Overview
Imperva (formerly Incapsula, acquired by Thales Group in 2023) is a cybersecurity company providing Web Application Firewall (WAF), DDoS protection, bot management, CDN, and API security services. It is used by financial institutions, e-commerce platforms, healthcare organizations, and government agencies to protect web applications from automated attacks, application-layer DDoS, SQL injection, cross-site scripting, and credential stuffing. Imperva's architecture operates as a reverse proxy — all traffic to the protected website routes through Imperva's network before reaching the origin server, allowing threat detection and mitigation at the edge.
What This Script Does
Imperva's client-side presence serves security verification purposes: detecting automated browsers, bots, and scripted attacks that reach the website.
JavaScript challenge execution:
- Imperva injects a JavaScript challenge that browsers must execute to prove they are a legitimate browser environment
- The challenge tests for capabilities that headless browsers (Puppeteer, Playwright, PhantomJS) and automation frameworks typically lack or simulate poorly
- Challenge results are evaluated server-side; legitimate browsers receive a session validation cookie; suspicious clients are blocked or presented with a CAPTCHA
Device fingerprinting data collected:
- User agent string and parsed browser/OS/version details
- Screen resolution, color depth, and pixel ratio
- Installed browser plugins and fonts (via canvas fingerprinting)
- WebGL renderer and vendor strings
- Timezone offset and language settings
- JavaScript engine performance timing (used to detect virtual environments)
- Network connection type if available via the Network Information API
Behavioral signals analyzed:
- Mouse movement patterns and velocity (distinguish human from scripted input)
- Keystroke timing patterns
- Touch event characteristics on mobile devices
- Scroll behavior
Cookies set:
- visid_incap_<site-id> — first-party persistent cookie, 1-year expiry, stores Imperva's visitor session validation token that grants access to the protected site; required to pass the security check
- incap_ses_<port>_<site-id> — session-scoped cookie, stores the active security session token for the current browser session
- nlbi_<site-id> — first-party persistent cookie, load balancing and bot score caching, 1-year expiry
- These cookies are strictly necessary for the security service to function; without them, the protection layer cannot distinguish validated humans from bots on subsequent requests
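For a cookie audit, the names and lifetimes listed above can be checked against the Set-Cookie headers a site actually returns. The following is an added example, not Imperva's or ConsentStack's code; it assumes the site-id and port parts are numeric, treats "1-year" as within 10% of 365 days, and uses constructed sample headers.

```python
import re
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

YEAR = 365 * 24 * 3600
# Name patterns and lifetimes as listed on this page; numeric ids are an assumption.
RULES = [
    ("visid_incap", re.compile(r"^visid_incap_(?P<site>\d+)$"), "persistent"),
    ("incap_ses", re.compile(r"^incap_ses_(?P<port>\d+)_(?P<site>\d+)$"), "session"),
    ("nlbi", re.compile(r"^nlbi_(?P<site>\d+)$"), "persistent"),
]

def lifetime_seconds(attrs, now):
    """Return the cookie lifetime in seconds, or None for a session cookie."""
    if "max-age" in attrs:  # Max-Age takes precedence over Expires
        return int(attrs["max-age"])
    if "expires" in attrs:
        return int((parsedate_to_datetime(attrs["expires"]) - now).total_seconds())
    return None

def audit(set_cookie, now):
    """Classify one Set-Cookie value; return None if it is not an Imperva cookie."""
    pair, *rest = [p.strip() for p in set_cookie.split(";")]
    name = pair.split("=", 1)[0]
    attrs = {k.strip().lower(): v.strip() for k, _, v in (a.partition("=") for a in rest)}
    for kind, pattern, expected in RULES:
        m = pattern.match(name)
        if not m:
            continue
        life = lifetime_seconds(attrs, now)
        if expected == "session":
            ok = life is None  # session-scoped: no Expires or Max-Age
        else:  # "1-year expiry": accept a lifetime within 10% of 365 days
            ok = life is not None and 0.9 * YEAR <= life <= 1.1 * YEAR
        return {"kind": kind, **m.groupdict(), "lifetime": life, "matches_page": ok}
    return None

# Constructed sample headers (not captured from a real site).
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
SAMPLES = [
    "visid_incap_1234567=dGVzdA==; expires=Tue, 31 Dec 2024 00:00:00 GMT; path=/",
    "incap_ses_987_1234567=c2Vzcw==; path=/",
    "nlbi_1234567=bGI=; Max-Age=86400; path=/",
    "sessionid=abc; path=/",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(audit(header, NOW))
```

A result with matches_page set to False, such as the constructed nlbi sample with a one-day lifetime, marks a cookie whose observed lifetime differs from the one documented here and is worth re-checking before it is recorded as strictly necessary.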
Consent & Compliance
Imperva's cookies and data collection fall under the essential consent category. Under ePrivacy Directive Article 5(3), the exemption for cookies "strictly necessary" for a service explicitly requested by the user extends to security services that protect the integrity of the requested website. The EDPB and national DPAs have confirmed that security cookies used for bot detection, DDoS protection, and fraud prevention qualify as strictly necessary and are exempt from consent requirements.
Under GDPR, Imperva's processing of device fingerprinting and behavioral signals for security purposes is covered by legitimate interest under Article 6(1)(f) — the legitimate interest being the protection of the website and its users from cyberattacks and fraud. This is a well-established legitimate interest that consistently passes the balancing test.
Under CCPA, data collected for security purposes is not sold or used for advertising and does not trigger opt-out rights. Imperva is headquartered in San Mateo, California; EU data is processed through Imperva's EU infrastructure and covered by SCCs.
Should You Block This Without Consent?
No. Imperva provides essential security services. Its cookies (visid_incap_*, incap_ses_*, nlbi_*) are strictly necessary for the security layer to function — blocking them would disable bot protection, WAF enforcement, and DDoS mitigation, leaving the website unprotected. These cookies and data collection activities are exempt from consent requirements under ePrivacy and covered by legitimate interest under GDPR.
Tracked Domains (48)
Frequently Asked Questions
Does Imperva require consent?
No. Imperva provides essential web application security through WAF, DDoS protection, and bot detection. Its cookies are strictly necessary for the security layer to function. The ePrivacy Directive exempts security cookies from consent, and GDPR covers the processing under legitimate interest.
What does Imperva set on a website?
Imperva sets visid_incap (1-year, session validation token), incap_ses (session duration, active security token), and nlbi (1-year, load balancing and bot score caching). These cookies are strictly necessary for distinguishing validated human visitors from bots on every subsequent request.
How does ConsentStack handle Imperva?
ConsentStack classifies Imperva as essential, so its cookies load without requiring visitor consent. This ensures WAF enforcement, DDoS mitigation, and bot detection remain fully operational. ConsentStack accurately reflects the strictly necessary status in your consent records.