alt Hacker Newswhy is bot detection even happening at render time instead of request time. why can't tell you’re a bot from your headers, UA, IP, TLS fingerprint. imo making it a surveillance. 'you're a bot, ok not just go away, let’s fingerprint your GPU and assign you a behavioral risk score anyway'
It's really hard to detect it at request time. It's practically trivial for an attacker to fake headers to resemble a real browser.