How to Block Bots Using JavaScript (And Why It's Not Enough)
JavaScript-based bot detection is a useful first layer — but sophisticated bots bypass it easily. Here's what it can and can't do, and what to add on top.
What JavaScript bot detection can do
Browser fingerprinting, headless browser detection (checking for navigator.webdriver), honeypot field injection, mouse movement analysis, and challenge-response tokens. These techniques catch simple bots running raw HTTP requests.
What JavaScript bot detection cannot do
It cannot stop server-to-server attacks, rate-limit abuse at the network layer, detect bots that execute JavaScript correctly (modern headless Chrome does), or protect endpoints that are called directly without a browser.
Stop bots at the network layer, not just the browser.
UebGuard blocks bots before JavaScript even loads — no client-side code required.
No credit card required. Results in 10 seconds.
Detecting headless browsers with JavaScript
Check navigator.webdriver (true in unpatched Puppeteer/Playwright), window.chrome presence, plugins array length (0 in headless Chrome), and screen dimensions. Sophisticated bots patch these — but it still filters unsophisticated scrapers.
The right layered approach
JavaScript detection catches unsophisticated bots at the browser layer. A network-layer WAF or bot manager like UebGuard catches everything else — including bots that skip the browser entirely and call your API directly. Layer them for maximum coverage.
Stop bots at the network layer, not just the browser.
UebGuard blocks bots before JavaScript even loads — no client-side code required.
No credit card required. Results in 10 seconds.