Brand Safety Verification Is Becoming a Yield Issue for Header Bidding Publishers

BiddingStack Team

9 min read
Add BiddingStack as a preferred source on Google
Brand Safety Verification Is Becoming a Yield Issue for Header Bidding Publishers

Brand safety used to be an advertiser-side concern. Buyers ran verification vendors, publishers occasionally saw a category block, and that was about it. This is changing. Some of the largest demand platforms now verify content before they are willing to serve an ad on it, and inventory they cannot verify is gradually removed from their demand pool.

For publishers this makes brand safety a yield issue. The same ad slot, with the same audience, earns less simply because a buyer's crawler could not confirm what content the ad would run next to. And this kind of demand loss is silent: bids stop arriving, fill rates drift down, and nothing in your reporting explains why.

Here is what buyers actually check on web and in-app, what to do about it, and how BiddingStack handles it.

Why buyers need to see your content

Two forces are driving this, and they both depend on the buyer being able to fetch and read the content around an ad slot.

The first is brand safety. Advertisers want assurance that their ads do not appear next to unsafe or misrepresented content. Historically that assurance came from post-impression measurement. Large demand platforms are moving it earlier in the chain: their crawler fetches the page an ad would appear on, classifies the content, and marks the inventory as eligible. Several major platforms have begun requiring a content URL in in-app bid requests and crawl access for their verification bots, and have told publishers that inventory they cannot scan will gradually stop receiving their demand.

The second is contextual targeting. As third-party identifiers fade and app tracking permissions tighten, a growing share of budgets is targeted by what the content is about rather than who the user is. That classification comes from the same crawl. Content a buyer can read is content that can attract contextual spend; content a buyer cannot read competes only for untargeted, lower-value demand.

Either way the economics are the same: verifiable, classifiable inventory earns more, and inventory that cannot be fetched is quietly worth less. This affects both web and app inventory, in different ways:

  • On the web, the page URL is already in every bid request, so verification usually fails for one reason only: the buyer's crawler is blocked by robots.txt, a CDN rule, or bot protection.
  • In-app, there is no page URL by default. Unless the SDK passes one, the buyer sees an opaque bundle ID and has nothing to scan at all.

The in-app gap: buyers cannot see your content

A web ad slot lives on a URL anyone can fetch. An in-app ad slot lives inside a binary. A typical in-app bid request says little more than "this is app com.example.news, here is a 320x50 slot", with no way for the buyer to know whether the surrounding screen is a recipe, a news article, or something an advertiser would never want to appear beside.

OpenRTB addresses this with the app.content.url field: the corresponding web URL for the content the user is currently viewing in the app. If your app shows an article that also exists on your website, that web URL goes into the bid request, the buyer's crawler scans it, and the in-app impression becomes verifiable.

Passing a content URL on every app request is now one of the highest-leverage best practices for in-app yield. It keeps your inventory eligible for demand sources that require verification, and it opens the door to contextual budgets that opaque inventory never sees. It costs one field in the bid request and typically one line of code.

{
  "app": {
    "content": {
      "url": "https://publishersite.com/article/12345"
    }
  }
}

The URL has to meet a few conditions, or verification fails as surely as if you had sent nothing:

  • A real web URL for the content being viewed, not a deep link (myapp://…) and not an app store listing.
  • Publicly accessible, not behind a login.
  • Specific to the content the user is on. Sending your homepage on every request is treated as unverifiable.
  • Reachable by the buyer's crawler.

Apps without a mirrored website should pass the closest public equivalent, such as a web landing page for the video, episode, or section being viewed. And the URL should change as the user navigates; a request from the sports section should not carry the URL of an article the user read five minutes ago.

Don't block ad crawlers while blocking AI crawlers

Passing a URL is half the job. The buyer's crawler still has to fetch it, and this is where many publishers fail without noticing.

Over the past two years most publishers have tightened robots.txt and bot protection considerably, mainly to keep AI training crawlers off their content. That is a reasonable position, but the blocking is often done wholesale: a robots.txt deny-by-default, a Cloudflare or Akamai rule that challenges everything that is not a known browser, a blanket "block all bots" toggle. Ad verification crawlers get caught in the same net, and every page they cannot fetch is inventory a buyer cannot verify.

The fix is to treat the two categories differently. Block AI spiders if that is your policy, but keep verification crawlers on an explicit allowlist:

  • In robots.txt, remove rules that block ad verification user agents, remove any Crawl-Delay for them, and add an Allow rule for the paths where ads appear.
  • In bot protection tools (Cloudflare, Akamai, AWS WAF, CAPTCHA), add an exception for verification bots. Verify them properly rather than trusting the user-agent string: each major demand platform publishes its crawler's user agent and IP ranges, usually with reverse DNS you can confirm. Allowlist the crawlers of every demand partner your stack depends on.
  • For paywalled content, grant the verified crawler access to the full pages. Buyers cannot classify a subscription prompt.

Common ad crawlers worth checking against your robots.txt and WAF rules include AdsBot-Google and Mediapartners-Google (Google ads quality and contextual classification), AmazonAdBot (Amazon Ads brand safety), GrapeshotCrawler (Oracle contextual), ias_crawler (Integral Ad Science), peer39_crawler (Peer39), and CriteoBot. Exact identifiers and IP ranges are in each partner's documentation, and the list depends on which demand sources and verification vendors your setup uses.

It is worth auditing this even if you have never touched robots.txt yourself: managed WAF rulesets and one-click AI-bot blockers change over time, and ad crawlers are routinely swept up in updates.

Maintaining these lists by hand is ongoing work, since both AI crawlers and ad crawlers keep changing identifiers and IP ranges. General-purpose WAFs also tend to get this backwards for publishers: their bot scoring flags well-behaved ad verification crawlers, which identify themselves honestly and fetch pages at scale, while AI scrapers that rotate residential IPs and imitate real browsers walk straight through. The result is the worst of both: demand partners cannot verify your content, and your content still ends up in training sets.

A publisher-focused bot management solution such as WAF360 applies the policy the ad business actually needs: AI training and scraping traffic is detected and blocked, while known ad verification and contextual crawlers stay allowlisted and verified against their published IP ranges, with both lists kept up to date as they change.

Keep the basics in order

Verification sits on top of eligibility signals buyers already check. Keep ads.txt and app-ads.txt current on the developer domain listed in your store pages, make sure the bundle ID, store URL, and publisher domain in your bid requests match your store listings, and pass IAB content taxonomy signals where you can. Unverifiable seller paths cause the same silent demand loss as unverifiable content.

How BiddingStack handles it

On the web, there is nothing to do. For publishers using BiddingStack's web solution, the page URL is available in every bid request automatically — the tag picks it up from the page itself, so as long as your pages are crawlable, web inventory is verifiable by default.

For apps, the BiddingStack Mobile SDK exposes a content URL setter on iOS, Android, Flutter, and React Native. Set it when the screen changes and every subsequent bid request carries the right app.content.url:

// iOS
BiddingStack.shared.setContentUrl("https://www.example.com/article/12345")
// Android
BiddingStack.shared.contentUrl = "https://www.example.com/article/12345"
// Flutter
BiddingStack.setContentUrl("https://www.example.com/article/12345");

BiddingStack's Managed Prebid Server enriches every in-app request before it reaches bidders, filling in the publisher domain, store URL, and IAB content categories, and fixing the malformed ORTB fields that quietly disqualify requests at the buyer's edge. The content URL you set in the SDK is passed through to every connected bidder, not just one.

Brand safety also runs in the other direction: BiddingStack's ad quality controls protect your app and site from bad creatives, with blocked categories, blocked advertisers, and malformed ad detection enforced at the server.

Finally, because verification-driven blocking is silent, per-bidder bid rates and win rates in the BiddingStack dashboard are the practical early warning. When a demand source starts fading, you can check eligibility before the revenue gap compounds.

Requirements like these change regularly, and they rarely arrive with much notice. Part of what publishers get from a managed platform is that BiddingStack tracks these changes and keeps the SDK, server, and integration guidance aligned with current buyer requirements and best practices, so your inventory keeps earning what it should without your team monitoring every partner announcement.

Checklist

  • Every in-app bid request carries a specific, public, crawlable app.content.url
  • Web pages carrying ads are crawlable by your demand partners' verification bots
  • robots.txt allows verification crawlers, with no Crawl-Delay
  • Bot protection rules allow verified crawler user agents and IP ranges, even if AI crawlers are blocked
  • Paywalled content grants crawler access
  • ads.txt / app-ads.txt current and matching store metadata

Publishers already sending a content URL on all app requests, with crawlers unblocked, need to change nothing.

Keep every demand source eligible

BiddingStack's SDK and Managed Prebid Server handle content URLs, request enrichment, and ad quality for you, on web and in-app.

Talk to Our Team