What TikTok's virtual machine tells us about modern bot defenses

4 avastel 1 6/4/2025, 7:05:27 AM blog.castle.io ↗

Comments (1)

avastel · 1d ago
Author here: There’ve been a lot of HN threads lately about scraping, especially in the context of AI, and with them, a fair amount of confusion about what actually works to stop bots on high-profile websites.

This post uses TikTok’s obfuscated JavaScript VM (recently discussed on HN) as a case study to walk through what modern bot defenses look like in practice. It’s not spyware; it’s an anti-bot measure designed to make life harder for HTTP clients and non-browser automation.

Key points:

- HTTP-based bots skip JS, so TikTok hides detection logic inside a JavaScript VM interpreter

- The VM computes signals like webdriver checks and canvas-based fingerprints

- Obfuscating this logic in a custom VM makes it significantly harder to reimplement outside the browser (and so to scale an attack)

The goal isn’t to stop all bots; it’s to push attackers into full browser environments, where detection is more feasible.

The post covers why simple solutions like "just require JS" don’t hold up, and why defenders use techniques like VM-based obfuscation to increase attacker cost and reduce replayability.
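As an added illustration of the pattern the comment describes (detection logic shipped as bytecode for a custom interpreter rather than as readable JavaScript), the following is constructed example code, not TikTok's or Castle's. The opcode set, the two signals it checks (`navigator.webdriver` and `navigator.plugins.length`), the stand-in browser environments and the `serverVerdict` helper are all assumptions made for the demo; a real deployment computes many more signals and signs or encrypts the result before submitting it.

```javascript
// Added example (not TikTok's or Castle's code): a toy stack-based bytecode VM
// that evaluates bot-detection signals. The check itself lives in the bytecode
// array, so someone reading the shipped script sees an interpreter plus data,
// not the detection logic. Opcodes, signals and environments are constructed.

const OP = { PUSH: 0, LOAD_ENV: 1, GET: 2, EQ: 3, NOT: 4, OR: 5, AND: 6, RET: 7 };

// Interpreter: runs a flat bytecode array against an environment object
// (the stand-in for `window`) and returns whatever RET pops off the stack.
function runVM(code, env) {
  const stack = [];
  let pc = 0;
  while (pc < code.length) {
    const op = code[pc++];
    switch (op) {
      case OP.PUSH:     stack.push(code[pc++]); break;   // push literal operand
      case OP.LOAD_ENV: stack.push(env); break;          // push root object
      case OP.GET: {                                     // obj.prop, null-safe
        const key = code[pc++];
        const obj = stack.pop();
        stack.push(obj == null ? undefined : obj[key]);
        break;
      }
      case OP.EQ:  { const b = stack.pop(), a = stack.pop(); stack.push(a === b); break; }
      case OP.NOT: stack.push(!stack.pop()); break;
      case OP.OR:  { const b = stack.pop(), a = stack.pop(); stack.push(a || b); break; }
      case OP.AND: { const b = stack.pop(), a = stack.pop(); stack.push(a && b); break; }
      case OP.RET: return stack.pop();
      default: throw new Error(`bad opcode ${op} at offset ${pc - 1}`);
    }
  }
  throw new Error("program ended without RET");
}

// Bytecode for: (navigator.webdriver === true) || (navigator.plugins.length === 0)
// Only opcodes and operands appear here; the boolean expression is never
// written out as JavaScript in the delivered script.
const DETECT_AUTOMATION = [
  OP.LOAD_ENV, OP.GET, "navigator", OP.GET, "webdriver", OP.PUSH, true, OP.EQ,
  OP.LOAD_ENV, OP.GET, "navigator", OP.GET, "plugins", OP.GET, "length", OP.PUSH, 0, OP.EQ,
  OP.OR,
  OP.RET,
];

// Constructed stand-ins for `window` (not captured from real browsers).
const normalBrowser    = { navigator: { webdriver: false, plugins: { length: 3 } } };
const automatedBrowser = { navigator: { webdriver: true,  plugins: { length: 0 } } };

// Client-side signal: true when the environment looks automated.
function isAutomated(env) {
  return runVM(DETECT_AUTOMATION, env) === true;
}

// Server-side view (constructed): a request that never produced a signal,
// i.e. an HTTP-only client that skipped JavaScript, is treated the same as
// one whose signal says "automated". That is what pushes bots into running
// a full browser, where more signals become available.
function serverVerdict(submittedSignal) {
  if (submittedSignal === undefined) return "challenge"; // no JS ran at all
  return submittedSignal ? "challenge" : "allow";
}

console.log("normal browser flagged?   ", isAutomated(normalBrowser));    // false
console.log("automated browser flagged?", isAutomated(automatedBrowser)); // true
console.log("no signal submitted ->    ", serverVerdict(undefined));      // challenge
```

The interpreter is deliberately tiny; the defensive value comes from the bytecode being opaque data that a non-browser client must either execute faithfully (by reimplementing the VM) or skip, and skipping is itself a signal. Rotating the opcode numbering or the program per release is what raises reimplementation cost over time.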