Series

Trusting the Client

Kasada, Akamai, DataDome — every client-side bot defense layer fails for the same structural reason: the browser is attacker-controlled territory. Five parts dissecting TLS fingerprinting, environment probing, behavioral telemetry, token rotation, and the runtime trust problem.

  1. Environment Interrogation and the Spoofable Browser

    Defense SDKs probe WebGL renderers, canvas hashes, and hundreds of other browser APIs to fingerprint your environment. A content script registered at document_start in the page's MAIN world runs before the SDK and can patch every one of them.
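An added example (not code from the series) of the pre-load patching technique this part describes: a content script that runs before the defense SDK replaces an API the SDK will later probe, then masks the patch against the usual `fn.toString()` check for `[native code]`. Node has no WebGL, so the probed API here is `Date.prototype.getTimezoneOffset`, a real fingerprinting input; a renderer spoof targets `WebGLRenderingContext.prototype.getParameter` with the same `patchMethod` call. The `Intl` lookup is left deliberately unpatched to show why one spoofed value is not enough.

```javascript
// Added example, not code from the series. In Chrome MV3 this would ship as a
// manifest content_scripts entry with "run_at": "document_start" and
// "world": "MAIN" so it executes in the page realm before the SDK's script tag.

const nativeToString = Function.prototype.toString;

// replacement function -> original function, consulted by the toString mask
const shadowed = new WeakMap();

// Replace proto[name] with a wrapper that calls impl(original, ...args).
function patchMethod(proto, name, impl) {
  const original = proto[name];
  const replacement = function (...args) {
    return impl.call(this, original, ...args);
  };
  // Keep the original's name so `fn.name` checks still match.
  Object.defineProperty(replacement, "name", { value: original.name });
  shadowed.set(replacement, original);
  Object.defineProperty(proto, name, {
    value: replacement, writable: true, configurable: true, enumerable: false,
  });
  return original;
}

// SDKs call fn.toString() and look for "[native code]" to spot patched
// builtins. Route toString through the original for every patched function,
// including the replacement toString itself.
function installToStringMask() {
  const maskedToString = function toString() {
    return nativeToString.call(shadowed.get(this) || this);
  };
  shadowed.set(maskedToString, nativeToString);
  Object.defineProperty(Function.prototype, "toString", {
    value: maskedToString, writable: true, configurable: true, enumerable: false,
  });
}

// The spoof: report the requested UTC offset (300 = UTC-5) whatever the host says.
function installEnvironmentSpoof({ timezoneOffset }) {
  patchMethod(Date.prototype, "getTimezoneOffset", function () {
    return timezoneOffset;
  });
  installToStringMask();
}

// What an SDK environment probe would collect. intlTimeZone is not patched, so
// after the spoof it can contradict timezoneOffset: every API that leaks the
// same fact has to tell the same lie.
function probe() {
  const fn = Date.prototype.getTimezoneOffset;
  return {
    timezoneOffset: new Date().getTimezoneOffset(),
    fnName: fn.name,
    fnSource: fn.toString(),
    toStringSource: Function.prototype.toString.toString(),
    intlTimeZone: Intl.DateTimeFormat().resolvedOptions().timeZone,
  };
}

// Order is the whole point: a probe that ran first sees the real value, the SDK
// loading afterwards sees only the spoofed view.
const beforePatch = probe();
installEnvironmentSpoof({ timezoneOffset: 300 });
const afterPatch = probe();
```

Run it under Node and compare `beforePatch` with `afterPatch`: the offset changes, `fnSource` and `toStringSource` still read as native, and `intlTimeZone` still reports the host's real zone, which is exactly the kind of cross-API inconsistency an SDK can score against.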

  2. Behavioral Telemetry and the Real User Problem

    Akamai's sensor scripts collect mouse movements, keystrokes, and scroll behavior to score sessions as human or bot. A Chrome extension operating inside a real browser session inherits all that legitimacy for free.

  3. Token Rotation and the Inherited Session

    Kasada's per-request token rotation prevents external replay. But chrome.scripting.executeScript with world: "MAIN" runs inside the page's JavaScript realm, so its fetch call goes through the fetch the SDK has already wrapped: the SDK injects the token automatically and the extension never touches it.
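An added example (not code from the series) modelling the three paths this part contrasts: a MAIN-world script calling the page's wrapped fetch, an ISOLATED-world content script calling its own unwrapped fetch, and an external client replaying a captured token. Node has no execution worlds and no chrome.scripting, so the two realms are the plain objects built in `createPage()`, and `x-example-token` plus the `tok-N` counter are placeholders for whatever header and derivation a real SDK uses.

```javascript
// Added example, not code from the series. In the browser the extension would run
// chrome.scripting.executeScript({ target: { tabId }, world: "MAIN", func }) and
// func would simply call fetch(); the objects below stand in for the two realms.

// Constructed stand-in for the network plus origin server. The server accepts
// each token exactly once, which is what defeats replay from outside the page.
function createTransport() {
  const seen = new Set();
  const log = [];
  function nativeFetch(url, init = {}) {
    const token = (init.headers || {})["x-example-token"];
    log.push({ url, token });
    if (!token) return { status: 429, reason: "missing token" };
    if (seen.has(token)) return { status: 403, reason: "replayed token" };
    seen.add(token);
    return { status: 200, reason: "ok" };
  }
  return { nativeFetch, log };
}

// Constructed stand-in for the defense SDK: wraps the page realm's fetch so every
// request carries a fresh token. The counter only models rotation.
function installSdkWrapper(world) {
  const original = world.fetch;
  let counter = 0;
  world.fetch = function fetch(url, init = {}) {
    const token = `tok-${++counter}`;
    const headers = { ...(init.headers || {}), "x-example-token": token };
    return original(url, { ...init, headers });
  };
}

function createPage() {
  const { nativeFetch, log } = createTransport();
  const main = { fetch: nativeFetch };      // page realm: the SDK runs here
  installSdkWrapper(main);
  const isolated = { fetch: nativeFetch };  // content-script realm: same DOM, own globals
  return { main, isolated, log };
}

// Extension code injected with world: "MAIN" calls the page's wrapped fetch and
// inherits a token it never sees.
function requestFromMainWorld(page, url) {
  return page.main.fetch(url).status;
}

// The same request from an ordinary content script hits the unwrapped fetch.
function requestFromIsolatedWorld(page, url) {
  return page.isolated.fetch(url).status;
}

// An external client that captured the most recent token on the wire and resends it.
function replayCapturedToken(page, url) {
  const withToken = page.log.filter((entry) => entry.token);
  const captured = withToken[withToken.length - 1].token;
  return page.isolated.fetch(url, { headers: { "x-example-token": captured } }).status;
}
```

Each MAIN-world call succeeds with a new token, the ISOLATED-world call is rejected for carrying none, and the replay is rejected because the server has already consumed that token; rotation stops the third path but not the first.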

  4. The Runtime Trust Problem

    All four defense layers — TLS fingerprinting, environment probing, behavioral telemetry, token rotation — fail for the same reason: the browser is not a trusted execution environment. The economics and architecture of what actually works.
