Bot detection is the process of distinguishing automated traffic from real human users based on behavioral, environmental, and network signals collected during a session. Done well, it blocks scraping, credential stuffing, and form abuse without adding meaningful friction for legitimate visitors.
The challenge is that bots have gotten better. Headless browsers render JavaScript, residential proxies rotate IP addresses, and solver farms complete visual puzzles in seconds. Effective detection now relies on layered signals rather than any single check.
The Core Signal Categories
Bot detection systems typically combine three families of signals.
Behavioral signals
These are patterns produced by how someone interacts with a page before submitting a form or clicking a button:
- Mouse movement entropy — Humans rarely move a cursor in a straight line. Bots using automated drivers often produce geometric paths or no movement at all.
- Keystroke timing — The inter-key delay distribution for human typing follows a rough statistical pattern. Scripted input tends to be either perfectly uniform or instantaneous.
- Scroll and focus events — A real user typically scrolls, changes tabs, or lets the window sit idle. Sessions with zero interaction events before a form submit are suspicious.
- Touch pressure and gesture variance (mobile) — Touchscreen interactions have natural variance in pressure, angle, and speed that scripted tap events rarely replicate.
Environmental signals
These come from the client runtime rather than user behavior:
- Navigator and screen properties — Headless Chrome and other automation frameworks expose detectable fingerprints in
navigator.webdriver, missing plugin arrays, or unusual screen dimensions. - Canvas and WebGL rendering — GPU-rendered graphics are slightly different across real hardware combinations. Bots running in containers often produce identical or near-identical fingerprint hashes.
- Font enumeration — The set of fonts installed on a device varies by OS version and user configuration. A machine with no installed fonts is unusual.
Network and reputation signals
- IP reputation databases flag known data-center ranges, Tor exit nodes, and previously abusive addresses.
- ASN classification separates residential ISPs from hosting providers.
- Request rate and timing patterns at the edge can reveal coordinated bot traffic even before JavaScript runs.
Static Rules vs. Machine Learning Models
Early CAPTCHA systems relied almost entirely on static rules: block this IP, require a puzzle above a threshold challenge score. Rules are transparent and fast, but attackers can enumerate them.
Modern bot detection layers a statistical model on top. The model is trained on labeled sessions (confirmed human vs. confirmed bot) and scores each new session against learned feature weights. This makes the system harder to reverse-engineer because the exact decision boundary is not public.
| Approach | Strengths | Weaknesses |
|---|---|---|
| IP blocklists | Fast, cheap to run | Ineffective against residential proxies |
| Static behavioral rules | Predictable, auditable | Easily evaded once enumerated |
| ML scoring | Adapts to new attack patterns | Requires training data, can drift |
| CAPTCHA challenge | User-verifiable, low false negatives | Adds friction, solvable at scale |
| Combined / layered | High accuracy, hard to evade | More complex to operate |
Most production systems use all four in sequence: filter obvious bad traffic early, run passive scoring, and only fall back to an interactive challenge when the score is ambiguous.
How Server-Side Validation Fits In
Client-side detection alone can be spoofed by an attacker who understands what signals your widget collects. The safer pattern is to have the client produce a short-lived token after a successful challenge, then validate that token server-side before processing the request.
CaptchaLa follows this pattern. After the widget completes a challenge, it hands back a pass_token. Your backend then validates it:
POST https://apiv1.captcha.la/v1/validate
X-App-Key: <your-app-key>
X-App-Secret: <your-app-secret>
Content-Type: application/json
{
"pass_token": "<token-from-widget>",
"client_ip": "203.0.113.42" // optional, improves accuracy
}The server checks the token's signature, expiry, and the IP against its own signals before returning a pass/fail. This means even if an attacker reverse-engineers the client widget, they still need a valid server-issued token that hasn't expired.
For fully server-rendered flows (no browser widget), there's also a server-to-server challenge issuance endpoint at POST https://apiv1.captcha.la/v1/server/challenge/issue, which lets the backend gate an action without any front-end component.
Comparing the Main CAPTCHA and Bot Detection Services
Most teams evaluate a handful of well-known options before choosing one.
Google reCAPTCHA v3 scores sessions invisibly and returns a float between 0 and 1. It integrates easily but ties your user data to Google's infrastructure, which is a concern for privacy-focused applications.
hCaptcha offers image-based challenges with an optional privacy-preserving mode. It has become a common drop-in replacement for teams that want to avoid Google but still want a mature challenge library.
Cloudflare Turnstile is a good fit if you're already routing traffic through Cloudflare. It runs a proof-of-work challenge and is free within Cloudflare's ecosystem, though it ties detection logic to Cloudflare's network visibility.
CaptchaLa is designed for teams that need multi-platform SDK support without sending user data to a third-party advertising network. It ships native SDKs for Web (JS, Vue, React), iOS, Android, Flutter, and Electron, with server-side libraries for PHP (captchala-php) and Go (captchala-go). For mobile specifically, the Maven artifact (la.captcha:captchala:1.0.2), CocoaPods pod (Captchala 1.0.2), and pub.dev package (captchala 1.3.2) cover most mobile stacks. The widget is loaded via https://cdn.captcha-cdn.net/captchala-loader.js and supports eight UI languages out of the box. All signal data stays first-party.
The right choice depends on your threat model, platform mix, and data residency requirements — not on which service has the most brand recognition.
What "Good Enough" Actually Looks Like
There's no detection system that catches 100% of bots with 0% false positives. The practical goal is to raise the cost of attack high enough that the expected return drops below the attacker's threshold.
For most web forms, that means:
- Passive behavioral scoring on every session — no added friction for clean traffic.
- A lightweight interactive challenge (audio or visual) only when the passive score is ambiguous.
- Server-side token validation before writing any state to the database.
- Rate limiting and IP reputation checks at the edge, independent of the CAPTCHA layer.
Layer 4 matters because if an attacker is sending thousands of requests per minute, you want to throttle them before they even touch your application server, regardless of whether they can solve a puzzle.
If you're evaluating options for your stack, the CaptchaLa docs have integration guides for each SDK, and the pricing page covers the free tier (1,000 validations/month) through Business plans at 1M+ validations.