Imperva
Imperva is a cyber security software and services company for networking, data, and application security.
Websites Using Imperva
What Is Imperva?
Imperva is an enterprise cybersecurity company whose application-security platform protects websites and APIs with a web application firewall (WAF), distributed-denial-of-service (DDoS) mitigation, bot management, and content delivery. Its cloud application-security service, which incorporates the technology of the former Incapsula product that Imperva acquired and rebranded, sits in front of a customer's origin servers as a reverse proxy, filtering malicious traffic before it ever reaches the application.
Imperva is positioned at the enterprise and security-conscious end of the market. Where some providers bundle security as one feature among many, Imperva's heritage is in data and application protection, and it is frequently chosen by organizations with stringent security, compliance, and availability requirements. The platform is delivered as a cloud service that a customer routes their traffic through, typically by pointing their DNS at Imperva, so that every request passes through Imperva's global network of scrubbing and edge locations on the way to the origin.
It helps to frame Imperva accurately and to keep the discussion defensive. As a reverse-proxy security service, Imperva inspects incoming requests for signs of common web attacks and abusive automation, applies access and rate-limiting policies, absorbs volumetric floods, and caches and accelerates legitimate traffic, all before forwarding clean requests to the protected origin. This profile describes how to recognize that Imperva is in front of a site and what it does at a high level; it deliberately avoids any discussion of how to bypass, evade, or attack such protections. Understanding that a site is shielded by an enterprise WAF is useful context for legitimate research, vendor analysis, and defensive planning.
Because Imperva terminates and inspects traffic at its edge, it leaves recognizable fingerprints in HTTP responses and cookies. Those signals, described below, are what make it identifiable from the outside even though the underlying origin is hidden behind the service.
How Imperva Works
Imperva's cloud service operates as a reverse proxy in front of the origin. A customer changes their DNS so that their domain resolves to Imperva's network rather than directly to their own servers. From that point, every visitor request lands first on an Imperva edge node, which inspects and filters it, and only legitimate traffic is forwarded to the origin over a protected connection. The origin's real IP address is kept out of public DNS, so attackers cannot easily target it directly.
The web application firewall is the centerpiece. It evaluates requests against a combination of managed rule sets and customer-defined policies designed to catch common web-application attack patterns, such as injection and cross-site scripting attempts, and to enforce input and access rules. Imperva maintains and updates these protections centrally, drawing on threat intelligence gathered across its customer base, so that newly observed attack techniques can be mitigated for everyone behind the service. Security teams can also create custom rules tailored to their own applications.
DDoS protection operates at multiple layers. For network-layer (volumetric) floods, Imperva's globally distributed scrubbing capacity absorbs and filters attack traffic before it reaches the customer. For application-layer attacks, which try to exhaust resources with seemingly legitimate requests, the platform applies behavioral analysis and challenges to separate real users from attack traffic. The goal is to keep protected sites available even during large, sustained attacks.
Bot management distinguishes human visitors and well-behaved automated clients from abusive bots involved in activities like content scraping, credential stuffing, and inventory hoarding. Using behavioral signals, device characteristics, and reputation data, Imperva classifies automated traffic and lets operators allow, challenge, or block it according to policy. Alongside these protections, Imperva provides CDN caching and acceleration, so that legitimate content is delivered quickly from edge locations while security inspection happens inline.
Because all of this runs as a managed cloud service in the request path, Imperva also functions as the site's front-line delivery layer. It terminates TLS at the edge, applies caching, and adds its own headers and cookies as part of inspecting and tracking sessions. This inline position is exactly what gives the platform its protective power and what produces the observable signals that allow it to be detected.
How to Tell if a Website Uses Imperva
Imperva leaves several recognizable fingerprints in HTTP responses and cookies, which StackOptic inspects from the server side. Many of these signals carry the legacy "Incapsula" naming from the product Imperva acquired, which remains visible in headers and cookies.
The X-Iinfo header. Imperva commonly adds an X-Iinfo response header (an Incapsula information string). Its presence is a strong, distinctive indicator that traffic is passing through Imperva's service.
The X-CDN: Incapsula header. Responses frequently include a header identifying the CDN as Incapsula, such as X-CDN: Incapsula. This is one of the clearest tells that the site sits behind Imperva.
Incapsula cookies. Imperva sets recognizable cookies used to track and validate sessions, most notably visid_incap_<siteid> and incap_ses_<...>. Seeing cookies whose names contain incap in the Set-Cookie header or in DevTools is a dependable signal.
The _Incapsula_Resource reference. When the service serves one of its own pages or challenge resources, the response often references a path containing _Incapsula_Resource. Encountering this string is strong evidence of Imperva/Incapsula in the path.
Server and block-page hints. Some responses carry server identification associated with Imperva, and the service's notice or block pages (shown for requests it declines to forward) carry recognizable Imperva/Incapsula branding and support references.
| Method | What to do | What Imperva reveals |
|---|---|---|
| curl -I | Run curl -I https://example.com | X-Iinfo, X-CDN: Incapsula, and Set-Cookie with incap cookies |
| Browser DevTools | Network tab Response Headers, plus the Application/Storage cookies panel | The same headers and the visid_incap / incap_ses cookies |
| View Source | Inspect any served notice or challenge page | References to _Incapsula_Resource and Imperva/Incapsula branding |
| Wappalyzer | Run the extension on the live page | Frequently identifies "Imperva" or "Incapsula" under security/WAF/CDN |
| BuiltWith | Look up the domain | Reports Imperva/Incapsula in the security and CDN profile |
A quick terminal check is curl -sI https://example.com | grep -iE "x-iinfo|x-cdn|incap". Any X-Iinfo header, an X-CDN: Incapsula value, or an incap-prefixed cookie indicates the site is protected by Imperva. For the methodology behind reading these signals, see our guide on how to read a website's HTTP headers, and because Imperva is both a security layer and a CDN, how to tell if a website uses Cloudflare or another CDN is a useful companion.
A few points make multi-signal analysis the right approach, and all of them stay firmly on the defensive side. Imperva is a reverse proxy, so a DNS lookup returns Imperva's network rather than the protected origin, which is by design: the platform hides the origin's real address to prevent direct attacks. The header and cookie fingerprints described above are the practical way to recognize the service from the outside, and because the platform genuinely depends on its cookies for session validation, those signals are persistent across a protected site. Since Imperva's bot-management features specifically address scraping and abusive automation, the appropriate use of detection is to understand a site's defenses for legitimate research and planning, not to probe or circumvent them. For background on the kinds of automated threats such a service mitigates, our guide on how to protect your website from bots and scrapers gives helpful context, and you can compare Imperva's positioning with another major edge-security network like Cloudflare. Reading the raw headers server-side is the cleanest way to gather these signals together for a confident identification.
Key Features
- Web application firewall. Managed and custom rules that filter common web-application attack patterns before they reach the origin.
- DDoS mitigation. Globally distributed scrubbing capacity for network-layer floods and behavioral defenses for application-layer attacks.
- Bot management. Classification of automated traffic to allow, challenge, or block scraping, credential stuffing, and similar abuse.
- Content delivery and acceleration. Edge caching and optimization for legitimate traffic alongside inline security.
- Origin cloaking. Keeps the origin server's real IP out of public DNS by routing all traffic through Imperva.
- Centralized threat intelligence. Protections informed by attack data observed across Imperva's customer base.
- Policy and reporting. Granular access, rate-limiting, and visibility tools for security teams, with attack analytics.
Pros and Cons
Pros
- Enterprise-grade, layered protection combining WAF, DDoS mitigation, and bot management in one service.
- Inline reverse-proxy model hides the origin and filters threats before they reach the application.
- Centralized, continuously updated rules backed by cross-customer threat intelligence.
- Bundled CDN means security and acceleration are delivered together at the edge.
Cons
- Positioned for the enterprise, so it can be more complex and costly than lightweight security plugins.
- As an inline proxy, it becomes a critical dependency in the request path that must be configured carefully.
- Tuning WAF rules to avoid blocking legitimate traffic requires security expertise.
- Routing all traffic through a third party requires trust and careful handling of TLS and data.
Imperva vs Alternatives
Imperva competes with other cloud WAF and application-security providers. The table outlines where it sits, with the caveat that all of these are defensive platforms.
| Provider | Category | Heritage / focus | Best for |
|---|---|---|---|
| Imperva | Cloud WAF + DDoS + bot management | Data and application security (incl. former Incapsula) | Enterprises needing layered, security-led protection |
| Cloudflare | CDN + security platform | Performance and security at massive scale | Sites wanting CDN, WAF, and DDoS in one broad service |
| Akamai | CDN + security (App & API Protector) | Large-scale edge delivery and security | Large enterprises with global delivery and security needs |
| AWS WAF | Cloud-provider WAF | Native integration with AWS services | Teams standardized on AWS infrastructure |
| F5 | Application delivery and security | Hardware and software ADC heritage | Organizations with on-premise and hybrid needs |
The common theme is layered, inline protection at the edge. The differentiators are heritage and emphasis: Imperva leads with a security-and-data pedigree, while broad CDNs lead with performance and scale and add security alongside. Many enterprises evaluate these platforms on rule quality, bot-management sophistication, and how the service fits their compliance posture.
Use Cases
Imperva is chosen by organizations for which application security and availability are first-order concerns. Financial-services firms, healthcare providers, and other regulated enterprises put it in front of customer-facing applications to filter attacks and satisfy compliance expectations. Large ecommerce and media sites use it to absorb DDoS attacks and to manage abusive bot traffic such as scraping and credential stuffing.
It also fits APIs that need protection against automated abuse, high-value web applications that are frequent targets, and any business that needs to keep services available under attack while accelerating legitimate traffic. Because Imperva combines security with CDN delivery, it appeals to teams that want both from a single, security-led vendor.
Consider a few defensive scenarios. A bank might route its online-banking portal through Imperva so that injection attempts and credential-stuffing campaigns are filtered at the edge, well before they reach the application, while genuine customers experience fast, cached delivery. A large retailer might rely on Imperva's bot management to prevent automated scraping of prices and inventory and to blunt account-takeover attempts during high-traffic sales events. A media company facing politically motivated DDoS attacks might depend on Imperva's scrubbing capacity to stay online. In each case the service is a protective layer that keeps a high-value site secure and available.
From a technology-research perspective, recognizing Imperva on a site indicates an organization that takes application security seriously and has invested in enterprise-grade protection, often a sign of regulated industry, significant scale, or high-value digital assets. For vendors, partners, and analysts, that is meaningful context, and it is exactly the kind of signal that a server-side detection scan surfaces from headers and cookies in seconds, without any need to interact with the protections themselves.
Frequently Asked Questions
What is the relationship between Imperva and Incapsula?
Incapsula was a cloud-based website-security and CDN service that Imperva acquired and subsequently rebranded under the Imperva name. The technology lives on inside Imperva's cloud application-security platform, which is why many of the observable fingerprints, headers like X-CDN: Incapsula, cookies such as visid_incap, and _Incapsula_Resource paths, still carry the Incapsula name even though the product is now Imperva.
How can I tell if a site is behind Imperva?
Inspect the HTTP response headers and cookies. Look for an X-Iinfo header, an X-CDN: Incapsula header, or cookies whose names contain incap (for example visid_incap and incap_ses). Served notice or challenge pages may reference _Incapsula_Resource. A single curl -sI URL | grep -iE "x-iinfo|incap" is a fast way to check, and tools like Wappalyzer and BuiltWith confirm it.
Why does a site behind Imperva not reveal its real server IP?
Imperva works as a reverse proxy: the customer points DNS at Imperva, so the public DNS record resolves to Imperva's network, not the origin. Keeping the origin's real IP private is intentional and defensive, it prevents attackers from bypassing the protection and hitting the server directly. As a result, you detect Imperva from its edge headers and cookies rather than from the origin address.
Is Imperva a WAF, a CDN, or DDoS protection?
It is all three, delivered together as a cloud application-security service. The platform combines a web application firewall, DDoS mitigation, and bot management with CDN caching and acceleration. Routing traffic through Imperva means a site gets layered security and faster delivery from the same inline service, which is why it appears in both security and CDN detection categories.
Does Imperva affect a site's performance or SEO?
Imperva includes CDN caching and acceleration, so legitimate traffic, including search-engine crawlers, is typically served quickly from edge locations, which supports good performance. The security inspection happens inline and is designed to be low-latency for genuine visitors. As with any inline edge service, correct configuration matters, but a well-tuned deployment generally aids performance while protecting the site.
Want to detect Imperva and the rest of a site's security and delivery stack? Run any URL through StackOptic at https://stackoptic.com.
Alternatives to Imperva
Compare Imperva
Analyze a Website
Check if any website uses Imperva and discover its full technology stack.
Analyze Now