Detection in Enforce Mode

How Gateway and Middleware detect AI agents at the edge and server-side

Overview

When operating in Enforce mode, both the Gateway and Middleware perform multi-signal detection to classify incoming traffic. This page explains the detection mechanisms, signals used, and how results feed into policy evaluation.

Detection Flow

1. Extract request metadata
   ├── HTTP headers (User-Agent, Accept, etc.)
   ├── IP address and geolocation
   ├── TLS fingerprint (JA3/JA4)
   └── Request patterns

2. Check for MCP-I signature headers
   ├── If present → Verify Ed25519 signature
   │   ├── Valid → 100% confidence, classify as ai_agent
   │   └── Invalid → Continue to WASM detection
   └── If absent → Continue to WASM detection

3. Run detection engine
   ├── Gateway: WASM module at Cloudflare edge
   └── Middleware: Server-side API detection

4. Combine results
   ├── Detection class (human, ai_agent, bot, incomplete_data)
   ├── Confidence score (0–100)
   └── Agent metadata (name, type, verification method)

5. Apply policy
   └── Allow / Block / Redirect / Challenge / Log

Detection Signals

User Agent Analysis

The detection engine analyzes the User-Agent header for known agent signatures:

| Agent | User Agent Pattern |
|---|---|
| ChatGPT | ChatGPT-User |
| GPTBot | GPTBot |
| Claude | Claude-Web, ClaudeBot |
| Perplexity | PerplexityBot |
| Google AI | Google-Extended |
| Googlebot | Googlebot |
| Bingbot | bingbot |

TLS Fingerprinting

The Gateway performs TLS fingerprint analysis (JA3/JA4) at the edge. Different clients produce distinct TLS handshake patterns, which helps distinguish browsers from automated tools even when user agents are spoofed.

TLS fingerprinting is only available with the Gateway. Middleware detection relies on other signals since TLS termination happens before the middleware runs.

HTTP Header Analysis

Beyond the user agent, the detection engine examines:

  • Accept headers — Browsers send specific accept patterns
  • Language headers — Automated tools often omit or misconfigure these
  • Connection behavior — Keep-alive patterns, header ordering
  • Missing headers — Browsers include standard headers that bots may skip

Request Pattern Analysis

Detection considers behavioral signals:

  • Request frequency and timing
  • Navigation patterns (do they follow links?)
  • Resource loading (do they load CSS, images, JavaScript?)
  • Cookie handling

Signature Verification (RFC 9421)

How It Works

Some AI agents cryptographically identify themselves using HTTP Message Signatures as defined in RFC 9421. ChatGPT, for example, signs its requests with Ed25519 keys.

When the Gateway detects signature headers:

  1. Extract the Signature and Signature-Input headers
  2. Fetch the agent's public key from its .well-known/http-message-signatures-directory
  3. Verify the Ed25519 signature against the request
  4. If valid: 100% confidence classification as ai_agent
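
The four steps above as an added example in Node.js (not Checkpoint's code): it builds the RFC 9421 signature base from the covered components and verifies the Ed25519 signature over it. The request shape, the function names, the requirement that `@authority` be covered, and the `expires` freshness check are assumptions of this example, and a locally generated key pair stands in for the key fetched from the agent's directory.

```javascript
// Added example (not Checkpoint's code): simplified RFC 9421 check with Ed25519.
const { generateKeyPairSync, sign, verify } = require('node:crypto');

// Parse `sig1=("@method" "@authority");created=1;keyid="k"` (single label, raw param strings).
function parseSignatureInput(header) {
  const m = /^([a-z0-9_-]+)=(\(([^)]*)\)((?:;[^;]+)*))$/.exec((header || '').trim());
  if (!m) return null;
  const params = Object.fromEntries(m[4].split(';').filter(Boolean).map((p) => p.split('=')));
  return { label: m[1], raw: m[2], components: m[3].match(/"[^"]+"/g) || [], params };
}

// Signature base: one `"id": value` line per covered component, then @signature-params.
function signatureBase(input, req) {
  const derived = { '@method': req.method, '@authority': req.authority.toLowerCase(), '@path': req.path };
  const lines = input.components.map((id) => {
    const name = id.slice(1, -1);
    const value = name.startsWith('@') ? derived[name] : req.headers[name]; // lower-case header names assumed
    if (value === undefined) throw new Error(`cannot resolve ${id}`);
    return `${id}: ${value}`;
  });
  lines.push(`"@signature-params": ${input.raw}`);
  return Buffer.from(lines.join('\n'));
}

// Any failure returns verified:false so the caller continues to heuristic detection.
function classifyBySignature(req, publicKey, nowSec) {
  const fail = (reason) => ({ verified: false, reason });
  const input = parseSignatureInput(req.headers['signature-input']);
  if (!input) return fail('no usable Signature-Input');
  const sig = new RegExp(`^${input.label}=:([A-Za-z0-9+/=]+):$`).exec(req.headers.signature || '');
  if (!sig) return fail('no matching Signature');
  if (!input.components.includes('"@authority"')) return fail('@authority not covered');
  if (!(Number(input.params.expires) > nowSec)) return fail('expired or no expiry');
  let ok = false;
  try { ok = verify(null, signatureBase(input, req), publicKey, Buffer.from(sig[1], 'base64')); } catch { /* unresolvable component */ }
  return ok ? { verified: true, class: 'ai_agent', confidence: 100 } : fail('bad signature');
}

// Constructed sample: a throwaway key pair stands in for the agent's published key.
function demo() {
  const { publicKey, privateKey } = generateKeyPairSync('ed25519');
  const si = 'sig1=("@method" "@authority" "@path");created=1700000000;expires=1700000300;keyid="demo-key"';
  const req = { method: 'GET', authority: 'example.com', path: '/docs', headers: { 'signature-input': si } };
  const sigBytes = sign(null, signatureBase(parseSignatureInput(si), req), privateKey);
  req.headers.signature = `sig1=:${sigBytes.toString('base64')}:`;
  const check = (r, now) => classifyBySignature(r, publicKey, now);
  return { good: check(req, 1700000100), replayed: check({ ...req, authority: 'other.example' }, 1700000100), stale: check(req, 1700000400) };
}
```

In `demo()`, the same signed headers presented for a different authority or after `expires` are rejected, so a captured signature does not carry the 100% classification to another host or a later time.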

Supported Agents

| Agent | Signature Type | Key Discovery |
|---|---|---|
| ChatGPT | Ed25519 (RFC 9421) | .well-known/http-message-signatures-directory |

Checkpoint caches public keys for 5 minutes to avoid repeated lookups. Key rotation is handled automatically.

Why Signature Verification Matters

A valid signature cannot be forged without the agent's private key. When an agent presents a valid signature, detection confidence is 100%: there is no ambiguity about the request source. This makes signature verification the highest-confidence detection method available.

WASM Detection (Gateway)

The Gateway runs a WebAssembly detection module at Cloudflare's edge:

  • Compiled from optimized detection logic
  • Runs in under 5ms (p95)
  • No network round-trips for classification
  • Updated without redeployment via Cloudflare's platform

The WASM module combines multiple signals into a single classification with a confidence score.

Detection Classes

| Class | Value | Description | Typical Confidence |
|---|---|---|---|
| Human | human | Regular browser traffic | 0 (no agent signals) |
| AI Agent | ai_agent | AI assistants and chatbots | 70–100 |
| Bot | bot | Crawlers, scrapers, automation | 60–100 |
| Incomplete Data | incomplete_data | Insufficient signals | N/A |

AI Agent vs Bot

Checkpoint distinguishes between AI agents (ChatGPT, Claude, Perplexity) and traditional bots (Googlebot, scrapers). This lets you apply different policies — for example, allowing search crawlers while blocking AI scrapers.

Confidence Scores

| Range | Description |
|---|---|
| 100 | Cryptographic verification (signature match) |
| 90–99 | Strong multi-signal match (user agent + TLS + behavior) |
| 70–89 | Good signal match (user agent + partial verification) |
| 50–69 | Moderate signals (partial matches, some ambiguity) |
| 0–49 | Weak signals or human traffic |

Detection Latency

| Method | Latency (p95) | Where It Runs |
|---|---|---|
| Gateway (WASM) | ~1–5ms | Cloudflare edge (300+ locations) |
| Gateway (with signature) | ~5–10ms | Edge + key fetch (cached) |
| Middleware | ~5–10ms | Your application server |
