Honeypots

Bait the bots. Catch them red-handed.

Invisible links, signed token URLs, zero-width watermarks. Three trap types, zero false positives. If a bot trips one, the verdict is final.

Static Traps

CSS-hidden links in HTML. Bots follow them, humans never see them.

Dynamic Traps

Per-session HMAC-signed URLs. Different every time. impossible to filter.

Zero False Positives

Only bots parsing raw HTML can find the traps. No legitimate user impact.

Proxy Rotation Detection

Same trap link from different IP? Proxy rotation confirmed.

Content Watermarking

Invisible Unicode markers trace scraped content back to the scraper.

Instant Score 1.0

Any visitor hitting a trap gets maximum bot score immediately.

Stealth Mode

No identifiable keywords in trap URLs or HTML. Fully invisible.

Hit Dashboard

See which traps were triggered, from where, and when.

3
Honeypot types
0
False positives
1.00
Bot score on trip
0%
User impact
How a trap works

Plant, log, trace.

Honeypots are the one detection method with a 0% false-positive rate. A trigger is proof, not signal.

Step 01

Place a trap

Inject invisible bait — links, fields, watermarks. Hidden via CSS or zero-width unicode. Real users can't see them.

Step 02

Watch for triggers

Every trap hit is logged with full request context. Score immediately set to 1.0. No ambiguity, no judgment call.

Step 03

Trace the source

Dynamic traps tie each token back to a session. Proxy rotators get caught — same trap, different IP = automation.

Trap types

Three ways to plant bait.

Layer them. Static traps catch HTTP scrapers. Dynamic traps catch proxy rotation. Watermarks trace stolen content. Together they cover every scrape modality.

01

Static traps

Invisible links + form fields injected into your HTML. CSS-hidden (position: absolute; left:-9999px). No JavaScript required — catches HTTP-only scrapers that ignore CSS rendering.

02

Dynamic traps

detect.js generates per-session trap URLs with HMAC-signed tokens. Each visitor gets a unique trap set — bots can't filter by pattern. Catches proxy rotation when same token loads from different IPs.

03

Content watermarks

Zero-width unicode markers (U+200B, U+200C, U+200D, U+FEFF) embedded in page text. Invisible on render, survives copy-paste. Trace scraped content back to the exact session that grabbed it.

Why this works

Honeypots are the cleanest verdict you'll ever get.

01

Zero false positives

Real browsers never render hidden links. Real users never submit hidden form fields. A trigger means a bot — guaranteed.

02

Catches HTTP-only scrapers

python-requests, curl, Go-http-client parse raw HTML — they walk every <a href> blindly. Static traps catch them on the first request.

03

Proxy rotation tells

Dynamic tokens tied to session ID. If token X loads from IP A then IP B within 10 seconds, you've caught a residential proxy rotation in action.

04

Content traceability

Watermarks survive scraping. If your content shows up in an AI dataset, the embedded marker proves which scrape session captured it.

Properties

Designed to be invisible.

No JavaScript required

Static traps work on any page. Even users with JS disabled get full functionality — they just never see the trap.

Per-session rotation

Dynamic trap URLs change every session. No way for a bot to maintain a denylist — every visit has new traps.

Validated automatically

Run a one-click verification check from the dashboard. We fetch your site and confirm the trap snippet is present.

Configurable density

2, 3, 5, or 8 traps per page. More traps = higher detection rate. Sites with sparse content can dial up; busy pages can dial down.

53% of internet traffic is automated.
How much of yours?

Most site owners have no idea. Find out in under 2 minutes — free.