WAF360 JavaScript API
Get started with WAF360 JavaScript API
WAF360 provides a client-side JavaScript API to interact with the WAF360 tag. The API allows you to queue events and perform checks asynchronously, even before the tag script has fully loaded.
window._waf360.send(event, payload)
Adds a custom event to the WAF360 queue. This method can be called before or after the WAF360 tag is loaded.
event (string)
Name of the event to track. Example: "page_view"
payload (object, optional)
Optional data associated with the event. Example: { userId: 12345 }
Usage Example:
// Queue a custom event
window._waf360.send("page_view", { userId: 12345 });
Behavior:
- Queued events are stored in
window._waf360.quntil the tag is ready. - Once the tag initializes, queued events are sent to the WAF360 backend via Track.send.
window._waf360.check(callback)
Queues a WAF360 check operation to fetch the current traffic and security evaluation. The callback is executed once the tag is ready and the response is retrieved.
callback (function, required)
A function that executes with the WAF360 response data. The callback receives a single parameter: the response object.
Usage Example:
window._waf360.check(function(data) {
console.log("WAF360 check result:", data);
if (data.block) {
alert("Traffic is blocked");
}
});
Behavior:
- The callback function is queued in window._waf360.q as ['check', callback].
- When the WAF360 tag initializes, the tag executes all queued check callbacks.
- The callback receives a response object with the following fields:
{
"qs": false,
"ib": false,
"ic": true,
"dc": "AMAZON_AWS",
"ix": false,
"it": false,
"iv": false,
"geo": "GB",
"block": false
}
Queue Behavior
All API calls (send and check) are stored in the _waf360.q array until the WAF360 tag is fully loaded. This allows you to invoke the API before the tag script is available:
window._waf360.send("signup", { plan: "premium" });
window._waf360.check(function(data) { console.log(data); });
When the tag initializes, it processes the queue in order, sending events and executing check callbacks.
Example: Conditional Script Loading
In many cases, you may need to control which third-party vendor scripts are loaded based on the characteristics of your traffic. Using the WAF360 JavaScript API, you can dynamically decide whether to load scripts depending on geographic location, quality check status, bot detection, or other security metrics. This approach helps:
- Reduce unnecessary third-party script loads for suspicious traffic.
- Comply with regional or regulatory restrictions.
- Improve performance and security by only loading scripts for verified traffic.
The following examples demonstrate common scenarios for managing third-party vendor tags using window._waf360.check.
1. Only allow US traffic to load another JS tag
window._waf360.check(function(data) {
if (data.geo === "US") {
const script = document.createElement("script");
script.src = "https://example.com/us-only-script.js";
document.head.appendChild(script);
}
});
2. Load a script based on block status
window._waf360.check(function(data) {
if (!data.block) { // only load if traffic is not blocked
const script = document.createElement("script");
script.src = "https://example.com/allowed-script.js";
document.head.appendChild(script);
}
});
3. Load a script based on qs (quality check)
window._waf360.check(function(data) {
if (data.qs) { // only load if traffic passed quality check
const script = document.createElement("script");
script.src = "https://example.com/quality-pass-script.js";
document.head.appendChild(script);
}
});
4. Load a script based on both block and qs
window._waf360.check(function(data) {
// Load only if not blocked by rules and also passes quality check
if (!data.block && data.qs) {
const script = document.createElement("script");
script.src = "https://example.com/block-pass-script.js";
document.head.appendChild(script);
}
});