--- title: Handling bot traffic slug: pbrf2018 canonical_url: https://docs.coveo.com/en/pbrf2018/ collection: coveo-analytics source_format: adoc --- # Handling bot traffic This article provides guidance on handling bot traffic on your Coveo solution. Bot traffic is a common aspect of modern web operations and can impact your usage metrics and in some cases, your implementation performance. As a Coveo client, it's your responsibility to assess which requests should be allowed or blocked, and to implement appropriate bot-mitigation strategies within your own infrastructure. Therefore, it's essential to [understand the complexities of bot traffic](#about-bot-traffic) and review the [recommended strategies for managing bot traffic](#approaches-to-identify-and-manage-bot-traffic). ## About bot traffic Bot traffic patterns are dynamic in nature and can originate from various sources. Harmful or unintended bot traffic can consist of web crawlers, scrapers, or automated testing tools. They often use large pools of distributed IP addresses and rotate client identifiers to evade detection. Meanwhile, not all automated traffic is harmful. Traffic generated by legitimate agents, including crawlers or AI tools, is increasingly common and shouldn't be interpreted as malicious by default. Regardless of the intent, bot traffic can impact your usage metrics and increase your [queries per month (QPM)](https://docs.coveo.com/en/1391/) consumption in your Coveo solution. It's essential to identify the automated traffic which is harmful to your operations versus the traffic that is benign or even beneficial. ## Approaches to identify and manage bot traffic To identify or block automated traffic, consider implementing one or more of the following strategies within your own infrastructure. These approaches ensure that traffic is evaluated before reaching Coveo. ### Use dedicated web application firewalls (WAF) Security solutions such as Cloudflare™, Akamai™, or AWS WAF™ are specifically designed to detect, classify, and block malicious bot traffic. These tools maintain IP reputation databases, behavioral models, and rule engines that adapt to new bot patterns far better than static filtering. ### Implement a reverse proxy [A reverse proxy](https://docs.coveo.com/en/n9ig0408/) is a server that sits within your own infrastructure and lets you inspect, filter, and govern traffic before forwarding valid requests to Coveo. By routing requests through a proxy that you control, you can enforce your own filtering logic, rate limiting, or authentication decisions. This approach gives you full visibility into the nature of the traffic, and you can block unwanted patterns at the edge. ## FAQ ### Can Coveo block bot traffic? No. Coveo is a relevance platform designed to optimize search and discovery experiences, and its role is to process queries and events to deliver relevance. In the context of bot traffic, some legitimate automated agents such as crawlers or AI tools generate requests that support visibility and discovery, so it can be beneficial for your solution that Coveo processes them. Blocking automated traffic requires advanced detection, risk scoring, and adaptive filtering. These capabilities fall outside Coveo's scope and should be handled by specialized security tools. ### Why can't I block bots using client identifiers or IP addresses? Security filtration, traffic and threat mitigation are responsibilities that belong upstream in your architecture. There are several challenges associated with using static identifiers to block bot traffic: * Dynamic identifiers Bots rarely rely on fixed client identifiers or IP addresses. Because these identifiers can be rotated, exploited, or distributed across a large network of servers, static blocking lists become ineffective. * Distinguishing harmful from legitimate traffic Modern crawlers include search engine bots, accessibility tools, AI agents, and integration services. Automatically blocking these can degrade your customer experience or break valid automation.