Documentation
Overview
Package botguard provides TLS ClientHello fingerprinting (JA4) and heuristic-based bot detection scoring.
Bot detection operates in two layers:
- L1: Known-bad JA4 signature lookup (deterministic, per-connection). Handled by aitm.BotGuardService using signatures from this package.
- L2: Behavioral heuristics from browser telemetry (probabilistic, configurable threshold). Implemented by Scorer.
Constants
This section is empty.
Variables
This section is empty.
Functions
func ComputeJA4
ComputeJA4 parses helloBytes and returns the JA4 fingerprint string.
Format: t<TLSver><SNI><#Ciphers><#Exts><ALPN>_<CipherHash>_<ExtGroupHash>
Example: "t13d0505h2_1234567890ab_abcdef123456"
Returns an empty string and a non-nil error if helloBytes is not a valid ClientHello.
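A known-bad JA4 list feeding the L1 lookup only helps if every entry follows this layout exactly; a mistyped entry would never match a computed fingerprint. The Go code below is an added example, not botguard's own code: ParseJA4, JA4Parts and LoadSignatures are hypothetical names, and it assumes exact-string matching and 12-character lowercase hex hashes as in the example string above.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
)

// JA4Parts (hypothetical, not botguard API) mirrors the layout documented for
// ComputeJA4: t<TLSver><SNI><#Ciphers><#Exts><ALPN>_<CipherHash>_<ExtGroupHash>
type JA4Parts struct {
	TLSVersion, ALPN, CipherHash, ExtGroupHash string
	SNI                                        bool // 'd' = SNI present, 'i' = absent
	Ciphers, Extensions                        int
}

// Assumption: both hashes are 12 lowercase hex characters, as in the page's example.
var ja4RE = regexp.MustCompile(`^t([0-9a-z]{2})([di])(\d{2})(\d{2})([0-9A-Za-z]{2})_([0-9a-f]{12})_([0-9a-f]{12})$`)

// ParseJA4 rejects any string that does not match the documented layout.
func ParseJA4(fp string) (JA4Parts, error) {
	m := ja4RE.FindStringSubmatch(fp)
	if m == nil {
		return JA4Parts{}, fmt.Errorf("malformed JA4 %q", fp)
	}
	nc, _ := strconv.Atoi(m[3]) // the pattern guarantees two digits
	ne, _ := strconv.Atoi(m[4])
	return JA4Parts{TLSVersion: m[1], SNI: m[2] == "d", Ciphers: nc,
		Extensions: ne, ALPN: m[5], CipherHash: m[6], ExtGroupHash: m[7]}, nil
}

// LoadSignatures keeps well-formed entries and returns the rest for review.
func LoadSignatures(lines []string) (ok map[string]JA4Parts, rejected []string) {
	ok = make(map[string]JA4Parts)
	for _, l := range lines {
		if p, err := ParseJA4(l); err == nil {
			ok[l] = p
		} else {
			rejected = append(rejected, l)
		}
	}
	return ok, rejected
}

func main() { // constructed list: page's example, uppercase-hex typo, truncated entry
	ok, bad := LoadSignatures([]string{"t13d0505h2_1234567890ab_abcdef123456",
		"t13d0505h2_1234567890AB_abcdef123456", "t13d0505h2_1234567890ab"})
	fmt.Println(len(ok), "loaded; rejected:", bad)
}
```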
Types
type BotGuardConfig
type BotGuardConfig struct {
    // Enabled controls whether bot detection is active.
    Enabled bool
    // TelemetryThreshold is the score threshold [0.0, 1.0] above which a
    // connection is considered a bot. Default is 0.6.
    TelemetryThreshold float64
}
BotGuardConfig holds runtime-adjustable settings for bot detection.
type Scorer
type Scorer struct {
    Config BotGuardConfig
    Logger *slog.Logger
}
Scorer evaluates L2 (telemetry heuristic) signals into a BotVerdict. L1 (JA4 signature lookup) is handled upstream by BotGuardService.
func (*Scorer) ScoreConnection
func (s *Scorer) ScoreConnection(telemetry *aitm.BotTelemetry) aitm.BotVerdict
ScoreConnection verdict logic:
- !Config.Enabled → VerdictAllow
- telemetry score ≥ threshold → VerdictSpoof (L2 score)
- otherwise → VerdictAllow