Bot Detection power-up
Updated Dec 9, 2025
Overview
This power-up checks each incoming request for signs of bot activity. When enabled, it adds two headers to every request:
- X-Device-Bot (true or false).
- X-Device-Bot-Score (a score from 0 to 100).
The score helps you understand how suspicious the request is. A score between 50 and 75 means the request looks unusual, but we do not block it because the checked parameters do not fully confirm bot behavior. A score above 75 means all parameters match bot activity, and the request is blocked if blocking is enabled.
You can also create a Request Header variable in your server Google Tag Manager container to use these signals. This lets you filter out suspicious traffic or stop GA4 or other tags from firing when a request looks like bot traffic.
Benefits of Bot Detection
- Cleaner analytics data - spammy bot traffic can inflate metrics, leading to inaccurate conversion rates, referral reports, and audience insights. If you filter out these hits, your analytics reports will reflect more accurate and reliable data based on real users.
- Enhanced security and fraud prevention - malicious bots can drive fraudulent clicks or artificially inflate traffic. Blocking suspicious requests at the server level helps protect your marketing budget from wasted ad spend.
- Ease of setup and maintenance - implementing robust bot detection often requires custom coding or third-party solutions. But the Bot Detection power-up seamlessly integrates with your existing Stape’s sGTM services, allowing you to enable, configure, and maintain bot filtering in a single platform.
How to set up the Bot Detection power-up
1. Log in to your stape.io account.
2. Select your sGTM container on the dashboard.
3. Click Power-ups, then click the Use button next to the Bot Detection panel.
4. Toggle the Bot Detection switch.
5. Select one of the options:
- Add request headers - the power-up will add bot detection request headers to incoming HTTP requests.
- Block requests from bots - the power-up will filter out requests to vendors (e.g. GA4 /collect or Data Tag /data). If you select this option and are using Custom Loader, make sure to activate the Prevent web GTM load toggle to prevent web GTM load for bot/spam traffic.
6. Click Save changes.
7. The Bot Detection power-up has been configured on Stape. Here is an example of how to use the power-up’s data to filter the bot traffic in Google Tag Manager:
1) Create a Variable on the sGTM container with the type Request Header and enter the name X-Device-Bot.
2) Use this variable as an additional condition in your GA4 trigger configuration on the server (or any other triggers where you want to limit the impact of bot traffic).
Testing Bot Detection
To verify that the Bot Detection power-up works correctly: open the server Google Tag Manager container preview → go to the Request tab → click on Incoming HTTP Request → click Show More in the Request Headers section. If you see the X-Device-Bot headers, everything is working properly.
If you're using the Block requests from bots option, you can use the Stape Logs feature to see filtered requests. You can filter blocked requests in Stape Logs by the 403 status code.
Comments