Strategies to block bots - does Shopify support these?

SouthQc
Visitor
3 0 0

Hello

 

We have noted a large spike in bot traffic, especially with Headless browsers. 

Is there any way to block incoming queries from headless browsers such as Puppeteer et al? One key variable we can likely zero in on is to lock outdated user agents. These headless browsers are often not up to date, like a "real" human where there are generally forced browser updates.

 

Any input or experience with this would be appreciated

 

 

URL for those who want to read up on this:

https://www.imperva.com/blog/seven-tips-to-protect-retail-businesses-this-holiday-season/

 

 

Reply 1 (1)

Olllie
Shopify Partner
121 11 23

Hey,

 

This is something I've been thinking about lately as well. Shopify Plus does have added bot protections. 

Here 

 

Here's what I've developed so far. While I can't completely stop bots from visiting the site, you can paste the code into theme.liquid right before the </head> tag to at least make life difficult for them once they get to the site.

 

The script checks for a few potential indicators commonly associated with headless browsers (such as Puppeteer), which a real user typically wouldn't exhibit. If any of these conditions are met, it redirects the bot to a /blocked page, which you can create just like any other Shopify page.

 

Feel free to use or modify it as you wish. I haven't overly tested this, so use at your own risk! 🙂 One challenge is that some of these are flagged when customising your theme - because of course, that isn't a standard browser!

 

 

 

<script>
// Custom headless browser detection script designed by Ollie from autoBlogger, use however you like
  (function() {
    var isHeadless = false;

    // Function to check headless browser conditions
    function detectHeadless() {

      // Check for WebDriver property (common in headless browsers)
      if (navigator.webdriver) {
        return true;
      }

      // Check for Headless Chrome in the user agent string
      if (navigator.userAgent.includes("HeadlessChrome")) {
        return true;
      }

      // Check for missing or unusual window features typically absent in headless browsers
      if (!window.matchMedia) {
        return true;
      }

      // Ensure document.body exists before dispatching mouse events
      if (document.body) {
        // Test for mouse movement: Headless browsers might not trigger mouse events normally
        var mouseEvent = document.createEvent('MouseEvents');
        mouseEvent.initEvent('mousemove', true, true);
        document.body.dispatchEvent(mouseEvent);
        
        // If no mouse movement is detected (or prevented), it's likely headless
        if (mouseEvent.defaultPrevented) {
          return true;
        }
      }

      return false; // No headless browser indicators found
    }

    isHeadless = detectHeadless();

    if (isHeadless && window.location.href.indexOf('/blocked') === -1) {
      window.location.href = '/blocked';
    }
  })();
</script>

 

 

 

 

Ollie | Founder & Developer of autoBlogger and autoSchema

autoBlogger: Seamlessly scheduled, fully automated, AI-powered, and SEO-optimised blogging with FAQs, table of contents and other features! Start your 14-day free trial today!


autoSchema: Fully automated and continuously updated Google structured data, including duplicate data removal. Simple to install – try it now!


Discover more at autoBlogger.bot!
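
An added example, not part of either post above and not Shopify or theme code: the reply's checks (`navigator.webdriver`, `HeadlessChrome` in the user agent, missing `matchMedia`) combined with the outdated-user-agent idea from the question, written as a pure function that returns which signals fired so it can be tested against sample user agents. The function names, the `env` object shape, the sample user-agent strings and the `MIN_CHROME_MAJOR` threshold are assumptions made for illustration.

```javascript
// Added example: all names and thresholds here are assumptions for illustration.
const MIN_CHROME_MAJOR = 120; // constructed threshold; derive yours from real traffic

// Constructed sample user-agent strings (not taken from any real log).
const SAMPLE_UAS = {
  headless: "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/119.0.0.0 Safari/537.36",
  current: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36",
  stale: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36",
  firefox: "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:127.0) Gecko/20100101 Firefox/127.0",
};

// Major version of Chrome or HeadlessChrome in a user-agent string, else null.
function chromeMajor(userAgent) {
  const match = /Chrome\/(\d+)\./.exec(userAgent || "");
  return match ? parseInt(match[1], 10) : null;
}

// Report which signals fired for `env` = { webdriver, userAgent, hasMatchMedia }.
function headlessSignals(env, minChromeMajor = MIN_CHROME_MAJOR) {
  const signals = [];
  const ua = env.userAgent || "";
  if (env.webdriver === true) signals.push("webdriver");
  if (ua.includes("HeadlessChrome")) signals.push("headless-ua");
  if (!env.hasMatchMedia) signals.push("no-matchMedia");
  const major = chromeMajor(ua);
  if (major !== null && major < minChromeMajor) signals.push("outdated-chrome");
  return signals;
}

// In a page: snapshot the real browser and redirect as the reply's script does.
if (typeof window !== "undefined" && typeof document !== "undefined") {
  const signals = headlessSignals({
    webdriver: navigator.webdriver === true,
    userAgent: navigator.userAgent,
    hasMatchMedia: typeof window.matchMedia === "function",
  });
  if (signals.length > 0 && !window.location.pathname.startsWith("/blocked")) {
    window.location.href = "/blocked";
  }
}
```

Every value checked here is reported by the client and can be changed by it, so the returned list is better logged or scored than treated as proof. The `outdated-chrome` signal on its own also matches real visitors on old browsers, which is why the threshold is a parameter.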