What Imperva is
Imperva is a reverse-proxy WAF that sits between visitors and the origin. Every request is scored against IP reputation, the _Incapsula_Resource sensor output, TLS handshake characteristics, and behavioural telemetry.
Low-trust requests surface as one of:
- A silent 403 with an incident ID in the body — the classic Incapsula block page.
- A JavaScript challenge served from /_Incapsula_Resource?... that must execute and set the incap_ses_* cookie before the request will be honoured.
- A reCAPTCHA interstitial on more sensitive endpoints.
The four signal categories
1. IP address reputation
Imperva publishes its own threat-intelligence feed and most known cloud ranges are pre-scored as suspicious before any other check runs.
- Datacenter IPs (AWS, GCP, Azure, DigitalOcean, OVH…) — pre-scored low.
- Residential IPs — higher baseline trust.
- Mobile IPs — highest baseline trust.
2. The _Incapsula_Resource sensor and the Incapsula cookie chain
This is where Imperva does most of its detection. Every protected page either ships with an inline sensor script or 302-redirects to one (/_Incapsula_Resource?SWJIYLWA=...) that runs in the browser and collects canvas/WebGL fingerprints, audio context, installed fonts, screen metrics, timezone, language, plugin list, navigator.webdriver, the shape of window.chrome, and similar surface.
The sensor POSTs an encrypted payload back to the edge, which sets the cookie chain required for future requests:
- visid_incap_<site_id> — long-lived visitor ID tied to the device fingerprint.
- incap_ses_<num>_<site_id> — short-lived session token that authorises the actual request.
- nlbi_<site_id> — load-balancer hint that also carries trust state.
A missing element from this chain — or an incap_ses_* sent from a different IP than the one that minted it — drops the request.
3. HTTP and TLS fingerprinting
Before any HTML is exchanged, Imperva fingerprints the client from the TLS handshake (JA3/JA4) and HTTP/2 behaviour.
- Most scraping libraries still default to HTTP/1.1. Real Chrome and Firefox haven't in years.
- libcurl and Go's net/http produce JA3 signatures that don't match any real browser.
- HTTP/2 fingerprinting tracks pseudo-header order, SETTINGS frame values, and window-update sizes.
4. Behavioural and pattern analysis
Imperva runs continuous ML pattern analysis:
- Missing real-browser headers (Sec-Fetch-*, Accept-Language, sec-ch-ua).
- incap_ses_* / visid_incap_* cookies sent from a different IP than the one that minted them.
- Identical sensor payloads reused across pages.
- Honeypot link hits.
- Bursty timing.
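As an added example (not Imperva's code and not part of the original page), the sketch below shows how a defender could look for three of the signals described above in their own request logs: an incomplete Incapsula cookie chain, an incap_ses_* value reused from a second IP, and missing browser headers. The record layout, the function names and the sample data are assumptions made for illustration.

```python
# Cookie-name prefixes of the chain, as listed above.
CHAIN_PREFIXES = ("visid_incap_", "incap_ses_", "nlbi_")
# Headers a real browser sends; keys are assumed lower-cased by the log source.
BROWSER_HEADERS = ("sec-fetch-", "accept-language", "sec-ch-ua")


def parse_cookies(header):
    """Split a Cookie request header into a {name: value} dict."""
    pairs = (p.split("=", 1) for p in header.split(";") if "=" in p)
    return {name.strip(): value.strip() for name, value in pairs}


def audit(records):
    """Return (record_index, reason) findings. Assumption: the minting IP is
    approximated by the first IP seen with a given incap_ses_* name/value."""
    first_seen = {}
    findings = []
    for i, rec in enumerate(records):
        headers = rec["headers"]
        cookies = parse_cookies(headers.get("cookie", ""))
        for prefix in CHAIN_PREFIXES:
            if not any(name.startswith(prefix) for name in cookies):
                findings.append((i, f"missing cookie {prefix}*"))
        for name, value in cookies.items():
            if name.startswith("incap_ses_"):
                ip = first_seen.setdefault((name, value), rec["ip"])
                if ip != rec["ip"]:
                    findings.append((i, f"{name} from {rec['ip']}, first seen on {ip}"))
        for prefix in BROWSER_HEADERS:
            if not any(h.startswith(prefix) for h in headers):
                findings.append((i, f"missing header {prefix}"))
    return findings


# Constructed sample records: documentation IPs and made-up cookie values.
CHAIN = "visid_incap_111=aaa; incap_ses_22_111=bbb; nlbi_111=ccc"
BROWSER = {"sec-fetch-site": "none", "accept-language": "en-US",
           "sec-ch-ua": '"Chromium";v="124"'}
SAMPLE = [
    {"ip": "203.0.113.10", "headers": {**BROWSER, "cookie": CHAIN}},
    {"ip": "198.51.100.7", "headers": {**BROWSER, "cookie": CHAIN}},
    {"ip": "203.0.113.10", "headers": {"cookie": "visid_incap_111=aaa"}},
]

if __name__ == "__main__":
    for index, reason in audit(SAMPLE):
        print(f"record {index}: {reason}")
```

Records must be supplied in time order, since the first IP seen for a session value is treated as its origin.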
What this means for developers
The Incapsula cookie chain is the focal point — most Imperva workflows reduce to producing a valid chain and keeping IP/cookie alignment intact. Three general tooling categories:
- HTTP clients with browser-impersonating TLS — curl_cffi, curl-impersonate, tls-client. Match the handshake but can't mint a real incap_ses_* because the sensor doesn't execute.
- Stealth-patched browsers — Camoufox, patchright, Playwright with stealth plugins. Run the sensor in a real browser context.
- Managed scraping APIs — services like Scrappey that handle proxies, patched browsers and session persistence.
For reference, a minimal managed-API example:
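import requests

# One POST to the managed API; the named session keeps cookies and exit IP together.
response = requests.post(
    'https://publisher.scrappey.com/api/v1',
    json={
        'cmd': 'request.get',
        'url': 'https://example.com/listings',
        'session': 'imperva-session-1'
    },
    headers={'Authorization': 'Bearer YOUR_API_KEY'},
    timeout=60,  # requests has no default timeout
)
response.raise_for_status()  # stop on an HTTP error from the API itself
print(response.json()['solution']['response'])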
Imperva is particularly strict about IP/cookie consistency — incap_ses_* minted on one IP is rejected when sent from another — so a stable exit IP per session is unusually load-bearing.
Sites commonly fronted by Imperva
E-commerce, financial services, jobs, social, gaming and ticketing: Indeed.com, Instagram.com, Gamestop.com, selected Ticketmaster endpoints, and many regional banking and insurance portals. Many of these rotate between Imperva, Cloudflare, Akamai, DataDome and PerimeterX.
Summary
Imperva produces a continuous trust score from IP reputation, the _Incapsula_Resource JS sensor with its cookie chain, TLS/HTTP/2 fingerprints, and behavioural patterns. The incap_ses_* / visid_incap_* chain and its IP binding are the most diagnostic signals — most failed sessions can be traced back to either a malformed chain or an IP mismatch. As with any modern WAF, the sensor updates on a rolling basis.
