Footprint

What cookies does Bot Defender have? What JS sensor domains does Bot Defender have?

Sensor

We have dedicated domains for fetching the sensor and sending XHRs. These should be allowed in your Content Security Policy (CSP):
perimeterx.net
px-cdn.net
px-cloud.net
pxchk.net
px-client.net
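
A check for the allow-list above, as an added example that is not PerimeterX code: it parses a Content-Security-Policy header and reports which of the listed sensor domains are not covered. It assumes the sensor fetch falls under `script-src` and the XHRs under `connect-src`, and that a domain counts as covered when the policy names it or `*.` plus it; the sample header is constructed.

```python
# Sensor domains listed on this page.
SENSOR_DOMAINS = ["perimeterx.net", "px-cdn.net", "px-cloud.net",
                  "pxchk.net", "px-client.net"]
# Assumption: sensor script -> script-src, sensor XHRs -> connect-src.
DIRECTIVES = ["script-src", "connect-src"]

def parse_csp(header):
    """Parse a CSP header value into {directive: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            # A repeated directive is ignored by browsers; the first one wins.
            policy.setdefault(tokens[0].lower(), [t.lower() for t in tokens[1:]])
    return policy

def source_host(source):
    """Host part of a host-source; None for keywords, nonces and scheme-sources."""
    if source.startswith("'") or source.endswith(":"):
        return None
    rest = source.split("://", 1)[-1]          # drop an optional scheme
    return rest.split("/")[0].split(":")[0]    # drop path, then port

def covers(sources, domain):
    """True if the source list allows `domain` (assumed served over HTTPS)."""
    for src in sources:
        if src in ("*", "https:"):
            return True
        if source_host(src) in (domain, "*." + domain):
            return True
    return False

def missing_sensor_sources(header):
    """Return {directive: [sensor domains the policy does not allow]}."""
    policy = parse_csp(header)
    missing = {}
    for directive in DIRECTIVES:
        # Both directives fall back to default-src when absent.
        sources = policy.get(directive, policy.get("default-src"))
        if sources is None:
            continue  # the policy does not restrict this fetch type
        gaps = [d for d in SENSOR_DOMAINS if not covers(sources, d)]
        if gaps:
            missing[directive] = gaps
    return missing

# Constructed sample policy: script-src omits two of the listed domains.
SAMPLE = ("default-src 'self'; "
          "script-src 'self' https://*.perimeterx.net *.px-cdn.net px-cloud.net; "
          "connect-src 'self' *.perimeterx.net *.px-cdn.net *.px-cloud.net "
          "*.pxchk.net *.px-client.net")
```

Running `missing_sensor_sources` against the header your site actually serves shows which directives still need entries before the sensor is deployed.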

Cookies

Note

While not all cookies are used by PerimeterX all the time, they must be allowed, and should be expected, at the site level. It is recommended to un-block all PerimeterX cookies.

| Cookie name | Cookie Purpose Description | Type | Expiration | 1st or 3rd Party | Category | Note | Size |
| --- | --- | --- | --- | --- | --- | --- | --- |
| _pxvid | Used for browser detection and distinguishing whether it is a real user or malicious bot. | JS | 1 year | 1st Party | Strictly Necessary | Visitor ID (randomly generated ID) | 42b |
| _px* (e.g. _px, _px2, _px3) | Used to maintain a session with PerimeterX. It does not correspond to any user ID in the web application and does not store any personally identifiable information. | JS | 2 days | 1st Party | Strictly Necessary | Visitor ID (randomly generated ID); Session ID (uuid); Time expiration | up to 500b |
| _pxff_* (e.g. _pxff_af_c, _pxff_af_rf, _pxff_af_se, _pxff_af_sp, _pxff_af_wp, _pxff_bdd, _pxff_idp_c, _pxff_idp_p, _pxff_wa, _pxff_wow, _pxff_ww, _pxff_tm) | Used to flag features for browser detection and distinguishing whether it is a real user or malicious bot. | JS | 1 day | 1st Party | Strictly Necessary | All pxff cookies are feature flags for PerimeterX code. They include no visitor-specific data, only instructions for the PerimeterX code running on the client side. | 9b-20b |
| _pxmvid | User Token (from WebView via mobile SDK integration) | JS | 1 hour | 1st Party | Strictly Necessary | Visitor ID (randomly generated ID) | 43b |
| _pxhd | Used for server-side detection and distinguishing whether it is a real user or malicious bot. | HTTP | 1 year | 1st Party | Strictly Necessary | Visitor ID (randomly generated ID) | 106b |
| pxcts | Used to maintain a cross tab session | HTTP | session | 1st Party | Strictly Necessary | Cross tab session (randomly generated ID) | 43b |
| _pxde | Data enrichment feature (e.g. is the user in access control) | JS | 5 days | 1st Party | Analytics | Hashed incident type; Hashed access control identification | 100b-200b |

Performance Impact

Full details are available here

| Component | Category | Value |
| --- | --- | --- |
| Sensor | Size | 30kb |
| Sensor | CPU block time (sync load) | 50ms (95th percentile) |
| Server-side | 95th percentile of API request time | 35-50ms (impacting only 5% or less of legitimate users' requests) |
| Server-side | Token validation | under 2ms (95th percentile) |

