"Bot管理与验证码（Anti-Bot）防护最佳实践"

Bot管理与验证码（Anti-Bot）防护最佳实践概述通过分层挑战与行为评分，对自动化滥用进行拦截并保持真实用户可用性。行为评分function behaviorScore(events: { move: number; click: number; key: number; timeMs: number }): number { const density = (events.move + events.click + events.key) / Math.max(1, events.timeMs / 1000) const score = Math.min(100, Math.round(density * 10)) return score } 速率限制与挑战function requireChallenge(ip: string, score: number, rateExceeded: boolean): boolean { if (rateExceeded) return true if (score < 15) return true return false } 验证码校验async function verifyCaptcha(response: string, secret: string): Promise<boolean> { const res = await fetch("https://captcha.example/verify", { method: "POST", headers: { "Content-Type": "application/json" }, body: JSON.stringify({ response, secret }) }) if (!res.ok) return false const data = await res.json() return !!data.success } JS挑战令牌function issueJsToken(): string { const bytes = crypto.getRandomValues(new Uint8Array(16)) return Array.from(bytes).map(b => b.toString(16).padStart(2, "0")).join("") } function validateJsToken(token: string): boolean { return /^[a-f0-9]{32}$/.test(token) } 运维要点按端点与风险分级启用挑战与验证码将行为评分、限流与挑战命中纳入指标与告警为无障碍与合法机器人提供受控白名单与速率配额通过分层治理与挑战机制，可在复杂流量环境中有效拦截恶意自动化滥用。