A merchant is experiencing a surge in bot traffic from headless browsers like Puppeteer and seeks methods to block them, particularly by detecting outdated user agents since bots often don’t update as frequently as legitimate browsers.
Proposed Solution:
One user shared a JavaScript code snippet designed to detect headless browser indicators and redirect suspected bots to a custom /blocked page.
The script checks for common headless browser characteristics before the </head> tag in theme.liquid.
Shopify Plus offers enhanced bot protection features (linked in discussion).
Known Issues:
The code can trigger false positives when merchants customize their own themes.
Another user reported immediate 404 redirects on their homepage after implementation.
The solution remains untested at scale and requires further refinement.
The discussion remains open with requests for code adjustments or alternative approaches to specifically block HeadlessChrome traffic without disrupting legitimate users or theme customization workflows.
Summarized with AI on October 28.
AI used: claude-sonnet-4-5-20250929.
We have noted a large spike in bot traffic, especially with Headless browsers.
Is there any way to block incoming queries from headless browsers such as Puppeteer et al? One key variable we can likely zero in on is to lock outdated user agents. These headless browsers are often not up to date, like a “real” human where there are generally forced browser updates.
Any input or experience with this would be appreciated.
Here’s what I’ve developed so far. While I can’t completely stop bots from visiting the site, you can paste the code into theme.liquid right before the </head> tag to at least make life difficult for them once they get to the site.
The script checks for a few potential indicators commonly associated with headless browsers (such as Puppeteer), which a real user typically wouldn’t exhibit. If any of these conditions are met, it redirects the bot to a /blocked page, which you can create just like any other Shopify page.
Feel free to use or modify it as you wish. I haven’t overly tested this, so use at your own risk! One challenge is that some of these are flagged when customising your theme - because of course, that isn’t a standard browser!
I tried using this and it diverted my home page to a 404 when I tested it… straight away. I know you said ‘use at your own risk’ — just wondering if you have any ideas/suggestions about how to adapt your code above? Or another solution to block HeadlessChrome traffic?
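An added example, not the script posted in this thread: headless checks written as pure functions, with guards for the two problems reported above (the theme editor being flagged, and the redirect landing on a page that does not exist). `MIN_CHROME_MAJOR`, `BLOCKED_PATH` and the function names are assumptions; Shopify serves pages created in the admin under `/pages/<handle>` and sets `Shopify.designMode` inside the theme editor.

```javascript
// Added example. MIN_CHROME_MAJOR, BLOCKED_PATH and all function names are assumptions.
// Client-side signals can be spoofed, so treat a clean result as "no evidence", not "human".
const MIN_CHROME_MAJOR = 120;          // assumed cutoff; keep it well behind current stable
const BLOCKED_PATH = '/pages/blocked'; // assumed handle; the page must exist and be published

// Collect headless indicators from a navigator-like object (pure, so it can be unit tested).
function headlessSignals(nav) {
  const signals = [];
  const ua = String(nav.userAgent || '');
  if (nav.webdriver === true) signals.push('webdriver');          // set under browser automation
  if (ua.includes('HeadlessChrome')) signals.push('headless-ua'); // default headless Chrome token
  const m = ua.match(/Chrome\/(\d+)\./);                          // also matches HeadlessChrome/NNN
  if (m && Number(m[1]) < MIN_CHROME_MAJOR) signals.push('outdated-chrome');
  return signals;
}

// Decide whether to redirect. The two guards address the problems reported in the thread.
function decide(nav, win, path) {
  // Theme editor preview: Shopify.designMode is set there, so never block it.
  if (win.Shopify && win.Shopify.designMode) return { block: false, signals: [] };
  // Never redirect from the blocked page itself, or the visitor loops forever.
  if (path === BLOCKED_PATH) return { block: false, signals: [] };
  const signals = headlessSignals(nav);
  return { block: signals.length > 0, signals };
}

// Browser wiring; skipped when the file is loaded outside a browser (for example in Node).
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  const verdict = decide(navigator, window, location.pathname);
  if (verdict.block) location.replace(BLOCKED_PATH);
}

// Constructed sample inputs for checking the logic offline.
const SAMPLE_HEADLESS = { webdriver: true,
  userAgent: 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/109.0.0.0 Safari/537.36' };
const SAMPLE_CURRENT = { webdriver: false,
  userAgent: 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36' };
```

In theme.liquid this goes inside a `<script>` element; the `outdated-chrome` signal also fires for real visitors on old Chrome builds, so set the cutoff conservatively.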