How modern bot-detection systems work — fingerprinting, behavioral signals, and the challenges that block automated traffic.
Cloudflare Turnstile is a service that checks whether a visitor is a real human, but without showing the kind of puzzle a normal CAPTCHA does.
Anti-bot detection is the set of techniques websites use to tell automated traffic apart from real human visitors — and then block, challenge, or slow down the automated half.
TLS fingerprinting is a way to recognize what software made a connection just by looking at how it sets up encryption — before the server reads a single byte of your request.
Canvas fingerprinting is a way for a website to identify your device by asking the browser to draw a tiny invisible image, then turning the resulting pixels into a short ID (a hash.
DataDome is a bot-protection vendor used on roughly 1,200 enterprise sites, scoring more than 5 trillion signals per day.
Akamai Bot Manager is an enterprise tool that websites use to tell real visitors apart from bots, and it guards roughly 30% of the Fortune 500 — airlines, banks, retailers, ticketi.
PerimeterX, now operating as part of HUMAN Security, is a bot-protection vendor whose biggest asset is its network.
Kasada is a bot-defense system that big retailers, ticketing sites, and sneaker drops put in front of their servers to manage automated traffic.
F5 Shape Security is the most sophisticated anti-bot product on the market — F5 paid $1 billion to acquire Shape in 2020, and the price reflects what it does.
WebAssembly (WASM) fingerprinting is a newer anti-bot technique that identifies a browser by measuring how its actual CPU behaves, instead of trusting what the browser says about i.
HTTP/2 fingerprinting identifies an HTTP client from its SETTINGS frame and frame-level behaviour, independent of the TLS layer.
A WebRTC IP leak is when your browser quietly reveals your real IP address — even though you set up a proxy to hide it.
A DOM honeypot is an invisible form field or link that humans never see but bots fill in or click.
Data poisoning is when a site decides you are probably a scraper and quietly feeds you wrong data instead of blocking you: fake prices, made-up reviews, incorrect stock counts, sli.
Anubis is a free, open-source MIT-licensed "gatekeeper" that sits in front of a website (a reverse proxy - software that intercepts requests before they reach the real server) and .
Behavioural bot detection is the part of anti-bot scoring that asks "how does this client act?" instead of "what is this client?".
A session cookie is an HTTP cookie with no Max-Age or Expires attribute, so the browser keeps it only in memory and throws it away when the browsing session ends.
Websites spot scrapers by gathering hundreds of small clues about each visitor, then scoring how human the whole picture looks.
An anti-scraping mechanism is any technical control a website uses to detect, slow down, or block automated requests (bots) instead of real people.
Headless browser detection is the set of probes anti-bot systems use to distinguish a headless or instrumented Chrome session from a real user's browser.
Browser fingerprinting is how a site combines signals — canvas, WebGL, audio, fonts, navigator probes, TLS (the encryption layer behind https, which has its own identifying pattern.
A useful first step when working with any protected site you are authorized to access is identifying which anti-bot vendor sits in front of it.
Cloudflare Bot Management is the enterprise-tier ML scoring system Cloudflare runs on every request to a protected zone.
Imperva Incapsula is the enterprise WAF and bot-protection product from Imperva (acquired by Thales in 2023).
AWS WAF Bot Control is a ready-made set of rules inside AWS WAF (Amazon's web application firewall — the security layer that filters traffic before it reaches a site) that de.
Forter is a fraud-and-trust platform that runs at e-commerce checkout — it is not a traditional anti-bot product.
Riskified is a chargeback-guarantee platform for e-commerce checkout.
WebGL fingerprinting reads identifying information directly from the GPU.
AudioContext fingerprinting plays a silent waveform through the Web Audio API, then reads back the resulting floating-point samples and hashes them.
Function.prototype.toString() inspection is a technique anti-bot scripts use to identify JavaScript functions that have been modified at runtime.
Font fingerprinting identifies a device by working out which fonts are installed on it and measuring how that device draws text.
Math fingerprinting identifies a browser by running math functions (sin, cos, tan, exp, log, pow) on fixed inputs and reading the very last bits of the answers.
Fingerprint lie detection is the practice of verifying that the signals a browser reports are internally consistent and untampered, rather than trusting them at face value.
Favicon fingerprinting (the "Supercookie" technique) abuses the browser's separate, long-lived favicon cache to store a persistent identifier that ordinary cookie controls do not c.
Browser extension detection infers which extensions are installed by probing for the resources and side effects they expose to web pages.
Sensor fingerprinting identifies a mobile device from the minute calibration errors in its motion and environment sensors.
Battery Status API fingerprinting used the precise charge level and charging/discharging times exposed by navigator.getBattery() as a short-lived device identifier.
Timing-based fingerprinting uses high-resolution clocks to measure how long operations take, turning microarchitectural and rendering behaviour into a hardware signature.
Fingerprint clustering is the practice of grouping fingerprints from millions of real visitors by similarity, then rejecting any new visitor whose fingerprint does not fall inside .
An anti-bot challenge is a small test a server makes your browser run — like proof-of-work (forcing the browser to burn some CPU on a puzzle), collecting a fingerprint (a profile o.
JA4 is a way to identify a browser by the fingerprint of its TLS handshake — TLS being the encryption layer behind https.
Residential proxy detection is how anti-bot systems spot traffic that is being routed through a residential proxy pool — a network of IP addresses that belong to real home internet.
Fingerprint entropy is a way to measure how much a browser attribute gives away about who you are, counted in bits.
WebGPU fingerprinting reads identifying data from the modern navigator.gpu API.
User-Agent Client Hints (UA-CH) are a set of structured HTTP headers plus a matching JavaScript API that report the same browser and operating-system facts the old User-Agent text .
A timezone/IP mismatch is when the location a browser claims and the location of its IP address disagree.
navigator.webdriver is a standardized boolean that returns true when the browser is being controlled by automation.
JA3 is a method for fingerprinting a TLS client by hashing the fields of its Client Hello.
HTTP/3 / QUIC fingerprinting identifies a client from the QUIC transport layer that HTTP/3 runs on.
Hardware fingerprinting reads device capability signals - CPU cores, RAM, and screen metrics - that JavaScript exposes directly.
CDP detection is the family of techniques anti-bot scripts use to tell that a browser is being driven through the Chrome DevTools Protocol (CDP).
Incognito detection is the set of techniques that reveal whether a browser is in private / incognito mode.
Media devices fingerprinting reads the list of cameras, microphones, and speakers a browser reports via navigator.mediaDevices.enumerateDevices().
Speech synthesis fingerprinting reads the list of text-to-speech voices exposed by window.speechSynthesis.getVoices().
Stack depth fingerprinting measures the maximum JavaScript recursion depth a browser allows before throwing a RangeError: Maximum call stack size exceeded.
CSS media query fingerprinting reads operating-system and device preferences through window.matchMedia().
Screen resolution fingerprinting reads the display measurements a browser reports - screen.width/height, availWidth/availHeight, colorDepth, devicePixelRatio, and the inner/outer w.