/Documentation
Contact supportStape.io

Bot Detection power-up

Updated May 1, 2026

The Bot Detection power-up checks each incoming request for signs of bot activity. When enabled, it adds two headers to every request:

  • X-Device-Bot (true or false) 
  • X-Device-Bot-Score (a score from 0 to 100) 

With this power-up you can identify and act on suspicious traffic directly in your sGTM container.

Bot Detection is available on the Pro subscription plan and higher. To check your current plan or upgrade, go to your sGTM container settings.

How to set up Bot Detection

1. Log in to your Stape account and select your sGTM container from the dashboard.

select your sGTM container from the dashboard

2. Go to Power-ups and click Use next to the Bot Detection panel.

Bot Detection panel.

3. Toggle the Bot Detection switch to enable it.

Toggle the Bot Detection switch

4. Select one of the options:

  • Add request headers - the power-up adds bot detection headers to incoming HTTP requests.
  • Block requests from bots - the power-up blocks bot requests to /collect (GA4) and /data (Data Tag) paths. If you use Custom Loader, enable the Block web GTM load toggle to stop web GTM from loading for bot and spam traffic.

5. Click Save changes.

lick Save changes

6. Create a User-Defined Variable in the sGTM container with the type Request Header and enter the name X-Device-Bot.

enter the name X-Device-Bot

7. Add this variable as an additional condition to your GA4 trigger, or any other trigger where you want to reduce the impact of bot traffic.

Add this variable as an additional condition to your GA4 trigger

A score between 50 and 75 means the request looks unusual but doesn’t fully confirm bot behavior, so it isn’t blocked. A score above 75 means all checked parameters match bot activity, and the request is blocked if the Block requests from bots option is enabled.

Testing

Add request headers option: 

1. Open the sGTM container preview. 

2. Go to the Request tab → click Incoming HTTP Request

Incoming HTTP Request

3. If X-Device-Bot headers are present in the Request Headers section, the power-up is working correctly.

f X-Device-Bot headers are present in the Request Headers section, the power-up is working correctly.

Block requests from bots option

Use the Stape Logs feature and filter by the 403 status code to see which requests were blocked.

Block requests from bots option

Use case

A sample scenario is an eCommerce store running paid search campaigns that show healthy traffic volume but consistently underperform on ROAS. Session counts are high, bounce rates look normal, but revenue isn’t growing in proportion. The issue is that a significant share of recorded sessions comes from bots, which inflates traffic metrics and dilutes engagement rates.

You can identify this problem and fix it this way:

  • In GA4, compare your session volume against your orders for the same period. If your conversion rate is significantly lower than your industry benchmark, and your average session duration looks unusually short across a large share of sessions, bot traffic is likely polluting your data.
  • Enable the Bot Detection power-up and create a Request Header variable in sGTM with the Header Name X-Device-Bot. Add this variable as an exception condition on your GA4 triggers so that events from requests where X-Device-Bot is true aren’t forwarded to GA4 or your ad platforms.
  • Monitor your key metrics over the following 2-4 weeks and compare them against the baseline period.

If bot traffic was previously distorting your data, you should see your conversion rate increase, and average session quality improve.

If most bot traffic originates from a specific country and you have no real visitors there, you can configure Cloudflare to challenge requests from that country.

1. In your Cloudflare account, go to your domain → SecuritySecurity rules → click Create rule → select Custom rules.

Custom rules

2. Configure the rule:

  • Rule name - enter a descriptive name.
  • Field - Country.
  • Operator - equals.
  • Value - select the country your bot traffic originates from.
  • Choose action - Managed challenge.

3. Click Deploy.

Configure the rule

Other Cloudflare options for blocking bot traffic include:

  • Known bots - excludes traffic from Cloudflare's maintained bot list
  • Verified bot category - excludes traffic by bot category
Other Cloudflare options for blocking bot traffic

If your bot traffic arrives through known spam domains, you can add an exception trigger to your GA4 tags in web GTM to prevent those sessions from being tracked.

1. In your web GTM container, go to Variables → under Built-In Variables click Configure and enable the Referrer variable.

enable the Referrer variable

2. Go to Triggers and click New

Go to Triggers and click New

3. Choose Custom Event as a trigger type.

Choose Custom Event as a trigger type

4. Set the following settings:

  • Event name - .* 
  • Check Use regex matching 
  • Under This trigger fires on, select Some Custom Events 
  • Add the condition: {{Referrer}}- matches RegEx (ignore case). Then enter your spam domains, separated by | without spaces (e.g. news.grets.store|static.seders.website|another.domain).

Click Save.

Under This trigger fires on, select Some Custom Events

5. Go to your GA4 tag → under Triggering, click Add Exception → select the trigger you just created. Click Save.

Add Exception

Publish your container. The exception trigger will prevent the GA4 tag from firing whenever the referrer matches one of the listed domains.

Comments

Related articles

Can’t find what you are looking for?