Shape Defense Overview


  • This document describes how Silverline Shape Defense works.

Return to Integrating Shape Defense



  • Shape Defense

Shape Defense

F5’s Shape Defense solution protects your application and server from automation attacks, aggregators, and other unauthorized automated requests.

Illustration 1: High-level network request flow

Shape Mobile SDK or Shape JavaScript gather signals on the user’s deviceSignals are collected and sent as part of the protected request. When request is made through a web form, signals are part of the HTTP request body, when made as an XHR request, or by the mobile app, the signals are sent as HTTP headers.

Note: These signals never include Personally Identifiable Information (PII), page content, or data entered by the visitor. 


When the Silverline receives the attached signal payload for the Shape-protected URL, the payload is processed by the Shape policy. Shape policy determines if the client is a human user or an automation. 

To enable this solution, web applications will leverage Shape JS, while mobile apps will need to integrate Shape Mobile SDK. Silverline must be configured to protect specific URLs with Shape Defense.


Silverline Configuration

To enable protection by Shape, the administrator defines which URLs or URL patterns need protection in the Silverline Portal.


Web Application Protection

Shape JavaScript collects signals and automatically decorates protected requests, such as form POSTs or XHR requests. 

When Silverline receives these requests, it examines the telemetry to determine if the requests are from legitimate users or an automation.  

When automation is detected, and Silveline action is set to Block or Redirect, the client will recieve the configured mitigation response. If action is set to Flag, automated requests are monitored by Silverline, but are allowed to proceed to the customer's server. Flagged requests will include an HTTP header signifying why they were marked as an automation.



Supported Browsers Shape JS Client is supported on four latest versions of Chrome, Firefox, Safari, and Edge, along with support for IE 9-11. It is compatible with older versions of these browsers, as well as, many other browsers.
JavaScript Size ~100 KB compressed
Telemetry payload size ~6KB 



Mobile Application Protection

Shape Mobile SDK collects telemetry and provides simple API to obtain Shape headers, which are then attached to the protected requests. 

When the Shape service receives these requests, it examines the telemetry to determine if the requests are from legitimate users or an automation.  

When automation is detected Silverline sends a special header back to the client, which triggers a new Shape configuration fetch.


Request Flow with Shape Mobile SDK

Illustration 2: This control-flow diagram shows application’s interaction with Shape SD.

  1. On launch, the app initializes the Shape Mobile SDK. It is recommended that SDK initialization happens as early as possible and before making any network requests which need to be protected by Shape.

    Upon initialization, the SDK makes a GET request to the Shape server to get the remote configuration. This is an asynchronous call which doesn’t block the execution of the app. Until a new configuration is fetched, either a previously cached configuration or the base configuration is used.

    Note: When integrating the SDK, a base configuration file is required.

  2. Using APIs available in the SDK, the app obtains the Shape HTTP headers and adds them to outgoing requests. This step is also known as request decoration.

  3. The app sends the request, Silverline applies Shape Policy, and an inference is made based on information gathered from the device. If the request is deemed legitimate, it proceeds to origin.

  4. When a response from the server is received, the app passes HTTP response headers to the Shape SDK. The SDK looks for a particular header present in the response. If the request is mitigated by Shape, the SDK makes another request call to fetch a remote configuration.



  iOS Android
Supported OS / API iOS 11+ API 21+
Size increases in app

2.2 MB static, 1.5 MB dynamic

2 MB (with AAB)
Telemetry payload size 2.0 - 5.0 KB (typically 3.2 KB)
Configuration size ~120 KB compressed




Related Content

Was this article helpful?
0 out of 0 found this helpful
Have more questions? Submit a request