Recipe: Bot filtering + rate-limit layer
Stop scrapers, credential-stuffing bots, and aggressive crawlers before they reach your application logic. This recipe layers a proof-of-work challenge (signed challenge tokens, Step 1) with token-bucket rate limiting (Step 3) at the edge.
Step 1 — Deploy the challenge endpoint
Create a serverless function that issues a signed challenge token after verifying a proof-of-work nonce. Store the token in an edge key-value store with a 30-second TTL. Bind the token to the requesting client (at minimum its IP) and mark each challenge nonce as used when it is redeemed, so that one solved puzzle cannot be replayed across a botnet; the KV entry also lets you revoke a token before its signature expires.
Step 2 — Inject the interceptor
Add a middleware layer that inspects the X-Challenge-Token header. If the header is absent, fails signature verification, or has expired, redirect the client to the challenge endpoint with a 307 Temporary Redirect. Note that 307 preserves the request method and body, so a POST would be replayed at the challenge endpoint: redirect only GET requests and answer non-GET and API requests with a 401 that names the challenge endpoint.
Step 3 — Configure the token bucket
Attach a per-IP token bucket to your edge router: allow 10 requests per second with a burst of 20. Clients that exhaust the bucket receive a 429 response with a Retry-After header. Key the bucket on the connecting address, or on a client IP taken from a forwarding header only when that header was set by a proxy you control; otherwise a client can spoof X-Forwarded-For and escape the limit.
Step 4 — Monitor and tune
Log challenge-failure rates and 429 counts to your observability pipeline. Adjust the bucket parameters based on legitimate traffic patterns during peak hours.
Pro tip
Combine this recipe with the hardware-fingerprint layer to permanently ban repeat offenders without impacting legitimate users behind shared IPs.