Add explainable bot detection to a Laravel app with a small middleware that fetches a verdict by session token and blocks or challenges automated clients. The browser is fingerprinted by the collector tag; your backend decides. See the live demo for the signals behind a verdict.

1. Add the collector tag

In your Blade layout (e.g. resources/views/layouts/app.blade.php), before </body>:

<script src="https://detectip.ai/collector.js" data-key="pk_live_..."></script>

This sets a first-party botd_token cookie on your domain that the server can read. One Laravel gotcha: the EncryptCookies middleware tries to decrypt every incoming cookie and replaces any it cannot decrypt with null, so a cookie written by JavaScript is invisible to $request->cookie() until you exempt it. Add 'botd_token' to the $except array of App\Http\Middleware\EncryptCookies (Laravel 10 and earlier) or call $middleware->encryptCookies(except: ['botd_token']) in bootstrap/app.php (Laravel 11). Without this, the middleware below never sees a token and silently allows every request.

2. Store your secret key

In .env:

DETECTIP_KEY=sk_live_...

Then expose it through config/services.php, because a value that lives only in .env is returned as null by env() once you run php artisan config:cache; reading it with config() works in both cases:

'detectip' => [
    'key' => env('DETECTIP_KEY'),
],

3. Create the middleware

app/Http/Middleware/BotGuard.php:

<?php

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Http;

class BotGuard
{
    public function handle(Request $request, Closure $next)
    {
        $token = $request->cookie('botd_token');
        if (!$token) {
            // Nothing to check yet. This is a fail-open path: a client that never
            // ran collector.js (curl, a scripted HTTP library) has no cookie and is
            // waved through. On guarded routes consider challenging instead.
            return $next($request);
        }

        try {
            $res = Http::timeout(2)
                // Read the key via config(), not env(): env() is null once config is
                // cached. Add 'detectip' => ['key' => env('DETECTIP_KEY')] to config/services.php.
                ->withHeaders(['X-API-Key' => config('services.detectip.key')])
                ->get('https://detectip.ai/api/v1/verdict', ['token' => $token]);
        } catch (\Throwable $e) {
            return $next($request); // fail open on timeout or connection error
        }

        // A non-2xx reply (e.g. 401 from a wrong key) also falls through to allow;
        // log it in production so a misconfiguration does not pass silently.
        if ($res->ok() && $res->json('action') === 'block') {
            abort(403, 'Request blocked.');
        }

        return $next($request);
    }
}

4. Register and apply it

In app/Http/Kernel.php (Laravel 10 and earlier) add to $middlewareAliases:

'botguard' => \App\Http\Middleware\BotGuard::class,

On Laravel 11, where Kernel.php no longer exists, register the alias in bootstrap/app.php inside withMiddleware(): $middleware->alias(['botguard' => \App\Http\Middleware\BotGuard::class]);

Then protect sensitive routes:

Route::post('/register', [RegisterController::class, 'store'])->middleware('botguard');
Route::post('/comment', [CommentController::class, 'store'])->middleware('botguard');

5. Challenge instead of block (optional)

For borderline traffic, branch on the recommended action: block -> 403, challenge -> redirect to a proof-of-work/CAPTCHA page, allow -> continue. The action is computed from your configured thresholds.
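Putting the three outcomes together, as an added example that is not detectip.ai's own code: the decision is split into a pure decide() step and the HTTP call, so the policy can be unit-tested without the network. It goes further than the page in one respect: a request to a guarded route with no botd_token at all is challenged rather than allowed, because a real browser that loaded your form has already run collector.js, while a bare HTTP client has not. Assumptions not taken from the page: the verdict JSON carries action as allow, challenge or block; a GET route named challenge serves your proof-of-work or CAPTCHA page and finishes with redirect()->intended(); the key is read from config('services.detectip.key').

```php
<?php
// Added example, not detectip.ai's code. Assumed: verdict JSON has "action"
// in {allow, challenge, block}; a named route "challenge" exists; the key is
// at config('services.detectip.key').

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Http;
use Illuminate\Support\Facades\Log;
use Symfony\Component\HttpFoundation\Response;

class BotGuard
{
    /**
     * Pure policy step, kept apart from the HTTP call so it can be unit-tested:
     * maps (token present?, decoded verdict or null) to allow|challenge|block.
     */
    public static function decide(?string $token, ?array $verdict): string
    {
        // No token means collector.js never ran. On a route you chose to guard
        // that is itself a signal, so send the client to the challenge page.
        if ($token === null || $token === '') {
            return 'challenge';
        }

        // No verdict (timeout, 5xx, wrong key): fail open, but the caller logs it.
        if ($verdict === null) {
            return 'allow';
        }

        $action = $verdict['action'] ?? 'allow';

        // Never trust an unexpected value into a block or challenge path.
        return in_array($action, ['allow', 'challenge', 'block'], true) ? $action : 'allow';
    }

    public function handle(Request $request, Closure $next): Response
    {
        $token = $request->cookie('botd_token');
        $verdict = ($token === null || $token === '') ? null : $this->fetchVerdict($token);

        $action = self::decide($token, $verdict);

        if ($action === 'block') {
            abort(403, 'Request blocked.');
        }

        if ($action === 'challenge') {
            // API clients cannot follow a redirect usefully; tell them what to do.
            if ($request->expectsJson()) {
                return response()->json(['error' => 'challenge_required'], 403);
            }
            // guest() stores the referring page as the intended URL for a POST,
            // so the challenge page can return the user with redirect()->intended().
            return redirect()->guest(route('challenge'));
        }

        return $next($request);
    }

    /** Returns the decoded verdict, or null when no trustworthy answer was obtained. */
    private function fetchVerdict(string $token): ?array
    {
        try {
            $res = Http::timeout(2)
                ->withHeaders(['X-API-Key' => config('services.detectip.key')])
                ->get('https://detectip.ai/api/v1/verdict', ['token' => $token]);
        } catch (\Throwable $e) {
            // Fail open, but loudly: while this fires, guarded routes are unprotected.
            Log::warning('detectip verdict unavailable', ['error' => $e->getMessage()]);
            return null;
        }

        if (!$res->ok()) {
            // 401/403 here usually means a wrong key; do not let it pass silently.
            Log::warning('detectip verdict non-OK', ['status' => $res->status()]);
            return null;
        }

        $data = $res->json();
        return is_array($data) ? $data : null;
    }
}
```

The fail-open branches log a warning rather than returning quietly; wire that log line to an alert, because for as long as the API is unreachable every route behind botguard is effectively unguarded. decide() can be exercised directly in a PHPUnit test with constructed verdict arrays, for example decide('abc', ['action' => 'block']) returning 'block' and decide(null, null) returning 'challenge', without hitting detectip.ai.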

Why fingerprints beat UA sniffing

detectip.ai scores TLS (JA4), HTTP/2 frames, IP intelligence and behavior together, so a faked User-Agent on a non-browser stack is caught and every signal is shown. Background: JA4 fingerprinting explained.

FAQ

Does this hurt SEO? No — declared search crawlers are verified by reverse DNS and not blocked. See fraud prevention.

What if the API is slow? The timeout(2) + try/catch fails open, so your app never hangs on detection. The flip side is that while the API is unreachable, routes behind the middleware are unprotected; log the exception in the catch block and alert on it rather than letting the fail-open path stay invisible.

Get a key: free tier at signup; full reference in the API docs.