Akamai Web Application Protector (WAP) is the entry level Web Application Firewall in the Akamai security portfolio. It sits on the Akamai global edge network as a reverse proxy, inspects every HTTP request before it reaches the publisher's origin, blocks the OWASP Top 10 categories of attack and applies rate limiting and bot mitigation rules. Because it is a security layer rather than a tracker, it processes request metadata (IP, User Agent, URL) under legitimate interest, and the cookies it may set (AKA_A2, _abck, bm_sz) qualify as strictly necessary.
Akamai Web Application Protector (WAP) is the simplest Web Application Firewall in the Akamai security catalogue. It runs on the Akamai global edge network as a reverse proxy in front of the publisher's origin. Every incoming HTTP request is inspected against signature based and behavioural rules covering the OWASP Top 10 (SQL injection, cross site scripting, RCE, LFI), then either passed through, challenged or blocked. WAP also includes basic bot mitigation, rate limiting and DDoS protection.
At a minimum WAP processes the connection metadata of every request: IP address, TLS handshake details, User Agent, HTTP headers, request URL and method. When a WAF rule requires it, the request body (form data, JSON payload) is also inspected. Bot mitigation also sets short lived cookies (AKA_A2, _abck, bm_sz, akacd_*) that act as challenge tokens. Logs are streamed to Akamai's security operations and can be exported to the publisher's SIEM through Akamai DataStream.
Running a WAF is a textbook implementation of Article 32 GDPR (appropriate technical and organisational measures). The lawful basis is legitimate interest under Article 6(1)(f) GDPR (security of the network and information systems), reinforced by Article 6(1)(c) where NIS2 or DORA explicitly require WAF capabilities. The bot detection cookies are strictly necessary to deliver the security service the publisher and the visitor implicitly request, and therefore exempt from consent under Article 5(3) ePrivacy.
European traffic normally terminates at European Akamai points of presence, but Akamai is headquartered in Massachusetts and its security operations centres are global. Request metadata and incident logs may therefore be processed in the United States. The Akamai DPA incorporates the EU Standard Contractual Clauses and references Akamai's EU-US Data Privacy Framework certification. A Transfer Impact Assessment is expected by European supervisory authorities.
Document the Akamai WAF in the processing register as a security processor. Sign the Akamai DPA. Mention Akamai Technologies Inc. and the United States in the privacy notice with the Article 32 legitimate interest balancing test. Configure short retention for incident logs. Do not mix WAP with marketing analytics in the same module so the strictly necessary status of the WAF cookies is unambiguous.
DPIA considerations
Akamai WAP is a security layer that processes connection metadata to block attacks. Key considerations:
1. The WAF inspects HTTP headers, URLs and sometimes request bodies that may contain personal data submitted by the visitor; retention of those samples for investigation should be limited.
2. The cookies set by Akamai (AKA_A2, _abck, bm_sz) are bot detection tokens and qualify as strictly necessary under Article 5(3) ePrivacy.
3. Akamai is a US company and request logs are processed globally; the publisher relies on the Akamai DPA, the SCCs and the EU-US Data Privacy Framework.
4. Akamai shares aggregated threat intelligence with other customers; this is processed under legitimate interest and should be mentioned in the privacy notice.
5. Detailed incident logs may include source IPs of legitimate visitors mistakenly classified as attackers; individual rights requests should be handled accordingly.
A DPIA is recommended whenever the WAF body inspection feature is enabled.
Sample consent text
This site is protected by Akamai Web Application Protector (Akamai Technologies Inc., United States), a Web Application Firewall operating on the Akamai global edge network. Akamai inspects every incoming request (IP, headers, URL) to block attacks and may store technical request logs and short lived bot detection cookies (AKA_A2, _abck, bm_sz). This processing is necessary to keep the site secure and does not require your consent.
Third-party domains contacted
- akamai.com
- akamaihd.net
- akamaized.net
- akamaitechnologies.com
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| AKA_A2 | Strictly necessary | 1 hour | Akamai bot detection token issued by Web Application Protector and Bot Manager to verify that the request is coming from a real browser, not from an automated client. |
| _abck | Strictly necessary | 1 year | Akamai Bot Manager cookie that stores the result of the bot challenge so subsequent requests do not have to be challenged again. |
| bm_sz | Strictly necessary | 4 hours | Akamai Bot Manager session cookie used to track the integrity of a browser session and detect anomalies suggesting automation. |
| akacd_* | Strictly necessary | Session | Akamai cookie that ties the visitor to a specific Akamai edge server for sticky routing during the security analysis. |
AKA_A2 (1 hour), _abck (1 year), bm_sz (4 hours) and akacd_* (session). All are short to medium lived bot detection or sticky routing cookies on Akamai or publisher domains.
No. They are strictly necessary to deliver the security service the publisher is required to operate under Article 32 GDPR. They are exempt from consent under Article 5(3) ePrivacy.
Legitimate interest (Article 6(1)(f) GDPR) for the security processing, plus legal obligation (Article 6(1)(c)) where NIS2 or DORA require WAF capabilities. Document the balancing test in the processing register.
Yes. Akamai is US headquartered, so request metadata and incident logs may transit the United States. SCCs and Akamai's EU-US Data Privacy Framework certification apply. A Transfer Impact Assessment is expected.
Recommended when the request body inspection feature is enabled (potential capture of personal data in payloads) or when WAP feeds into automated decisions affecting users (account blocking).
Sign the Akamai DPA. Document the legitimate interest balancing test for Article 32. Mention Akamai Technologies Inc. and the United States in the privacy notice. Configure short retention for incident logs. Avoid mixing the WAF cookies with marketing cookies.
Yes: OVHcloud WAF, Cloudflare WAF (US, but offers EU regions), Imperva (US), F5 Distributed Cloud WAF, or self hosted ModSecurity or Coraza on EU origins. Akamai remains a market leader for very high traffic sites that require an edge WAF.
List AKA_A2, _abck, bm_sz and akacd_* in the strictly necessary section with their domain, duration and security purpose. Add Akamai Technologies Inc. to the recipient list and mention the United States as a transfer destination for the security logs.