Bot detection is the practice of distinguishing automated, non-human web traffic from genuine human visitors by analysing browser environment signals, interaction patterns, and hardware characteristics. It protects applications from credential stuffing, content scraping, inventory hoarding, ad fraud, and other automated abuse.
Effective bot detection draws on multiple signal categories. Hardware and environment signals reveal whether the browser is running on real consumer hardware or in a server-side or virtual environment. Behavioural signals capture how a session interacts with the page. Cross-signal consistency checks expose forged environments where the declared hardware profile contradicts what the browser actually produces.
Bot detection is not binary. Rather than a hard yes-or-no classification, most production systems produce a risk score that reflects confidence in the automated-versus-human assessment. This score is combined with application context, such as the action being attempted and the account history, to make an access or challenge decision.
In doorman-benny
doorman-benny exposes `automation.automationLikelihood` on the result object (low, medium, or high), aggregating hardware and environment signals to estimate whether a session is being driven by automation rather than a real user.
Automation scoring (docs)
Frequently asked questions
What is the difference between bot detection and CAPTCHA?
CAPTCHA challenges the user to perform a task that is easy for humans but hard for automated systems. Bot detection analyses the browser and session signals passively, without interrupting the user experience. The two are complementary: passive detection can trigger a CAPTCHA challenge only when the risk score exceeds a threshold.
Can bots evade fingerprint-based bot detection?
Sophisticated bots use anti-detect browsers or headless browser hardening to reduce detectable signals. However, maintaining a perfectly consistent hardware profile that matches a genuine device across all simultaneously checked signals is very difficult, and cross-signal consistency analysis exploits this difficulty.
Does bot detection affect real users?
Fingerprint-based bot detection runs passively in the background and has no visible impact on legitimate users. The signal collection happens during normal page load without any user-facing interaction. Only sessions that exceed a configured risk threshold are subjected to additional friction or blocking.
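The threshold-based decision described above (a risk score combined with the action being attempted and the account history, leading to allow, challenge, or block) can be sketched as a server-side policy. This is an added example, not doorman-benny code: only the `automation.automationLikelihood` field and its three values come from this page, while the function name `decide`, the action names, the context fields, the weights and the thresholds are assumptions.

```javascript
// Added example: hypothetical server-side policy, not doorman-benny code.
// Only automation.automationLikelihood ("low" | "medium" | "high") comes from
// the page; every weight, threshold and action name below is an assumption.
const LIKELIHOOD_SCORE = new Map([["low", 0], ["medium", 40], ["high", 80]]);
const ACTION_WEIGHT = new Map([
  ["view", 0], ["login", 15], ["checkout", 20], ["password_reset", 25],
]);
const UNKNOWN_ACTION_WEIGHT = 25; // unlisted actions are treated as sensitive
const CHALLENGE_AT = 40;
const BLOCK_AT = 80;

function decide(result, context) {
  const likelihood = result?.automation?.automationLikelihood;
  // A missing or unexpected value must not fail open: score it as "medium".
  const base = LIKELIHOOD_SCORE.get(likelihood) ?? LIKELIHOOD_SCORE.get("medium");
  const actionWeight = ACTION_WEIGHT.get(context.action) ?? UNKNOWN_ACTION_WEIGHT;

  const ageDays = Number(context.accountAgeDays) || 0;
  const failures = Number(context.recentFailedLogins) || 0;
  let history = 0;
  if (ageDays < 1) history += 10;                      // brand-new or anonymous account
  if (failures >= 5) history += 25;                    // recent burst of failed logins
  if (ageDays >= 90 && failures === 0) history -= 15;  // established, clean history

  const score = Math.min(100, Math.max(0, base + actionWeight + history));
  let decision = "allow";
  if (score >= BLOCK_AT) decision = "block";
  else if (score >= CHALLENGE_AT) decision = "challenge"; // e.g. show a CAPTCHA
  return { score, decision };
}

// Constructed sample sessions: [detection result, application context].
const samples = [
  [{ automation: { automationLikelihood: "low" } },
   { action: "view", accountAgeDays: 400, recentFailedLogins: 0 }],
  [{ automation: { automationLikelihood: "medium" } },
   { action: "login", accountAgeDays: 400, recentFailedLogins: 0 }],
  [{ automation: { automationLikelihood: "high" } },
   { action: "login", accountAgeDays: 0, recentFailedLogins: 6 }],
  [{}, { action: "password_reset", accountAgeDays: 0, recentFailedLogins: 0 }],
];
for (const [result, context] of samples) {
  console.log(context.action, decide(result, context));
}
```

The same likelihood value produces different outcomes depending on context: a "high" result on a read-only page view from an established account is challenged rather than blocked, while a "low" result during a burst of failed logins still triggers a challenge.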

