Bot Detection Test

Browser fingerprinting is a technique that collects various attributes exposed by your browser to create a unique identifier for your device. This includes data such as screen resolution, installed plugins, timezone, language settings, WebGL renderer details, user agent string, and many other signals. When combined, these attributes form a "fingerprint" that is often unique enough to distinguish one browser from another, even without cookies or login sessions. This test uses fingerprinting to assess whether a visitor appears to be a real human user or a potential automated bot.

The test analyzes dozens of browser signals and looks for inconsistencies commonly found in automated environments. It checks for known headless browser indicators (WebGL, canvas, screen dimensions, etc.), spoofed user agents, automation properties left by tools like Selenium or Puppeteer, and missing feature APIs that real browsers always expose. Each suspicious signal contributes points to a cumulative risk score from 0 to 100, where higher scores indicate a greater likelihood of bot activity.

This script provides a solid first layer of defense focused on browser identification and fingerprinting, but effective bot protection typically requires a multi-layered approach. Browser fingerprinting can detect headless browsers, spoofed user agents, and automation tools, but sophisticated bots may evolve to bypass client-side checks alone. For comprehensive protection, we recommend combining browser fingerprinting with additional layers such as IP reputation analysis to identify known malicious and suspicious IP addresses, geolocation and proxy detection to flag suspicious traffic origins, email reputation checks to verify user identities during sign-ups, and user behavior analysis to detect non-human interaction patterns, multiple accounts and historical suspicious behaviors. Each layer catches threats that others might miss, and together they create a much stronger defense against automated abuse.

Client-side bot detection is inherently heuristic-based, which means false positives are possible in certain edge cases. For example, users with unusual browser configurations, privacy-focused extensions, or older browser versions may trigger some signals. Similarly, browsers running inside virtual machines or with strict privacy settings may appear slightly suspicious. The risk score is designed to be conservative: a real human user on a standard browser should consistently score 0. The test is most reliable when multiple signals converge, as sophisticated bots typically fail across several checks simultaneously.

The test collects a wide range of browser-exposed attributes organized into several categories: screen properties (resolution, color depth, pixel ratio), time and locale settings, HTTP request headers (user agent, accept-language, client hints), navigator properties (platform, language, plugins, hardware concurrency, device memory), browser kernel detection (engine type, version, and mismatch analysis), WebRTC capabilities and public IP detection, WebGL renderer details, and extra signals including Web Audio API, SpeechSynthesis, canvas rendering, and Bluetooth API.

A "tampered" browser means the test detected inconsistencies between what your browser claims to be and what it actually supports. For example, if your user agent says you are running Chrome but the browser lacks Chrome-specific features like the window.chrome object or Google speech synthesis voices, it suggests the user agent has been spoofed. Other tamper signals include missing Firefox-specific properties on a Firefox user agent, and kernel engine mismatches.

No. This tool runs entirely in your browser using client-side JavaScript. All fingerprinting, analysis, and risk scoring happen locally on your device. No browser data, fingerprint results, or personal information is sent to our servers or shared with any third party. The only external network requests made by the tool are to public STUN servers (for WebRTC IP detection) and to a public IP lookup service (to determine your remote IP address). Currently the test does not perform IP address analysis via our APIs.

A high risk score can result from several factors. Common causes include: using a browser with strict privacy settings that disable APIs like WebGL or Web Audio, running inside a virtual machine with limited device memory, having browser extensions that modify the user agent string or block JavaScript APIs, using an outdated browser that lacks modern features the test checks for, or accessing the page through an automated testing framework. Check the individual risk reasons listed below the score to see exactly which signals contributed to your result. Each reason includes its point value so you can understand the relative weight of each finding. Please note that this is an experimental test.

No, this test is entirely a client-side analysis of your browser's JavaScript properties and capabilities. It does not perform any server-side IP analysis such as reputation checks, geolocation, or proxy detection. In future, we may enhance this test with results from our IP Reputation API. The remote IP address shown in the results is obtained client-side by querying the public API service api.ipify.org or icanhazip.com. The test will also connect to a public STUN server for WebRTC detection.

The tool was created to test bot detection by primarily checking browser properties and other signals client-side, and is intended for testing purposes only. While the detection methods used are based on well-established fingerprinting techniques, the specific thresholds, risk scoring weights, and signal combinations are continuously being refined. Browser vendors regularly update their APIs and behaviors, which can affect detection accuracy over time. The tool should be used as one data point among many in a comprehensive bot detection strategy, rather than as a definitive classification system. We encourage users to contact us and provide feedback to help improve detection accuracy.