F5 Networks

Web security and DDoS protection solution for e-commerce and enterprise sites. F5 Networks scripts may appear as part of bot management and web application firewall (WAF) deployments, performing browser integrity checks to identify automated traffic.

Overview

F5 Networks is an enterprise application delivery and security company headquartered in Seattle, Washington. Its portfolio spans web application firewalls (WAF), DDoS protection, bot management, load balancing, and SSL/TLS offloading. When F5 scripts appear in the browser, they are typically components of F5's Shape Security or Distributed Cloud Bot Defense products — client-side JavaScript challenges that assess whether a visitor is a human or an automated bot. These scripts are deployed by enterprises, financial institutions, and e-commerce companies to protect login pages, checkout flows, account creation forms, and APIs from credential stuffing, carding, and scraping attacks.

What This Script Does

Script Files and Domains

F5 Shape Security/Bot Defense injects a dynamically generated JavaScript file whose filename and content are intentionally obfuscated and rotated to resist reverse engineering. The file is commonly loaded from the site's own domain (so that ad blockers do not block it), from api.figtreesecurity.com or api.bcrf.net, or from F5-provisioned subdomains of the customer's own domain. Bot Defense scripts communicate with F5's telemetry collection endpoints at {customer-prefix}.shape.io or via proxied routes on the origin server.

Browser Signal Collection

The script performs an extensive battery of passive browser and environment checks to generate a risk signal:

  • Navigator properties: userAgent, platform, hardwareConcurrency, deviceMemory, language, languages, maxTouchPoints, vendor, appVersion
  • Screen properties: width, height, colorDepth, pixelDepth, availWidth, availHeight
  • Canvas fingerprinting: Renders an offscreen canvas with text and geometric shapes, then reads back the pixel buffer and hashes it
  • WebGL: Queries renderer and vendor strings from the GPU
  • Audio fingerprinting: Uses the AudioContext API to generate a device-specific audio processing signature
  • Timing: Measures JavaScript execution timing to detect headless browser anomalies
  • Behavioral signals: Tracks mouse movement velocity, keystroke timing intervals, touch event patterns, and scroll behavior
  • Plugin and font enumeration: Lists available browser plugins and measures font rendering metrics

Risk Score and Challenge

Collected signals are encoded and transmitted to F5's scoring infrastructure, which returns a risk verdict. High-risk sessions may be presented with a CAPTCHA challenge or silently blocked at the WAF layer. Low-risk sessions receive a signed token that is validated server-side on subsequent requests.

Cookies Set

F5 Bot Defense sets session-scoped cookies (names vary by deployment) to persist the risk verdict across page navigations, avoiding repeated challenge overhead. These cookies contain encrypted risk scores and session tokens — no persistent advertising identifiers.

Consent & Compliance

Category: Essential

Bot management and fraud prevention are recognized as legitimate interests and strictly necessary security functions under ePrivacy. The EU's ePrivacy Directive (Article 5(3)) exempts cookies that are "strictly necessary in order to provide an information society service explicitly requested by the subscriber or user." Security scripts that protect the integrity of a requested service — such as preventing credential stuffing on a login page or carding on a checkout page — fall squarely within this exemption.

Under GDPR Recital 47, processing for fraud prevention constitutes a legitimate interest that overrides the data subject's interest where processing is proportionate. F5's client-side signal collection during a transaction flow is proportionate to the fraud risk being mitigated.

CCPA similarly exempts fraud prevention data processing from opt-out requirements under the "security" exception (Cal. Civ. Code § 1798.145(a)(1)).

No consent is required for strictly necessary security scripts, provided their scope is limited to security functions and they do not run persistent advertising tracking in parallel.

Should You Block This Without Consent?

No. F5 Networks' bot defense and WAF scripts provide essential security protection — preventing automated attacks, credential stuffing, carding, and DDoS — during user-requested interactions. They qualify for the strictly necessary exemption under ePrivacy and represent a legitimate interest under GDPR. Blocking them would expose your site to significant fraud and abuse risk. Ensure these scripts are scoped to pages where security protection is needed (login, checkout, registration) rather than running site-wide if minimizing data collection is a priority.
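A scope audit for the recommendation above, as an added example that is not ConsentStack's or F5's code: given the request URLs observed on each page (for instance from a HAR export), it flags pages outside login, checkout and registration that still contact the hosts this page names. The site `shop.example`, the path `/assets/bd.js` and the inventory are constructed; the first-party script path has to be supplied by the operator because the real filename is rotated.

```javascript
// Hosts and suffixes taken from this page; everything else here is constructed.
const NAMED_HOSTS = new Set(['api.figtreesecurity.com', 'api.bcrf.net']);
const NAMED_SUFFIXES = ['shape.io', 'zeronaught.com']; // telemetry and tracked domain

// True when host equals domain or is a subdomain of it. The match is
// dot-anchored, so "notshape.io" does not count as "shape.io".
function isSameOrSubdomain(host, domain) {
  return host === domain || host.endsWith('.' + domain);
}

// Classify one request URL as 'bot-defense', 'first-party' or 'other'.
// firstPartyPaths: paths the operator knows carry the proxied script
// (hypothetical values; the deployed filename is deployment-specific).
function classifyRequest(requestUrl, siteHost, firstPartyPaths = []) {
  let u;
  try { u = new URL(requestUrl); } catch { return 'other'; }
  const host = u.hostname.toLowerCase();
  if (NAMED_HOSTS.has(host)) return 'bot-defense';
  if (NAMED_SUFFIXES.some((d) => isSameOrSubdomain(host, d))) return 'bot-defense';
  if (isSameOrSubdomain(host, siteHost)) {
    return firstPartyPaths.includes(u.pathname) ? 'bot-defense' : 'first-party';
  }
  return 'other';
}

// Paths of pages that contact bot defense but are not transactional.
function findOutOfScopePages(inventory, siteHost, transactionalPrefixes, firstPartyPaths = []) {
  return inventory
    .filter((page) => page.requests.some(
      (r) => classifyRequest(r, siteHost, firstPartyPaths) === 'bot-defense'))
    .filter((page) => !transactionalPrefixes.some((p) => page.path.startsWith(p)))
    .map((page) => page.path);
}

// Constructed inventory for a fictional site, shop.example.
const SAMPLE_INVENTORY = [
  { path: '/login', requests: ['https://shop.example/assets/bd.js'] },
  { path: '/checkout/pay', requests: ['https://acme.shape.io/t'] },
  { path: '/blog/post-1', requests: ['https://api.bcrf.net/x.js', 'https://shop.example/app.js'] },
  { path: '/about', requests: ['https://notshape.io/lib.js'] },
];

console.log(findOutOfScopePages(
  SAMPLE_INVENTORY, 'shop.example', ['/login', '/checkout', '/register'], ['/assets/bd.js']));
```

Hostname matching alone cannot see a script served from the site's own domain, which is why the audit takes the first-party path as an input rather than guessing it.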

Consent Categories

Essential

Also Known As

F5 Networks, F5 bot management, F5 WAF script, F5 fingerprinting, NGINX bot protection, F5 Shape Security, web application firewall script

Industries

Computers Electronics and Technology

Tracked Domains (1)

zeronaught.com (Essential)

Frequently Asked Questions

Does F5 Networks bot defense require user consent to load?

No. F5 bot management qualifies as strictly necessary under ePrivacy Article 5(3) and as a legitimate interest under GDPR Recital 47. It protects user-requested services like login and checkout from credential stuffing and carding attacks without requiring a consent gate.

What data does the F5 bot defense script collect?

It performs passive checks: navigator properties, screen metrics, canvas fingerprint, WebGL GPU strings, audio fingerprint, and behavioral signals including mouse velocity, keystroke timing, and scroll patterns. Signals generate a risk score determining whether to allow or challenge the session.

How does ConsentStack treat F5 Networks scripts?

ConsentStack classifies F5 Networks as an essential vendor and allows it to load without a consent prompt. For the strongest compliance posture, ConsentStack recommends scoping the script to transactional pages — login, checkout, registration — rather than running it site-wide, keeping data collection proportionate.
