15

Self-hosted, stateless scoring service for detecting bots, abuse, and anomalous user behavior through configurable declarative rules. Made in Quarkus.

Everything hashed directly from ingestion, no private information (sessionID, userId, resourceId) accessible from the database or the application.

Key properties:

  • Privacy-first: Identifiers (user IDs, IPs, user agents) are hashed at ingestion. No raw PII is stored. Currently, it uses MurmurHash2, but it might change.
  • Declarative rules: Rules are defined in rules.json with typed evaluators. No code changes required to add or modify rules.
  • Two-tier blocklist: Automatic download of known bad bots plus manually curated exact and partial matches.
  • Session-aware: Scores users based on their sessions, a mixture of a sessionId (An arbitrary session identifier like a JWT), the userAgent and the ip.
  • Self-contained: Ships as an uber-jar. Default storage is H2 in-memory, PostgreSQL supported via configuration.

AGPLv3

This is my project to fight the bot horde infesting the internet and the fediverse right now. I made it over the weekend, just needs Java 25 (trademark)(copyright) to run it or using the dockerfile for legacy jars.

Yes, I'm a Java developer, unfortunately it's a good language for building web services very fast.

First release already in there, if anyone wants to test, use, whatever. Comments appreciated.

no comments (yet)
sorted by: hot top controversial new old
there doesn't seem to be anything here
this post was submitted on 30 Jun 2026
15 points (100.0% liked)

Open Source

47591 readers
69 users here now

All about open source! Feel free to ask questions, and share news, and interesting stuff!

Useful Links

Rules

Related Communities

Community icon from opensource.org, but we are not affiliated with them.

founded 6 years ago
MODERATORS