Blog
Writing on request fingerprinting, browser bot detection, and running it in production.
-
RQ4-S: detecting cookie-reuse handoff in session-level header analysis
In the cookie-reuse handoff attack, a real browser solves a JS challenge and hands the session cookie to a bot; the bot replays it, defeating per-request detection because each individual request looks legitimate. RQ4-S catches it via session-level header consistency.
-
Bot detection middleware for Next.js App Router
Three patterns for blocking automation traffic in Next.js: external fraud-check API call, inline header analysis, and deferred verdict for AI-SaaS signup flows. Code samples for App Router middleware on Edge Runtime.
-
Detecting curl_cffi after TLS impersonation: the ClientHello length signal
curl_cffi reproduces a target browser's TLS ClientHello at the cipher and extension level but leaves a detectable pattern in raw handshake length. Why JA3-only detection misses curl_cffi traffic and what survives correct impersonation.
-
Comparing fraud-check APIs: FingerprintJS, IPQualityScore, Castle, MaxMind
Honest side-by-side of fraud-check APIs at the indie-hacker and small-SaaS price tiers. What signal layers each ships, integration model, and which gaps each leaves open. Updated 2026-06.
-
Cloudflare Workers normalizes Accept-Encoding before your handler sees it
Workers rewrites the Accept-Encoding header to a fixed subset (br, gzip) before your fetch handler runs, regardless of what the client actually sent. The original is preserved in request.cf.clientAcceptEncoding.