Damus
pasjrwoctx👽 · 2w
So I kind of set up another level of security, well, not really, more of a gate to help block more bots and scrapers that seem to bypass robots.txt and whatever enhancements and blocks you have in your ....
webfan
@pasjrwoctx👽
cookie could be faked but so can headers, and the way I have it now the cookie is only good for the session, bots and scrapers start a new session every time


The sessionID is in the cookie yes, but the info can be in the session. If a bad bot starts a new session, well it will not have the "OK" in the session.
Accept headers can be faked, but that would make less sense as it breaks content negotiation, and you can use it as ONE aspect of other bot indicators, but my understanding of how Friendica and ActivityPub are set up, the inbox should not be callable by bots and scrapers


For the server-to-server protocol, an instance will act like a "legitimate bot"; it will not pass a captcha or session check, and validation of the request is done via signatures.
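The server-side session check described in the reply above, as an added sketch that is not code from the thread or from Friendica: the cookie carries only a random session ID, the "OK" flag lives in the server's session store, and server-to-server inbox requests are routed to signature verification instead of the gate. The cookie name `sid`, the `/inbox` prefix, lowercase header keys and the in-memory store are assumptions made for the example.

```python
import secrets

# Server-side session store (in-memory for this sketch; a real one needs expiry).
# The cookie carries only the random ID; the "ok" flag lives here, out of the
# client's reach.
SESSIONS = {}
# Assumed path prefix for server-to-server delivery (hypothetical).
S2S_PREFIXES = ("/inbox",)


def new_session():
    """Create a session that has not passed the gate yet and return its ID."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"ok": False}
    return sid


def mark_passed(sid):
    """Record that this session passed the gate (captcha, JS check, ...)."""
    if sid in SESSIONS:
        SESSIONS[sid]["ok"] = True


def decide(path, headers, cookies):
    """Return (action, session_id) for one request.

    action is "signature" (hand off to HTTP signature verification),
    "reject", "allow" or "challenge". Header keys are assumed lowercase.
    """
    # Federation traffic cannot hold a session or solve a challenge;
    # it is authenticated by its request signature instead.
    if path.startswith(S2S_PREFIXES):
        return ("signature" if "signature" in headers else "reject"), None

    sid = cookies.get("sid")
    session = SESSIONS.get(sid) if sid else None
    if session is None:
        # Unknown or forged ID, or a client that starts fresh on every request.
        return "challenge", new_session()
    # Extra cookies such as ok=1 are never consulted: only server state counts.
    return ("allow" if session["ok"] else "challenge"), sid
```
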
pasjrwoctx👽 · 1w
nostr:nprofile1qy2hwumn8ghj7un9d3shjtnyd968gmewwp6kyqpq9ve6074u75qp3d5gdcwxa2rk6j4fra0jyupx2d8h3cr2lkvge2rqr05u8c the other reason I elected to not have a server side stored is, one, privacy of actual humans that visit my site directly, and I'd just rather not be collecting useless data on a fairly rest...