access to your site (that is, domain + protocol + port) such as when using AJAX,

@font-face, and a few

other cases. Proactive Bot Defense blocks CORS requests even for legitimate users.
CORS requests are
blocked because browsers typically do not include the required cookies when
allowing cross-domain
requests to prevent session riding by attackers trying to access live sessions and
sensitive data from other
domains.
Therefore, if you enable Proactive Bot Defense and your web site uses CORS, we
recommend that you
add the CORS URLs to the proactive bot URL whitelist. Those URLs will not be
defended from bots
Preventing DoS Attacks on Applications
14
proactively, but they will not be blocked, and will still be protected by other
enabled DoS detections and
mitigations.
A common type of cross-domain request is when an HTML page references resources
from other
domains, such as embedded images, style sheets (CSS), and JavaScript. Proactive Bot
Defense supports
this type of cross-domain request, and you can configure specific domains from
which to allow resources
in the Cross-Domain Requests setting.
About configuring TPS-based DoS protection
When setting up DoS protection, you can configure the system to prevent DoS attacks
based on
transaction rates (TPS-based anomaly detection). If you use TPS-based anomaly
protection, the system
detects DoS attacks from the client side using the following calculations: