IMPOSTOR`                                | <ui><li>Templated Rule</li></ui> | Search bot impostor is someone pretending to be a Google or Bing search bot, but who is not legitimate. Do not use this signal as an indicator of malicious intent. |

 -->

## Bots

Bot signals are labels that describe suspected and verified bot requests.

> **IMPORTANT:** Unless noted otherwise in the signal description, bot signals are only available to [Edge WAF deployments](/guides/next-gen-waf/setup-and-configuration/about-deploying-the-next-gen-waf#about-edge-waf-deployment).

<!-- TableWithRowAnchors component: 

| Long name            | Short name   | Usable in | Description |
| -------------------- | ------------ | --------- | ----------- |
| Accessibility | `VERIFIED-BOT.ACCESSIBILITY` | <ui><li>Lists</li><li>Rate Limit Rules</li><li>Request Rules</li><li>Signal Exclusion</li></ui> | Tools that make content accessible (e.g., screen readers). |
| Challenge Token Invalid | `CHALLENGE-TOKEN-INVALID` | <ui><li>Lists</li><li>Rate Limit Rules</li><li>Request Rules</li><li>Signal Exclusion</li></ui> | Indicates a request that did not include a valid [bot challenge](/guides/security/bot-management/client-challenges/about-client-challenges) token. |
| Challenge Token Valid | `CHALLENGE-TOKEN-VALID` | <ui><li>Lists</li><li>Rate Limit Rules</li><li>Request Rules</li><li>Signal Exclusion</li></ui> | Indicates a request that included a valid [bot challenge](/guides/security/bot-management/client-challenges/about-client-challenges) token. |
| Challenged Request | `CHALLENGED` | None | Indicates a request that was issued a client challenge by the Next-Gen WAF. |
| Client-side Cookie Valid | `CLIENTSIDE-COOKIE-VALID` | <ui><li>Rate Limit Rules</li><li>Request Rules</li><li>Signal Exclusion</li></ui> | Indicates a request has a valid client-side detection cookie set by [advanced client-side detections](/guides/security/bot-management/using-advanced-client-side-detections). This signal is only available to [Edge WAF](/guides/next-gen-waf/setup-and-configuration/about-deploying-the-next-gen-waf#about-edge-waf-deployment) and [On-Prem WAF](/guides/next-gen-waf/setup-and-configuration/about-deploying-the-next-gen-waf#about-on-prem-waf-deployment) deployments. |
| Compromised Password | `COMPROMISED-PASSWORD` | <ui><li>Lists</li><li>Rate Limit Rules</li><li>Request Rules</li><li>Signal Exclusion</li></ui> | Indicates that a request body includes a compromised password that has been previously revealed in a data breach. This signal is automatically enabled when either the [Login or Registration Attempt signals are enabled](/guides/next-gen-waf/signals/configuring-system-signals/#ato-and-api-signals). Requires dynamic backends to be configured. |
| Content Fetcher | `VERIFIED-BOT.CONTENT-FETCHER` | <ui><li>Lists</li><li>Rate Limit Rules</li><li>Request Rules</li><li>Signal Exclusion</li></ui> | Tools that extract content from websites to be used elsewhere. |
| Monitoring & Site Tools | `VERIFIED-BOT.MONITORING-SITE-TOOLS` | <ui><li>Lists</li><li>Rate Limit Rules</li><li>Request Rules</li><li>Signal Exclusion</li></ui> | Tools that access your website to monitor things like performance, uptime, and proving domain control. |
| Online Marketing | `VERIFIED-BOT.ONLINE-MARKETING` | <ui><li>Lists</li><li>Rate Limit Rules</li><li>Request Rules</li><li>Signal Exclusion</li></ui> | Crawlers from online marketing platforms (e.g., Facebook, Pinterest). |
| Page Preview | `VERIFIED-BOT.PAGE-PREVIEW` | <ui><li>Lists</li><li>Rate Limit Rules</li><li>Request Rules</li><li>Signal Exclusion</li></ui> | Tools that access your website to show a preview of the page, in other online services, and social media platforms. |
| Platform Integrations | `VERIFIED-BOT.PLATFORM-INTEGRATIONS` | <ui><li>Lists</li><li>Rate Limit Rules</li><li>Request Rules</li><li>Signal Exclusion</li></ui> | Integration with other platforms by accessing the website's API, notably Webhooks. |
| Research | `VERIFIED-BOT.RESEARCH` | <ui><li>Lists</li><li>Rate Limit Rules</li><li>Request Rules</li><li>Signal Exclusion</li></ui> | Commercial and academic tools that collect and analyze data for research purposes. |
| Search Engine Crawler | `VERIFIED-BOT.SEARCH-ENGINE-CRAWLER` | <ui><li>Lists</li><li>Rate Limit Rules</li><li>Request Rules</li><li>Signal Exclusion</li></ui> | Crawlers that index your website for search engines. |
| Search Engine Optimization | `VERIFIED-BOT.SEARCH-ENGINE-OPTIMIZATION` | <ui><li>Lists</li><li>Rate Limit Rules</li><li>Request Rules</li><li>Signal Exclusion</li></ui> | Tools that support search engine optimization tasks (e.g., link analysis, ranking). |
| Security Tools | `VERIFIED-BOT.SECURITY-TOOLS` | <ui><li>Lists</li><li>Rate Limit Rules</li><li>Request Rules</li><li>Signal Exclusion</li></ui> | Security analysis tools that inspect your website for vulnerabilities, misconfigurations and other security features. |
| Suspected Bad Bot | `SUSPECTED-BAD-BOT` | <ui><li>Lists</li><li>Rate Limit Rules</li><li>Request Rules</li><li>Signal Exclusion</li></ui> | Indicates a request that is suspected of being a bad bot. This signal is only available to [Edge WAF](/guides/next-gen-waf/setup-and-configuration/about-deploying-the-next-gen-waf#about-edge-waf-deployment) and [On-Prem WAF](/guides/next-gen-waf/setup-and-configuration/about-deploying-the-next-gen-waf#about-on-prem-waf-deployment) deployments. |
| Suspected Bad Bot (Headless) | `SUSPECTED-BAD-BOT.HEADLESS` | <ui><li>Lists</li><li>Rate Limit Rules</li><li>Request Rules</li><li>Signal Exclusion</li></ui> | Indicates a request that is suspected of being a headless bad bot. This signal is only available to [Edge WAF](/guides/next-gen-waf/setup-and-configuration/about-deploying-the-next-gen-waf#about-edge-waf-deployment) deployments. |
| Suspected Bot | `SUSPECTED-BOT` | <ui><li>Rate Limit Rules</li><li>Request Rules</li><li>Signal Exclusion</li></ui> | Indicates a request that is suspected of being a bot. This signal is only available to [Edge WAF](/guides/next-gen-waf/setup-and-configuration/about-deploying-the-next-gen-waf#about-edge-waf-deployment) and [On-Prem WAF](/guides/next-gen-waf/setup-and-configuration/about-deploying-the-next-gen-waf#about-on-prem-waf-deployment) deployments. |
| Suspected Bot (AI Crawler) | `SUSPECTED-BOT.AI-CRAWLER` | <ui><li>Lists</li><li>Rate Limit Rules</li><li>Request Rules</li><li>Signal Exclusion</li></ui> | Indicates a request that is suspected of being an AI/LLM crawler bot. These bots are generally used for building AI models or indexes. |
| Suspected Bot (AI Fetcher) | `SUSPECTED-BOT.AI-FETCHER` | <ui><li>Lists</li><li>Rate Limit Rules</li><li>Request Rules</li><li>Signal Exclusion</li></ui> | Indicates a request that is suspected of being a bot used for used by AIs and LLMs for enriching results in response to a user query. |
| Suspected Bot (Headless) | `SUSPECTED-BOT.HEADLESS` | <ui><li>Rate Limit Rules</li><li>Request Rules</li><li>Signal Exclusion</li></ui> | Indicates a request that is suspected of being a headless bot. This signal is only available to [Edge WAF](/guides/next-gen-waf/setup-and-configuration/about-deploying-the-next-gen-waf#about-edge-waf-deployment) deployments. |
| Verified Bot (AI Crawler) | `VERIFIED-BOT.AI-CRAWLER` | <ui><li>Lists</li><li>Rate Limit Rules</li><li>Request Rules</li><li>Signal Exclusion</li></ui> | Crawlers used for training AIs and LLMs. These bots are generally used for building AI models or indexes. |
| Verified Bot (AI Fetcher) | `VERIFIED-BOT.AI-FETCHER` | <ui><li>Lists</li><li>Rate Limit Rules</li><li>Request Rules</li><li>Signal Exclusion</li></ui> | Fetcher used for AIs and LLMs. for enriching results in response to a user query. |

 -->

## Informational

Informational signals are labels that describe common request properties that aren't malicious or abnormal.

<!-- TableWithRowAnchors component: 

| Long name                               | Short name                                | Usable in | Description |
| --------------------------------------- | ----------------------------------------- | --------- | ----------- |
| Allowed Requests                     | `ALLOWED`                              | <ui><li>Lists</li><li>Rate Limit Rules</li><li>Request Rules</li><li>Signal Exclusion</li></ui> | Indicates a request that is allowed due to a rule with an allow action. Requests with this signal are never blocked. |
| Bot Analysis                            | `BOT-ANALYSIS`                            | None | Indicates a request that was analyzed for bots. |
| Datacenter Traffic                      | `DATACENTER`                              | <ui><li>Lists</li><li>Rate Limit Rules</li><li>Request Rules</li><li>Signal Exclusion</li></ui> | Indicates the request originated from a known cloud, hosting, or data center network. While this traffic is less likely to represent typical residential or mobile end user browsing, it can include legitimate use cases like a VPN. |
| Double Encoding                         | `DOUBLEENCODING`                          | <ui><li>Lists</li><li>Rate Limit Rules</li><li>Request Rules</li><li>Signal Exclusion</li></ui> | Double Encoding checks for the evasion technique of double encoding HTML characters. |
| Fail Open | `FAIL-OPEN` | <ui><li>Lists</li><li>Rate Limit Rules</li><li>Request Rules</li><li>Signal Exclusion</li></ui> | Indicates a request was allowed because the WAF failed open. |
| GraphQL API Query                       | `GRAPHQL-API`                             | <ui><li>Lists</li><li>Rate Limit Rules</li><li>Request Rules</li><li>Signal Exclusion</li></ui> | Indicates a GraphQL API request. |
| GraphQL IDE                             | `GRAPHQL-IDE`                             | <ui><li>Rate Limit Rules</li><li>Request Rules</li></ui> | Indicates a request originating from a GraphQL Interactive Development Environment (IDE). |
| GraphQL Introspection                   | `GRAPHQL-INTROSPECTION`                   | <ui><li>Lists</li><li>Rate Limit Rules</li><li>Request Rules</li><li>Signal Exclusion</li></ui> | Indicates an attempt to obtain the schema of a GraphQL API. The schema can be used to identify which resources are available, informing subsequent attacks. |
| JSON Encoding Error                     | `JSON-ERROR`                              | <ui><li>Signal Exclusion</li></ui> | A POST, PUT, or PATCH request body that is specified as containing JSON within the `Content-Type` request header but contains JSON parsing errors. This is often related to a programming error or an automated or malicious request. |
| Site Flagged IP                         | `SITE-FLAGGED-IP`                         | <ui><li>Lists</li><li>Rate Limit Rules</li><li>Request Rules</li><li>Signal Exclusion</li></ui> | Indicates a request was received from an IP that was flagged for exceeding attack thresholds for a specific site (also known as workspace). This signal is not included with the [Essential or Professional platforms](https://docs.fastly.com/products/fastly-next-gen-waf#feature-availability). |
| Tor Traffic                             | `TORNODE`                                 | <ui><li>Lists</li><li>Rate Limit Rules</li><li>Request Rules</li><li>Signal Exclusion</li></ui> | Tor is software that anonymizes and conceals location, activity, and IP address information when browsing the internet. A spike in Tor traffic can indicate an attacker trying to mask their location. |
| Weak TLS                                | `WEAKTLS`                                 | <ui><li>Signal Exclusion</li></ui> | Weak TLS. A web server's configuration allows SSL/TLS connections to be established with an obsolete cipher suite or protocol version. This signal is based on inspecting a small percent of requests. Also, some architectures and Signal Sciences' language SDK modules do not support this signal. |
| XML Encoding Error                      | `XML-ERROR`                               | <ui><li>Signal Exclusion</li></ui> | A POST, PUT, or PATCH request body that is specified as containing XML within the `Content-Type` request header but contains XML parsing errors. This is often related to a programming error or an automated or malicious request. |

 -->

## Related content

* [About signals](/guides/next-gen-waf/signals/about-signals)
* [Using an API with the Next-Gen WAF](/guides/next-gen-waf/developer/using-an-api-with-the-next-gen-waf)