Bot Detection power-up
Updated May 1, 2026
The Bot Detection power-up checks each incoming request for signs of bot activity. When enabled, it adds two headers to every request:
- X-Device-Bot (true or false)
- X-Device-Bot-Score (a score from 0 to 100)
With this power-up you can identify and act on suspicious traffic directly in your sGTM container.
Bot Detection is available on the Pro subscription plan and higher. To check your current plan or upgrade, go to your sGTM container settings.
How to set up Bot Detection
1. Log in to your Stape account and select your sGTM container from the dashboard.
2. Go to Power-ups and click Use next to the Bot Detection panel.
3. Toggle the Bot Detection switch to enable it.
4. Select one of the options:
- Add request headers - the power-up adds bot detection headers to incoming HTTP requests.
- Block requests from bots - the power-up blocks bot requests to
/collect(GA4) and/data(Data Tag) paths. If you use Custom Loader, enable the Block web GTM load toggle to stop web GTM from loading for bot and spam traffic.
5. Click Save changes.
6. Create a User-Defined Variable in the sGTM container with the type Request Header and enter the name X-Device-Bot.
7. Add this variable as an additional condition to your GA4 trigger, or any other trigger where you want to reduce the impact of bot traffic.
A score between 50 and 75 means the request looks unusual but doesn’t fully confirm bot behavior, so it isn’t blocked. A score above 75 means all checked parameters match bot activity, and the request is blocked if the Block requests from bots option is enabled.
Testing
Add request headers option:
1. Open the sGTM container preview.
2. Go to the Request tab → click Incoming HTTP Request.
3. If X-Device-Bot headers are present in the Request Headers section, the power-up is working correctly.
Block requests from bots option
Use the Stape Logs feature and filter by the 403 status code to see which requests were blocked.
Use case
A sample scenario is an eCommerce store running paid search campaigns that show healthy traffic volume but consistently underperform on ROAS. Session counts are high, bounce rates look normal, but revenue isn’t growing in proportion. The issue is that a significant share of recorded sessions comes from bots, which inflates traffic metrics and dilutes engagement rates.
You can identify this problem and fix it this way:
- In GA4, compare your session volume against your orders for the same period. If your conversion rate is significantly lower than your industry benchmark, and your average session duration looks unusually short across a large share of sessions, bot traffic is likely polluting your data.
- Enable the Bot Detection power-up and create a Request Header variable in sGTM with the Header Name
X-Device-Bot. Add this variable as an exception condition on your GA4 triggers so that events from requests whereX-Device-Botis true aren’t forwarded to GA4 or your ad platforms. - Monitor your key metrics over the following 2-4 weeks and compare them against the baseline period.
If bot traffic was previously distorting your data, you should see your conversion rate increase, and average session quality improve.
Use case with bot detection on Cloudflare
If most bot traffic originates from a specific country and you have no real visitors there, you can configure Cloudflare to challenge requests from that country.
1. In your Cloudflare account, go to your domain → Security → Security rules → click Create rule → select Custom rules.
2. Configure the rule:
- Rule name - enter a descriptive name.
- Field -
Country. - Operator -
equals. - Value - select the country your bot traffic originates from.
- Choose action -
Managed challenge.
3. Click Deploy.
Other Cloudflare options for blocking bot traffic include:
- Known bots - excludes traffic from Cloudflare's maintained bot list
- Verified bot category - excludes traffic by bot category
Use case with blocking spam referrals on the trigger level
If your bot traffic arrives through known spam domains, you can add an exception trigger to your GA4 tags in web GTM to prevent those sessions from being tracked.
1. In your web GTM container, go to Variables → under Built-In Variables click Configure and enable the Referrer variable.
2. Go to Triggers and click New.
3. Choose Custom Event as a trigger type.
4. Set the following settings:
- Event name - .*
- Check Use regex matching
- Under This trigger fires on, select Some Custom Events
- Add the condition:
{{Referrer}}-matches RegEx (ignore case). Then enter your spam domains, separated by | without spaces (e.g.news.grets.store|static.seders.website|another.domain).
Click Save.
5. Go to your GA4 tag → under Triggering, click Add Exception → select the trigger you just created. Click Save.
Publish your container. The exception trigger will prevent the GA4 tag from firing whenever the referrer matches one of the listed domains.
Was this article helpful?
Comments