• Dark Arc@social.packetloss.gg
    link
    fedilink
    English
    arrow-up
    2
    ·
    edit-2
    10 hours ago

    So… Having no public API means people just develop libraries to interact with your private API.

    Furthermore, beautiful soup can work on any page… It’s just a matter of how easily.

    CSRF doesn’t do what I think you think it does. It only works with a cooperating client (i.e. it’s to protect a user in their own web browser). If it’s a bot you’d just scrape the token and move on.

    Fluctuations in user actions can also be simulated (you can have a bot architecture that delays work to be done to be similar to what a normal user might do/say/post) … and rate limiting can be overcome by just using more accounts, stolen IP addresses, etc

    You can do a lot, but it’s always going to be a bit of a war. Things you’re suggesting definitely help (a lot of them echo strategies used by RuneScape to prevent/reduce bots), but … I think saying it’s an architecture problem is a bit disingenuous; some of those suggestions also hurt users.