How can we detect web request vs non-web (backend/curl/etc)?

I'm currently using the

origin

origin

origin

origin header as part of our access control strategy but realized this header can be set via non-web clients. Is there a strategy to detect requests coming from the web vs curl-type or backend environments?

rdutton•8/30/24, 5:37 AM

If you use the browser developer tools (F12/inspect) click the network tab, right-click on a request and select 'copy as cURL' you can effectively paste that into your terminal to create the exact request your browser makes.. so, no there is no real way to distinguish between cURL VS someone's browser

tibotiberOP•8/30/24, 6:21 AM

Thanks for the reply. That’s my understanding as well but I’m hoping cloudflare has some secret sauce exposed in the cf parameters. Maybe something related to the work they do on bot detection etc.

tibotiberOP•8/30/24, 6:22 AM

Am i too optimistic here?

tibotiberOP•8/30/24, 1:33 PM

Sure but does it help with this?

tibotiberOP•8/30/24, 2:37 PM

So what I’m trying to identify is how bot management would work in this case. Do I get to use the data in my worker code? Does it give me a clear web client vs other? Is it deterministic or probabilistic? Maybe you have some pointers on that? Sorry I’m starting from 0 here

How can we detect web request vs non-web (backend/curl/etc)?

Similar Threads

Similar Threads

Similar Threads