Bot detection
A bot is automated, non-human traffic behind signup farms, click fraud, and ad-budget siphoning.
Step 1: Set up login and signup protection
Before anything else here, set up Signup protection and Login protection. They're the basis this builds on, and without them the policies below can be bypassed. With those in place, the rest of this guide covers the policies that keep automated traffic out.
Step 2: Add the policies
A policy has a trigger (the event it runs on) and a verdict. Add these in your policies dashboard:
| Policy | Trigger | Conditions | Verdict |
|---|---|---|---|
| Block datacenter traffic | login, signup, access | ip_is_hosting, or ip_is_proxy | Deny |
| Block fake devices | login, signup, access | is_simulator or is_emulator (native apps) | Deny |
| Challenge high bot risk | login, signup, access | bot risk is high (coming soon) | Challenge |
The bot-risk challenge lands with bot risk summaries (coming soon): when a request's bot risk is high, the policy issues a 2FA challenge that a real person clears and a bot can't. Until then, read the bot score off the evaluation in your own logic; the datacenter and device policies above work today.
Related
- Need help? Contact support.
- Want to see Rupt in action? Request a demo.
- Questions? Talk to sales.
- Check out our changelog.
- Check our status page.
- LLM? Read llms.txt.