Security Guide
Bot Traffic vs Human Traffic: How to Tell the Difference
A reliable bot strategy does not try to block every automated request. It combines identity, network, browser, behavior, and business signals so legitimate visitors and useful crawlers can keep moving.
If your analytics suddenly show a traffic spike, the first question is usually: is this a wave of customers, a useful crawler, or an automated attack? The answer matters. Blocking all bots can damage search visibility and integrations, while trusting every browser-looking request can expose login, checkout, search, and API endpoints to scraping, credential stuffing, and denial of service.
The practical answer is not a single bot detector. Human traffic and bot traffic overlap: a person may use a browser extension, a mobile app, or a privacy network, while a bot can execute JavaScript, keep cookies, and rotate its IP address. Treat classification as a risk decision, not a permanent label.
Start with the threat model
List the automated behavior that would hurt your business before choosing a rule. OWASP's Automated Threats to Web Applications project describes scraping, credential stuffing, account creation, scalping, denial of inventory, and metric skewing as distinct threats. They do not have the same indicators or response.
- Scraping consumes content and bandwidth, often with broad, repeatable URL coverage.
- Credential stuffing targets login or password reset routes with many accounts and low success rates.
- Inventory abuse concentrates on search, cart, reservation, or checkout flows.
- Denial of service may target expensive pages, APIs, or infrastructure rather than a single account.
- Useful automation includes search crawlers, uptime checks, accessibility tools, and approved integrations.
Map each threat to the routes, data, identities, and upstream costs it can affect. Your policy should be stricter on a password reset endpoint than on a public article, and stricter on a stock reservation than on a product image.
Do not use one signal as proof
A User-Agent string, source IP, hosting provider, cookie, or JavaScript result can be forged, shared, or changed. Combine independent signals and make high-impact decisions only when the evidence is strong.
Signals that improve classification
1. Treat identity claims as a starting point
The User-Agent header is useful for grouping traffic, but it is self-declared. A client can claim to be a browser, a search crawler, or an AI agent without being one. If you allow a known crawler, verify it using the crawler owner's documented method, such as a published reverse-DNS and forward-DNS check where available. Do not allow a crawler based on a matching string alone.
IP address and ASN add context, not certainty. Cloud infrastructure can host legitimate services and abusive automation in the same ranges. Residential and mobile networks can also produce many unrelated visitors behind shared addresses. Use network reputation as one input and avoid broad blocks that punish an entire provider or country without a business reason.
2. Observe client consistency
Real browsers typically produce a coherent request profile: modern TLS and HTTP behavior, plausible headers, accepted content types, cookies that persist between requests, and browser navigation signals that fit the route. Automation may show impossible combinations, missing browser headers, a fixed fingerprint across many accounts, or a high rate of requests with no normal page sequence.
These are indicators, not a license to fingerprint everyone indefinitely. Collect only what the risk requires, document the purpose, protect the data, and set a retention period. For sensitive flows, a short-lived risk signal is usually more appropriate than a permanent device identity.
3. Measure behavior and velocity
Look at sequences instead of isolated requests. Examples include hundreds of product pages in a predictable order, login attempts spread across many usernames, repeated password resets, or a checkout flow completed too quickly to be plausible. Compare request rate by route, session, account, IP, ASN, device signal, and outcome.
Behavior becomes more useful when joined to business events. A visitor who reads pages and completes a purchase should not be treated like a client that requests every SKU but never loads assets or submits a valid session. Use rate limiting to contain velocity while your detection improves.
Build a graduated response
Use confidence bands rather than an immediate allow-or-block rule:
- Low confidence: log the signal and serve normally.
- Suspicious: reduce request speed, add a lightweight step-up, or restrict only the expensive action.
- High confidence: block the route, session, credential, or automation source that is causing harm.
- Known good: allow the documented crawler or integration, but keep a separate rate and error budget.
The response should fit the threat. A public scraper may receive cached content or a slower response. A credential attack should get a generic failure and strong limits on both the source and targeted account. A search crawler should receive the content it is authorized to crawl, not an unrestricted pass to account or checkout routes.
An edge control can reduce unwanted traffic before it reaches the application, but business logic still belongs in the application. A bot management policy can identify patterns; the application must still enforce account ownership, purchase limits, authorization, and fraud checks. For APIs, combine the edge decision with authentication, schema checks, and quotas as described in API protection.
Roll out without breaking customers
Begin in observe-only mode. Create a dashboard with requests by route, status, country, ASN, client category, response time, authentication result, and decision reason. Sample real sessions from major devices, networks, regions, crawlers, and partners. Test login, search, checkout, APIs, and accessibility journeys rather than relying on the homepage.
Next, apply a narrow rule to one high-risk route. Compare false positives, successful logins, conversion steps, crawler coverage, support reports, and origin load before expanding. Keep an emergency bypass that is authenticated, audited, time-limited, and unavailable to ordinary request headers. Review rules after launches, promotions, mobile-app releases, and partner changes.
Common mistakes
- Blocking every cloud ASN or data-center IP, which also blocks legitimate integrations and security tools.
- Trusting
User-Agent,Referer, or a client-side cookie as an identity proof. - Applying one global threshold to static pages, login, APIs, and checkout.
- Returning detailed failure reasons that help an attacker tune the next request.
- Treating a CAPTCHA as the primary control instead of using risk-based step-up only when needed.
- Keeping raw fingerprints or IP data forever without a privacy and retention decision.
- Measuring only request counts and ignoring successful logins, orders, errors, latency, and origin resource use.
For a broader control plan, pair this guide with Rate Limiting Explained, API Protection at the Edge, and the security headers checklist.
Authoritative references
- OWASP Automated Threats to Web Applications
- OWASP Bot Management and Anti-Automation Cheat Sheet
- Google crawler verification guidance
There are only two hard things in Computer Science: cache invalidation and naming things.
Need a clearer view of your traffic?
Talk to our team about a measured, layered approach to bots, APIs, and edge security.
Contact Optimi