How to block bot hits? (Affecting number of requests)

I am testing Stape and I’ve realized that there are a lot of requests in my container, way more than I’ve sent (like 90% more). So I’ve asked for logs and I’ve seen requests to the following endpoints of my server container URL (among others):

/healthy
/database.sql
/config.yaml
/feed
/.git/HEAD
/wp-admin/setup-config.php
/.kube/config
/config.yml
/.ssh/id_rsa

These are hits made by automated bots in search of vulnerabilities in the code. And these are hits counting towards the resources used in Stape (not ideal).

So the question is simple…how can I block these hits so that they do not count towards the container resources? Should I block these hits using Cloudflare, should I block them using the “Bot detection” power-up or is there any other way to block them? And please, explain how to do so.

I think this is something critical to not spend unnecessary resources.

Also, please explain why here (Pricing - Stape) it shows that the “X-Device-Bot” header is available in the Free version (via User-Agent Info power-up), while elsewhere this is a paid power-up in the “Bot detection” power-up.

Hey @hustleou, thanks for bringing this up. The bot conclusion is no longer part of the User-Agent Info power-up and is available in the ‘Bot detection’ one. We’ll update site content accordingly.

Bot detection is available on all paid plans.

Bot detection will not be a solution for what you’re describing, because we need to accept and digest the incoming request (and count it towards your subscription threshold) to resolve if it’s a bot or not.

A feature such as the one you’re looking for is in the backlog, but I don’t have any timeframes to share.

At this point in time your only approach to this is using your own CDN to limit unwanted traffic.

Ok, understood! I don’t have this power-up enabled:

So it should work, meaning, it should block these visits.

And as it is not blocking these visits, something there is not working properly.

I believe this is a really urgent thing, because no-one wants to pay for resources they don’t use.

If using Cloudflare as the CDN, what kind of rules would you suggest to block this unwanted traffic? Based on Bot Score, based on IP, based on User Agent?

Also, the log feature should be available in ALL plans. Currently users in the FREE plan are receiving fake bot visits to their container URL that they are not aware of and that are counting towards their usage.

@Dan I’m keeping an eye here: https://help.stape.io/hc/en-us/articles/13260378022685-Release-Notes - Once you’ve deployed a solution for this, I’ll be happy to move our tech stack to Stape.
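Added example, not from the thread or from Stape: a small Python script that classifies server-container log lines by the probe paths listed at the top of the thread (so you can measure how much of your usage is scanner noise) and emits the matching Cloudflare WAF custom-rule expression asked about above. The log format is an assumed, constructed `<ip> <method> <path> <status>` layout; adapt the regex to the real export.

```python
import re
from collections import Counter

# Constructed sample lines (assumed simplified format, not Stape's real log layout).
SAMPLE_LOG = """\
203.0.113.10 POST /gtm/collect 200
203.0.113.10 GET /gtm.js?id=GTM-XXXX 200
198.51.100.7 GET /.git/HEAD 404
198.51.100.7 GET /.ssh/id_rsa 404
198.51.100.7 GET /config.yaml 404
198.51.100.7 GET /wp-admin/setup-config.php 404
198.51.100.8 GET /database.sql 404
198.51.100.8 GET /.kube/config 404
198.51.100.8 GET /healthy 200
"""

# Paths from the thread that a tagging server never legitimately serves.
# /healthy and /feed are left out: they may be real health checks or feeds.
PROBE_PATHS = {"/database.sql", "/config.yaml", "/config.yml", "/.git/HEAD",
               "/.kube/config", "/.ssh/id_rsa", "/wp-admin/setup-config.php"}
PROBE_PREFIXES = ("/.git/", "/.ssh/", "/.kube/", "/wp-admin/")

LINE_RE = re.compile(r"^(?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$")

def is_probe(path: str) -> bool:
    """True if the request path (query string ignored) is a known scanner probe."""
    bare = path.split("?", 1)[0]
    return bare in PROBE_PATHS or bare.startswith(PROBE_PREFIXES)

def summarize(log_text: str) -> dict:
    """Count total vs probe requests and tally the source IPs sending probes."""
    total = probes = 0
    by_ip = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        total += 1
        if is_probe(m["path"]):
            probes += 1
            by_ip[m["ip"]] += 1
    return {"total": total, "probes": probes, "probe_ips": dict(by_ip),
            "probe_share": probes / total if total else 0.0}

def cloudflare_block_expression() -> str:
    """Cloudflare WAF custom-rule expression (use with action Block) for the probe set."""
    exact = " ".join(f'"{p}"' for p in sorted(PROBE_PATHS))
    prefixes = " or ".join(f'(http.request.uri.path contains "{p}")' for p in PROBE_PREFIXES)
    return f"(http.request.uri.path in {{{exact}}}) or {prefixes}"
```

Blocking at the CDN only helps if the container's origin URL is not reachable directly; otherwise scanners simply bypass Cloudflare and the requests still count.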