MAISON CODE .
/ Security · Cloudflare · Bots · Infrastructure · Redis · Architecture

Bot Mitigation: The War on Resellers

Sneaker bots are eating your inventory. A technical guide to defeating automated scalpers using Cloudflare Turnstile, Honeypots, and Redis Rate Limiting.

AB
Alex B.
Bot Mitigation: The War on Resellers

If you launch a hype product on Shopify (e.g., a limited sneaker drop) without protection, you will sell out in 1 second. This sounds like a “good problem.” It is not. Because 98% of the inventory went to a single reseller in Chicago running a Python script. Your loyal customers—the people who actually wear the brand—got nothing. They are angry. They tweet. They leave.

Bot Mitigation is not an IT ticket. It is Brand Protection. At Maison Code Paris, we engineer “Fair Launch” systems that ensure humans win.

Why Maison Code Discusses This

We have battled the world’s most sophisticated bots. We have seen bots that can solve reCAPTCHA V3. We have seen bots that use residential proxies to look like iPhone users in 50 states. We know that “Installing a plug-in” is not enough. You need Layered Defense. We share our strategy so you can prepare for war.

1. The Threat Model: How Bots Work

To stop a bot, you must think like a bot developer. Most bots are not “browsing” your site.

  1. Monitor: They poll your products.json endpoint every 50ms.
  2. Cart: They bypass the UI entirely and POST /cart/add.js directly.
  3. Checkout: They use “Preload Links” to autofill shipping/billing.
  4. Proxies: They route traffic through 10,000 Residential IPs (hijacked IoT devices).
  5. Captcha: They use API farms (2Captcha) where humans in click-farms solve captchas for $0.001.

2. Layer 1: The Invisible Challenge (Cloudflare Turnstile)

The old Google reCAPTCHA (Click traffic lights) destroys conversion rates. We use Cloudflare Turnstile. It is “Invisible”. It runs a JavaScript Proof-of-Work challenge in the browser background. If the visitor is a headless script (Puppeteer/Selenium), it fails the check.

Implementation in Remix (Hydrogen)

We integrate Turnstile into the Form submission flow.

// app/components/Turnstile.tsx
import { useEffect, useRef } from 'react';

export function Turnstile({ siteKey, action }) {
  const ref = useRef(null);
  
  useEffect(() => {
    if (window.turnstile) {
      window.turnstile.render(ref.current, {
        sitekey: siteKey,
        action: action, // e.g., 'checkout-start'
        callback: function(token) {
           // Inject token into hidden input
           document.getElementById('cf-token').value = token;
        }
      });
    }
  }, []);

  return <div ref={ref} />;
}

Server-Side Validation

Never trust the client. A bot can send a fake token. You must verify it with Cloudflare’s API.

// app/routes/api.checkout.ts
export async function action({ request }) {
  const formData = await request.formData();
  const token = formData.get('cf-turnstile-response');
  const ip = request.headers.get('CF-Connecting-IP');

  const result = await fetch('https://challenges.cloudflare.com/turnstile/v0/siteverify', {
      method: 'POST',
      body: new URLSearchParams({
          secret: process.env.TURNSTILE_SECRET,
          response: token,
          remoteip: ip
      })
  });

  const outcome = await result.json();
  if (!outcome.success) {
      throw new Response("Bot Detected", { status: 403 });
  }
}

3. Layer 2: The Honeypot (Simple but Effective)

Bots are often dumb. They find every <input> field and fill it. We add a “Honey Pot”. A hidden field that a human cannot see (CSS hidden). If the server receives a value in this field, we ban the IP instantly.

<div style={{ opacity: 0, position: 'absolute', top: 0, left: 0, height: 0, width: 0, zIndex: -1 }}>
    <label htmlFor="website_url">Website</label>
    <input type="text" name="website_url" tabIndex={-1} autoComplete="off" />
</div>

Note: Do not use display: none. Smart bots ignore display: none elements. Use opacity: 0 or move it off-screen (left: -9999px).

4. Layer 3: Rate Limiting (Redis Token Bucket)

A human cannot add an item to the cart 50 times in 1 second. We implement strict Rate Limiting at the Application Layer (Vercel Middleware). We use Redis (Upstash) to track request counts.

Algorithm: Sliding Window.

  • Key: ratelimit:ip:192.168.1.1
  • Limit: 5 requests / 10 seconds.
// middleware.ts
import { Redis } from '@upstash/redis';
import { Ratelimit } from '@upstash/ratelimit';

const ratelimit = new Ratelimit({
  redis: Redis.fromEnv(),
  limiter: Ratelimit.slidingWindow(5, '10 s'),
});

export default async function middleware(request) {
  const ip = request.ip || '127.0.0.1';
  const { success } = await ratelimit.limit(ip);
  
  if (!success) {
      return new Response("Too Many Requests", { status: 429 });
  }
}

Cost: This adds ~20ms latency. We only apply it to mutation routes (POST), not read routes (GET).

5. Layer 4: The Virtual Waiting Room (Queue)

Sometimes, the traffic is real (100k real fans). This is a DDoS attack by love. Your database will crash. To solve this, we implement a Queue System (like Queue-it, but custom).

  1. Choke Point: All traffic hits the Edge.
  2. Capacity Check: “Is active_users < 1000?”
  3. Redirect: If Full, redirect to /waiting-room static HTML page.
  4. Poll: Client polls /api/status.
  5. Admit: When capacity opens, issue a signed JWT cookie (queue_pass).

This ensures your Shopify API calls never exceed the throttle limit.

6. The Arms Race: Behavioral Analysis

Advanced bots (stealth) mimic browser fingerprints perfectly. We move to Behavioral Biometrics. We track:

  • Mouse Trajectory: Humans move effectively in curves. Bots move in straight lines or teleport.
  • Keypress Timing: Humans have variable gaps between keystrokes. Bots type at exactly 50ms intervals.
  • Accelerometer: Mobile devices shake slightly. Servers do not.

We send this telemetry to a fraud engine (Sift / Forter).

7. The Economics of Botting

Why do people bot? Profit. A pair of Jordan Travis Scotts retails for $150. Resells for $1,200. Profit: $1,050 per pair. If a bot secures 50 pairs, that is $50k profit in 1 hour. This is why they spend $5,000 on Bot Licenses (CyberAIO) and $1,000 on Proxies. Our Job: Make the cost of winning > $1,200. We do this by introducing “Randomness” (raffles) and “Friction” (Account Age checks). “Only accounts created > 3 months ago can buy this drop.” This kills the “Spin up 1000 accounts today” strategy.

8. Client-Side Encryption (Payload Protection)

Bots love to reverse-engineer your API. They monitor the Network Tab. They see POST /cart { id: 123 }. They replicate it in Python. Defense: Encrypt the payload.

  1. WASM Module: We compile a C++ encryption function to WebAssembly.
  2. Encryption: The browser encrypts the Cart Payload enc_abcd123....
  3. Decryption: The server uses the private key to decrypt. Bots cannot run the WASM easily (it requires a full browser environment). They cannot reverse-engineer the C++ code (it is binary). This raises the bar significantly.

Sometimes, technology fails. If a specific bot provider (e.g., “Dragon AIO”) is targeting you specifically, get legal involved. Nike sued StockX. Ticketmaster sued scalpers. Update your Terms of Service: “Use of automation software is a breach of contract.” This allows you to void orders legally without refunding shipping fees. Make it painful. Botters are businesses. If you increase their legal risk, they move to a softer target.

10. Conclusion

Bot mitigation is an economic war. You cannot stop 100% of bots. Your goal is to increase the Cost of Attack higher than the Potential Profit. If buying a bot license costs $500, and proxies cost $50, and the profit from reselling your shoe is only $200… the botters will go away.

Protecting a Hype Drop?

Are you launching a limited edition soon?

Hire our Architects.