在 Cloudflare Workers 上检测机器人

You can call the detectip.ai verdict API from a Cloudflare Worker to gate traffic at the edge — useful when you want bot decisions before requests reach your origin. The browser is fingerprinted by the collector tag; the Worker reads the session cookie and fetches a verdict. See the live demo for the signals involved.

1. Add the collector tag to your site

<script src="https://detectip.ai/collector.js" data-key="pk_live_..."></script>

It sets a first-party botd_token cookie the Worker can read.

2. Store the secret key

npx wrangler secret put DETECTIP_KEY

3. The Worker

src/index.js — gate only sensitive paths, and fail open so detection never takes the site down:

const GUARDED = ["/register", "/login", "/checkout"];

export default {
  async fetch(request, env) {
    const url = new URL(request.url);
    if (!GUARDED.includes(url.pathname)) {
      return fetch(request); // pass through
    }

    const token = (request.headers.get("Cookie") || "")
      .match(/botd_token=([^;]+)/)?.[1];
    if (!token) return fetch(request);

    try {
      const r = await fetch(
        `https://detectip.ai/api/v1/verdict?token=${encodeURIComponent(token)}`,
        { headers: { "X-API-Key": env.DETECTIP_KEY } }
      );
      if (r.ok) {
        const v = await r.json();
        if (v.action === "block") {
          return new Response("Forbidden", { status: 403 });
        }
        // optionally: if (v.action === "challenge") return challenge();
      }
    } catch (_) {
      // fail open on any edge error
    }
    return fetch(request);
  },
};

4. Pass the score to your origin (optional)

Instead of blocking at the edge, add a header (e.g. request.headers.set("X-Bot-Score", v.score) via a new Request) and let your origin decide per route. This keeps enforcement logic in one place.

Edge vs origin

Edge gating stops bad traffic before your origin, but adds a hop to the verdict API. Keep it to high-value paths and short timeouts. For full-app coverage with less latency sensitivity, enforce at the origin — see the Express middleware guide.

FAQ

Does this replace Cloudflare Bot Management? It's an explainable, portable alternative you control — see Cloudflare Bot Management alternatives. You can run it without enabling the managed product.

What about good bots? Declared crawlers are verified by reverse DNS and not blocked.

Get a key: free tier at signup; full reference in the API docs.