[Cider9986]

That's cool your solution is privacy focused.

Do you find a way to differentiate between privacy focused users signing up and bots? Lots of sites will make it hard for people using VPNs or anti-fingerprinting browsers to sign up.

[arbol]

Thanks! We don't penalise privacy browsers or VPN by default. We score JS signals browser side in constantly rotating obfuscated code. This avoids us having to send up the actual data whilst making it difficult to fake the dynamic challenges. Static ones are obviously much easier.

Serious bot activity (e.g. ticket scalping) requires polling with many headless browsers and waiting for tickets to become available. Bot behaviour repeats at scale and so we can get them based on that. A privacy focused user will just be one request in amongst many and pass through.

However, its ultimately the decision of the client how strict we are. A lot of abusive traffic comes from VPN IPs. We don't enable these blocks by default but sometimes you need to, especially if there is a direct monetary gain to be made by faking your country.