The Threat
Sophisticated botnets that mimic legitimate traffic headers to bypass security.
The Impact
Wasted infrastructure costs and bypassed security gates.
Legacy Failure
Header-based Enforcers are easily spoofed by automated SDKs.
The Solution
TrustSig's deterministic hardware and rendering attestation.
Header-based enforcement is a security model that relies on specific HTTP headers to identify and authorize traffic. If the header is present and looks correct, the request is allowed.
Modern botnets are built to programmatically generate the exact headers that security providers expect. Because headers are just data, they can be spoofed by any automated script.
TrustSig does not rely on headers. We verify the hardware and rendering environment of the client. Headless browsers and emulators cannot fake the deterministic hardware layout of a genuine consumer device.
The Anatomy of an Attack
Security providers often rely on "Enforcers" that inspect incoming traffic for specific HTTP headers. These headers are intended to act as a digital passport, signaling that a request originates from a legitimate mobile app or browser rather than a bot.
However, we think this approach is fundamentally flawed. In our opinion, if a security system relies on a predictable pattern of data, it is only a matter of time before that pattern is reverse-engineered and automated.
Why Legacy Defenses Fail
If you rely on header-based security, you are essentially asking the attacker to tell you who they are. Modern botnets are designed to do exactly that.
- Predictable Patterns: Tools like the Hyper Solutions Go SDK demonstrate how easily these systems can be bypassed. Attackers can programmatically generate the exact headers, tokens, and sensor data that security providers expect.
- The Enforcer Fallacy: Many "Enforcer" models, such as those used by Human Security, require apps to attach specific headers to every request. If an attacker knows the format, they can simply include these headers in their own automated scripts, effectively neutralizing the protection.
- Fragility: When security relies on headers, any change in the bot's behavior or the security provider's logic can lead to false positives, blocking your real users while the sophisticated bots continue to pass through.
Deterministic Bot Mitigation
At TrustSig, we believe that security should not be based on what a client says about itself, but on what the client is.
Instead of challenging the user with a puzzle or relying on easily spoofed headers, we challenge the client's environment. By extracting hardware-level telemetry—such as WebGL rendering fingerprints, CPU thread concurrency, and audio context evaluation—we can mathematically prove whether the browser is a genuine consumer device or a headless emulator running on a rack server.
This process is deterministic. A headless browser cannot fake the specific hardware layout of a genuine consumer device. By moving the verification to the hardware level, we remove the attacker's ability to spoof their identity.
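To make the contrast concrete, the following is an added illustration, not TrustSig's code and not a description of its attestation logic. It places a minimal header-based enforcer beside a server-side consistency check over client environment telemetry (WebGL renderer string, CPU thread concurrency, audio sample rate, screen size). The field names, the list of known software-renderer strings, the thresholds and both telemetry records are assumptions constructed for the example; the point it shows is that a header is satisfied by whoever sets it, while telemetry from a headless environment tends to contradict the identity the headers claim.

```javascript
// Added example, not TrustSig code. Field names, thresholds and samples are assumptions.

// Legacy model: the request is trusted if the expected header is present.
// Any client that knows the format can satisfy this check.
function headerEnforcer(request) {
  return request.headers['x-app-token'] === 'expected-value';
}

// Renderer strings typical of software rasterisers used by headless browsers
// and emulators (illustrative list, an assumption of this example).
const SOFTWARE_RENDERERS = [/swiftshader/i, /llvmpipe/i, /\bsoftware\b/i];

// Consumer devices almost always report one of these audio sample rates (assumed).
const COMMON_SAMPLE_RATES = [44100, 48000];

// Environment model: cross-check telemetry fields against each other and
// against what the user agent claims. Returns the reasons for suspicion so
// an operator can tune or audit each rule.
function assessEnvironment(telemetry) {
  const reasons = [];
  const {
    userAgent = '',
    webglRenderer = '',
    hardwareConcurrency,
    audioSampleRate,
    screen,
  } = telemetry;

  if (SOFTWARE_RENDERERS.some((re) => re.test(webglRenderer))) {
    reasons.push('software WebGL renderer');
  }

  const claimsMobile = /Mobile|Android|iPhone/i.test(userAgent);
  if (!Number.isInteger(hardwareConcurrency) || hardwareConcurrency < 1) {
    reasons.push('missing or invalid hardwareConcurrency');
  } else if (claimsMobile && hardwareConcurrency > 8) {
    reasons.push('mobile user agent with server-class core count');
  }

  if (!COMMON_SAMPLE_RATES.includes(audioSampleRate)) {
    reasons.push('unusual audio sample rate');
  }

  if (!screen || screen.width <= 0 || screen.height <= 0) {
    reasons.push('missing or zero-size screen');
  }

  return { suspicious: reasons.length > 0, reasons };
}

// Constructed sample: telemetry as a genuine Android phone might report it.
const GENUINE_SAMPLE = {
  userAgent: 'Mozilla/5.0 (Linux; Android 13; Pixel 7) Mobile Safari/537.36',
  webglRenderer: 'ANGLE (Qualcomm, Adreno (TM) 730, OpenGL ES 3.2)',
  hardwareConcurrency: 8,
  audioSampleRate: 48000,
  screen: { width: 412, height: 915 },
};

// Constructed sample: a headless browser on a server that copied the same
// mobile user agent and the expected header, but whose hardware does not match.
const HEADLESS_SAMPLE = {
  userAgent: 'Mozilla/5.0 (Linux; Android 13; Pixel 7) Mobile Safari/537.36',
  webglRenderer: 'Google SwiftShader',
  hardwareConcurrency: 32,
  audioSampleRate: 48000,
  screen: { width: 412, height: 915 },
};

// Both requests carry the header, so the legacy enforcer admits both.
const request = { headers: { 'x-app-token': 'expected-value' } };
console.log('header enforcer admits:', headerEnforcer(request));
console.log('genuine device:', assessEnvironment(GENUINE_SAMPLE));
console.log('headless client:', assessEnvironment(HEADLESS_SAMPLE));
```

Each rule above is a heuristic with a tunable threshold, and `reasons` is returned rather than a bare boolean so that a false positive on real users can be traced to the rule that caused it.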
TrustSig provides a privacy-first, edge-first approach that stops automated threats before they ever reach your database, ensuring your infrastructure remains secure without the need for intrusive CAPTCHAs or fragile header-based checks.
Secure your endpoints today
Deploy hardware-level attestation in minutes. Eradicate bot traffic with zero user friction and absolute GDPR compliance.