Client-Side Detection

Bot Scanner

JavaScript-based detection that analyzes browser characteristics and behavior to identify automated tools, headless browsers, and bots. Calculates a threat score from 0-100 for every visitor.

Start Scanning Opens in a new tab View Documentation
Bot Scanner Detection
// Visitor loads page
// → Scanner JavaScript executes
// → Bot score calculated (0-100)
// → Detection sent to WebDecoy

{
  "visitor_id": "v_abc123",
  "bot_score": 78,
  "signals": {
    "webdriver": true,
    "headless": true,
    "canvas_anomaly": true,
    "mouse_entropy": 0.12
  },
  "verdict": "bot"
}

How Bot Scanner Works

A lightweight JavaScript that runs client-side, analyzing dozens of signals to determine if a visitor is human or bot.

1

Page Load

Visitor loads your page with the scanner script

2

Signal Collection

Scanner analyzes browser, behavior, and fingerprints

3

Score Calculation

Threat score (0-100) calculated from signals

4

Detection Sent

Results sent to WebDecoy for action

Sensitivity Levels

Configure how aggressively the scanner flags visitors as bots.

Low

70+ score

Catches obvious automation. Minimal false positives.

Medium

Recommended

50+ score

Balanced detection vs false positives. Recommended for most sites.

High

30+ score

Maximum detection. Higher false positive risk.

Detection Methods

What Bot Scanner Analyzes

Multiple detection methods combine to create a comprehensive bot score. No single signal is definitive—it's the combination that matters.

WebDriver presence (navigator.webdriver)
Missing browser plugins
Canvas fingerprint anomalies
WebGL renderer inconsistencies
Audio context fingerprinting
Font enumeration patterns
Timezone/language mismatches
Mouse movement entropy
Scroll behavior patterns
Form interaction timing
Scanner Installation
<!-- Add to your HTML -->
<script
  src="https://cdn.webdecoy.io/scanner.js"
  data-scanner-id="scn_your_id"
  async
></script>

<!-- Scanner auto-detects and reports -->
<!-- No additional code required -->

Detection Capabilities

WebDriver Detection

Detect Selenium, Puppeteer, and Playwright through WebDriver presence and automation markers.

Headless Browser Detection

Identify headless browsers via missing plugins, canvas fingerprinting anomalies, and WebGL inconsistencies.

AI Crawler Identification

Detect GPTBot, ClaudeBot, Google-Extended, PerplexityBot, CCBot, and other AI training crawlers.

Behavioral Analysis

Monitor mouse movements, scroll patterns, and form-filling speed to distinguish humans from bots.

Browser Fingerprinting

Canvas rendering, WebGL renderer, audio context, font enumeration, and timezone/language analysis.

Honeypot Integration

Auto-inject hidden form fields and display:none links that only bots interact with.

Auto-Injected Honeypots
<!-- Form honeypot (auto-injected) -->
<input
  type="text"
  name="website_url"
  style="position:absolute;left:-9999px"
  tabindex="-1"
  autocomplete="off"
/>

<!-- Link honeypot (auto-injected) -->
<a
  href="/trap/admin-access"
  style="display:none"
  aria-hidden="true"
></a>

// If bot fills hidden field or clicks
// hidden link → instant detection
Built-In Traps

Automatic Honeypot Injection

Bot Scanner automatically injects hidden form fields and links that only bots will interact with. Humans never see them, but bots filling every field or clicking every link instantly reveal themselves.

Form Honeypots

Hidden inputs positioned off-screen. Bots that fill them are flagged immediately.

Link Honeypots

Display:none anchor tags to decoy paths. Only bots parsing HTML will find and follow them.

Enhanced Detection

Bot Scanner Pro

For sophisticated AI browsers like Stagehand and Browserbase, Pro implements two-phase detection: immediate signals plus 5-second behavioral updates.

Deeper behavioral tracking
Full canvas fingerprinting
Comprehensive WebGL analysis
Audio fingerprinting
Two-phase detection (immediate + behavioral)
Pro Detection Flow
// Phase 1: Immediate (0ms)
{
  "phase": 1,
  "signals": {
    "webdriver": false,
    "headless_markers": 2,
    "canvas_hash": "abc123..."
  },
  "preliminary_score": 45
}

// Phase 2: Behavioral (+5s)
{
  "phase": 2,
  "signals": {
    "mouse_entropy": 0.08,
    "scroll_pattern": "linear",
    "keystroke_timing": "uniform"
  },
  "final_score": 82,
  "verdict": "ai_browser"
}

Why Client-Side Bot Detection Matters

Server-side detection misses critical signals that only the browser can provide.

Server-Side Only

  • IP address and geolocation
  • User agent string
  • Request headers
  • TLS fingerprint
  • No browser behavior data
  • No JavaScript execution analysis

Client-Side + Server-Side

  • All server-side signals
  • WebDriver and automation markers
  • Canvas and WebGL fingerprints
  • Mouse and keyboard behavior
  • Form interaction timing
  • Headless browser detection

Learn More About Bot Detection

Deep dives into headless browser detection and behavioral analysis.

Headless Browser Detection Guide

Technical deep dive into detecting Playwright, Puppeteer, and Selenium automation.

Bot Scanner Pro: AI Browser Detection

How two-phase detection catches Stagehand, Browserbase, and stealth plugins.

Detect AI Scrapers: GPTBot & ClaudeBot

Stop AI crawlers from scraping your content with behavioral analysis.

See also: Decoy Links for honeypot traps, Node.js SDK for server-side verification, and Threat Scoring for automated responses.

Frequently Asked Questions

Common questions about JavaScript bot detection and browser fingerprinting.

How does JavaScript bot detection work?

Bot Scanner runs as a lightweight JavaScript snippet on your web pages. It analyzes dozens of browser signals including navigator.webdriver presence, canvas fingerprinting, WebGL renderer data, plugin enumeration, and behavioral patterns like mouse movements and scroll behavior. These signals are combined to calculate a threat score from 0-100.

Can Bot Scanner detect Playwright, Puppeteer, and Selenium?

Yes. Bot Scanner specifically targets automation frameworks like Playwright, Puppeteer, and Selenium by detecting WebDriver markers, headless browser signatures, and automation-specific JavaScript properties. Even with stealth plugins enabled, these tools leave detectable traces.

What is browser fingerprinting and how does it detect bots?

Browser fingerprinting collects unique characteristics of a browser including canvas rendering output, WebGL renderer strings, audio context data, installed fonts, and hardware specifications. Bots often have inconsistent or missing fingerprint data that differs from real browsers.

Will Bot Scanner slow down my website?

No. The scanner script is lightweight (under 20KB gzipped) and loads asynchronously so it does not block page rendering. Detection runs in the background and sends results to WebDecoy without affecting user experience or page load times.

What is the difference between Bot Scanner and Bot Scanner Pro?

Bot Scanner provides immediate detection of common automation tools. Bot Scanner Pro adds two-phase detection: immediate signals plus 5-second behavioral tracking. This catches sophisticated AI browsers like Stagehand and Browserbase that evade standard fingerprinting through advanced human behavior simulation.

Ready to detect headless browsers and AI scrapers?

Start with client-side bot detection that catches Playwright, Puppeteer, and Selenium automation.

Get Started Free