Introducing Proof of Browser: How DataDome Blocked 14 Million Bypass Attempts
The arms race between bot operators and cybersecurity solutions is relentless.
As detection engines become more sophisticated, attackers continuously look for ways to reverse-engineer client-side detection code and challenges. Their goal is to generate legitimate-looking payloads from untrusted environments, allowing them to bypass security challenges without ever opening a real web browser.
To permanently shut down this vector, DataDome recently released a groundbreaking protection feature in our components: proof of browser.
This state-of-the-art technique has already delivered significant results, blocking 14 million attempts to bypass DataDome’s challenges. Here is a look at how it works and why it represents a major leap forward in client-side security.
The challenge of fake environments
Historically, bot operators have tried to bypass client-side detection by mocking the browser environment. Using frameworks in Node.js or Python, they intercept the detection scripts and feed them hardcoded or spoofed browser attributes.
While analyzing these signals remains crucial, advanced attackers invest heavily in creating highly realistic fake environments. We needed a way to guarantee that the detection payload we receive is entirely legitimate and absolutely not generated by an attacker in an untrusted environment they control.
What is proof of browser?
Proof of browser is a specialized proof-of-work system that guarantees the detection code was executed inside a real, fully functioning browser engine.
Instead of just checking if a specific browser property exists, proof of browser forces the client to perform operations that rely on mechanisms and technologies that exist natively and exclusively inside a real browser. These mechanisms are deep, complex, and tightly interlocking by design.
For example, a traditional bot might easily fake its user-agent or the dimensions of a window. However, replicating the exact, sub-millisecond execution sequence of a complex WebGL rendering task intertwined with specific CSS layout calculations and DOM mutations is an entirely different story.
Because these interlocking systems are so complex, they cannot be cheaply mocked or reimplemented from the outside. Attempting to simulate them outside a real browser would require an enormous amount of computational power and would inevitably result in tiny, detectable discrepancies.
DataDome is among the very first cybersecurity companies to adopt this level of interlocking environmental proof-of-work, placing our detection capabilities at the cutting edge of the industry. DataDome was also recently recognized as a Leader in The Forrester Wave™: Bot And Agent Trust Management Software, Q2 2026.
Polymorphic builds: Breaking static analysis
A static defense is a vulnerable defense. If a protection mechanism remains the same, attackers will eventually figure out how to hook into it.
To prevent this, we made proof of browser highly polymorphic. The challenge is regenerated from scratch on every single build. When a new build is deployed, everything changes:
- The core computation itself
- The specific browser mechanisms the challenge relies on
- The overall structure of the code
Because the underlying logic shifts constantly, any static analysis or hooking scripts developed by an attacker become obsolete immediately. The knowledge they gain from reverse engineering one build simply does not carry over to the next.
The ultimate combination: Proof of browser & VM-based obfuscation
Proof of browser does not operate in isolation. It is deeply embedded inside DataDome’s VM-based obfuscation.
These two technologies create a perfect synergy:
- The VM hides what is being measured. It forces the attacker to analyze heavily obfuscated, virtualized bytecode, making it incredibly painful to understand which browser mechanisms are being tested.
- Proof of browser makes the measurement itself unfakeable. Even if an attacker somehow guesses what is being measured, they cannot generate a valid response without executing the code in a genuine browser engine.
Real-world impact and performance
Since its recent deployment, proof of browser has been highly effective. It is currently included in our Device Check and Slider, where it has already blocked over 14 million sophisticated bypass attempts.

[Figure: Volume of challenge bypass attempts decisively blocked by proof of browser over time]
As shown in the above graph, the system effortlessly handles massive, sudden spikes in malicious traffic, completely neutralizing these automated threats before they reach protected endpoints.
A new standard for client-side security
Security should never come at the cost of user experience. Despite the complex, interlocking nature of these checks, the performance of our challenges remains exceptional. The execution time is practically unchanged, ensuring that legitimate human users and their trusted AI agents experience zero added friction.
By combining VM-based obfuscation with the unfakeable nature of proof of browser, DataDome continues to make botting economically unviable for attackers while keeping the web seamless for real users.