Bot Scanner Pro

Bot Scanner Pro is an advanced detection script that catches sophisticated AI browsers like Stagehand, Browserbase, and Playwright with stealth plugins that evade standard detection.

Why Pro?

Standard bot detection relies on signals that sophisticated automation tools have learned to fake:

navigator.webdriver can be masked
User agents can be spoofed
Chrome object properties can be patched

Bot Scanner Pro goes deeper by analyzing:

How users move their mouse (humans curve, bots go straight)
Click timing patterns (humans have delays, bots are instant)
Canvas and WebGL rendering (hardware fingerprints are hard to fake)
Audio context behavior (often mocked incorrectly)

Lite vs Pro Comparison

Feature	Lite	Pro
Script size	~12KB	~16KB
Detection latency	Immediate	Immediate + 5s behavioral
Best for	High-traffic pages	Login, checkout, sensitive pages

Detection Capabilities

Detection Type	Lite	Pro
WebDriver detection	✅	✅
Headless browser detection	✅	✅
AI crawler detection	✅	✅
Permission API mismatch	✅	✅
Chrome object consistency	✅	✅
Behavioral analysis	❌	✅
Canvas fingerprint hash	❌	✅
WebGL deep fingerprint	❌	✅
Audio context fingerprint	❌	✅
Mouse movement analysis	❌	✅
Click pattern analysis	❌	✅
Scroll velocity analysis	❌	✅
Keystroke dynamics	❌	✅

Expected Detection Rates

AI Browser Type	Lite	Pro
Stagehand + Browserbase	~20%	~60-70%
Playwright + Stealth	~40%	~75%
Basic Puppeteer	~70%	~90%
Commercial anti-detect	~10%	~40%

How Pro Detection Works

Two-Phase Detection

Pro uses a two-phase approach to maximize detection:

Page Load (0ms)
    │
    ├── Phase 1: Immediate Detection
    │   ├── Basic bot signals (webdriver, headless)
    │   ├── Canvas fingerprint hash
    │   ├── WebGL deep parameters
    │   ├── Audio context fingerprint
    │   └── Send detection if score > 20
    │
    ▼
User Interaction (5 seconds)
    │
    ├── Phase 2: Behavioral Analysis
    │   ├── Mouse movement patterns
    │   ├── Click timing analysis
    │   ├── Scroll velocity patterns
    │   ├── Keystroke dynamics
    │   └── Send behavioral update
    │
    ▼
Final Score Calculated

Why two phases?

Phase 1 catches bots that leave immediately
Phase 2 provides deep analysis for bots that stay
Combined data gives the most accurate detection

Detection Signals

Behavioral Analysis

Pro tracks mouse movements, clicks, scrolls, and keystrokes to detect non-human patterns:

Mouse Movement Signals

Signal	Points	What It Detects
Low mousemove count	+25	Fewer than 10 mouse events (bots often skip mouse simulation)
Linear paths	+20	Mouse moves in perfectly straight lines (humans curve)
Constant velocity	+15	No speed variation (humans accelerate/decelerate)
Grid-aligned moves	+15	Positions on exact coordinates (automation artifacts)

Click Signals

Signal	Points	What It Detects
Instant clicks	+30	No delay between mouse stop and click (humans have reaction time)
No pre-movement	+25	Clicks without preceding mouse movement (teleporting cursor)

Scroll Signals

Signal	Points	What It Detects
Constant scroll velocity	+10	Same speed throughout (humans vary)
Perfect scroll intervals	+10	Exact timing between scroll events

Keystroke Signals

Signal	Points	What It Detects
Constant typing rhythm	+15	No variation in keystroke timing
Superhuman typing speed	+20	Less than 30ms between keystrokes

WebGL Deep Fingerprinting

Signal	Points	What It Detects
SwiftShader renderer	+30	Software rendering (common in headless Chrome)
Mesa LLVMpipe renderer	+25	Software rendering on Linux
No unmasked renderer	+15	GPU info hidden (real browsers expose this)
Low extension count	+10	Fewer than 10 WebGL extensions

Audio Fingerprinting

Signal	Points	What It Detects
AudioContext unavailable	+15	API missing or blocked
Zero audio fingerprint	+25	Mocked AudioContext returns zero
Missing baseLatency	+10	Chrome 74+ should have this property
Unusual sample rate	+10	Not 44100 or 48000 Hz
Zero channel count	+15	Invalid audio configuration

Canvas Fingerprinting

Pro generates a unique hash from canvas rendering:

Draws specific shapes and text
Uses specific fonts and colors
Generates hash from the rendered output
Compares against known patterns

Headless browsers often have distinct canvas fingerprints due to software rendering.

Installation

Bot Scanner Lite

<script async src="https://cdn.webdecoy.com/bot-detection/v1/bot-detection.min.js"
        data-aid="your-organization-uuid"
        data-sid="your-scanner-uuid">
</script>

Bot Scanner Pro

<script async src="https://cdn.webdecoy.com/bot-detection/v1/pro/bot-detection-pro.min.js"
        data-aid="your-organization-uuid"
        data-sid="your-scanner-uuid">
</script>

Attributes

Attribute	Required	Description
`data-aid`	Yes	Your organization UUID
`data-sid`	Yes	Your bot scanner UUID
`data-endpoint`	No	Custom ingest endpoint (default: `https://ingest.webdecoy.com/api/v1/detect`)

When to Use Each

Use Lite When:

✅ High-traffic marketing pages
✅ Blog posts and content pages
✅ Public product listings
✅ Bandwidth/performance is critical
✅ You want basic bot protection

Use Pro When:

✅ Login and authentication pages
✅ Checkout and payment flows
✅ Account creation forms
✅ API endpoints receiving form data
✅ High-value transaction pages
✅ You’re seeing sophisticated bot attacks
✅ Lite detection is being bypassed

Recommended Strategy

Use both strategically:

Homepage (Lite)
    │
    ├── Product Pages (Lite)
    │
    ├── Login Page (Pro) ← High-value target
    │
    ├── Checkout (Pro) ← High-value target
    │
    └── Account Settings (Pro) ← Sensitive data

CDN URLs

Version	URL
Pro Minified	`https://cdn.webdecoy.com/bot-detection/v1/pro/bot-detection-pro.min.js`
Pro Source	`https://cdn.webdecoy.com/bot-detection/v1/pro/bot-detection-pro.js`
Lite Minified	`https://cdn.webdecoy.com/bot-detection/v1/bot-detection.min.js`
Lite Source	`https://cdn.webdecoy.com/bot-detection/v1/bot-detection.js`

Privacy Considerations

Bot Scanner Pro collects more data than Lite for detection purposes:

Data Type	Lite	Pro	Purpose
Browser properties	✅	✅	Basic detection
Mouse coordinates	❌	✅	Movement pattern analysis
Click positions	❌	✅	Click behavior analysis
Scroll positions	❌	✅	Scroll pattern analysis
Keystroke timing	❌	✅	Typing rhythm analysis
Canvas fingerprint	Basic	Full	Rendering consistency
WebGL parameters	Basic	Deep	Hardware fingerprinting
Audio fingerprint	❌	✅	Audio context verification

Important:

Data is used solely for bot detection scoring
No actual keystrokes are captured (only timing intervals)
Data is not used for user tracking or advertising
Consider your privacy policy when deploying Pro

Troubleshooting

Detection not sending

Check browser console for [WebDecoy] messages
Verify data-aid and data-sid attributes are set correctly
Ensure score threshold (20) is exceeded
Check network tab for requests to ingest endpoint

Low detection rate

Ensure behavioral phase has time to collect data (users need 5+ seconds on page)
Check that users interact with page (mouse movement, scrolling)
Review detection metadata to see which signals are triggering
Consider if bots are leaving before Phase 2 completes

CORS errors

Pro scripts are served with permissive CORS headers. If you see CORS errors:

Ensure you’re loading from cdn.webdecoy.com
Check if a proxy or CDN is stripping headers
Verify no browser extensions are blocking requests

Next Steps

Bot Scanners - General bot scanner documentation
Integrations - Connect to Cloudflare, Slack, webhooks
Threat Scoring - Understand how scores are calculated