Bots make up a large share of web traffic, and not all of it is bad. The goal isn't to block everything automated — it's to filter the harmful traffic while letting real users and good bots through. Here's a layered approach.
Layer 1: network signals (cheap, hard to fake)
Start at the connection. Network fingerprints (JA4/JA4H/JA4T/QUIC) reveal whether the client's TLS/HTTP stack matches a real browser, even when the User-Agent lies. IP intelligence (datacenter ASN, proxy/VPN flags) adds context. See JA4 explained.
Layer 2: automation tells
navigator.webdriver, CDP artifacts, missing browser entropy and headless quirks catch off-the-shelf automation cheaply.
Layer 3: behavior
Mouse/keystroke dynamics, timing and interaction entropy separate humans from scripts — useful for the automation that passes layers 1-2.
Layer 4: reputation & velocity
Track fingerprint/IP/ASN history: a fingerprint seen across many IPs in minutes, or an ASN dominated by abuse, raises risk. This catches distributed attacks in which every individual request would pass if judged on its own.
Combine into one explainable score
No single layer is decisive. Sum the signals into a score with a recommended action — allow, challenge, block — and tune the threshold per route. detectip.ai does exactly this and shows which signals fired, so you can defend every decision. See the live demo.
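A sketch of this scoring step, added here as an example (it is not detectip.ai's implementation or code from this page), which also folds in the layer 4 velocity check. The signal names, weights, per-route thresholds and the `VelocityTracker` helper are assumptions chosen for illustration.

```python
from collections import defaultdict, deque

# Assumed weights and thresholds for illustration; tune them on your own traffic.
WEIGHTS = {
    "ja4_ua_mismatch": 40,          # layer 1: TLS stack does not match the claimed browser
    "datacenter_asn": 15,           # layer 1: IP intelligence
    "webdriver_flag": 35,           # layer 2: navigator.webdriver reported true
    "low_interaction_entropy": 20,  # layer 3: behavior
    "fingerprint_velocity": 30,     # layer 4: reputation and velocity
}
ROUTE_THRESHOLDS = {  # route -> (challenge_at, block_at)
    "/login": (30, 60),
    "default": (50, 90),
}

class VelocityTracker:
    """Flags a fingerprint seen from many distinct IPs inside a sliding window."""
    def __init__(self, window_s=300, max_ips=5):
        self.window_s, self.max_ips = window_s, max_ips
        self.seen = defaultdict(deque)  # fingerprint -> deque of (ts, ip)

    def observe(self, fingerprint, ip, ts):
        q = self.seen[fingerprint]
        q.append((ts, ip))
        while q and q[0][0] <= ts - self.window_s:  # drop sightings outside the window
            q.popleft()
        return len({seen_ip for _, seen_ip in q}) > self.max_ips

def score_request(route, signals):
    """Return (score, action, fired) so every decision can be explained."""
    fired = sorted(name for name, on in signals.items() if on and name in WEIGHTS)
    score = sum(WEIGHTS[name] for name in fired)
    challenge_at, block_at = ROUTE_THRESHOLDS.get(route, ROUTE_THRESHOLDS["default"])
    if score >= block_at:
        action = "block"
    elif score >= challenge_at:
        action = "challenge"
    else:
        action = "allow"
    return score, action, fired

if __name__ == "__main__":
    tracker = VelocityTracker()
    # Constructed sample: one fingerprint rotating through six IPs in one minute.
    for n in range(6):
        fast = tracker.observe("constructed_fp", f"198.51.100.{n}", ts=1000 + n * 10)
    print(score_request("/login", {"datacenter_asn": True, "fingerprint_velocity": fast}))
```

The same two signals that trigger a challenge on `/login` are allowed on a route using the default thresholds, which is the per-route tuning described above.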
Don't punish good bots
Verify declared crawlers (search engines) so you don't block traffic you want. Apply rate limits to unknown automation instead of hard blocks where possible.
FAQ
Do I need CAPTCHAs? Often not — see bot detection without CAPTCHA.
Where do I start? Add network fingerprinting + IP intelligence first; it's the highest-leverage layer. Get a free key.