Forem: Shreesh Sanyal The latest articles on Forem by Shreesh Sanyal (@shreesh_sanyal_eb6b605a70). https://forem.com/shreesh_sanyal_eb6b605a70 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F2652652%2Fd7c289a9-ae6b-4633-9790-8c7df2cbc6fa.jpg Forem: Shreesh Sanyal https://forem.com/shreesh_sanyal_eb6b605a70 en I built an Express.js middleware that detects bots using behavioral scoring — and published it to npm Shreesh Sanyal Mon, 09 Mar 2026 14:11:40 +0000 https://forem.com/shreesh_sanyal_eb6b605a70/i-built-an-expressjs-middleware-that-detects-bots-using-behavioral-scoring-and-published-it-to-4c3g https://forem.com/shreesh_sanyal_eb6b605a70/i-built-an-expressjs-middleware-that-detects-bots-using-behavioral-scoring-and-published-it-to-4c3g <p>Ever watched your “protected” Express API get farmed by bots anyway?</p> <p>You add IP rate limiting… they rotate IPs.<br><br> You add CAPTCHAs… your users hate you.<br><br> You add a WAF… your finance team hates you.</p> <p>So I built <strong>ShadowShield</strong> — a free, open‑source behavioral security middleware for Express that detects bots by analyzing <em>how</em> they make requests, not just <em>how many</em>.</p> <h2> How it works </h2> <p>Most rate limiters ask one question:</p> <blockquote> <p>“How many requests did this IP make?”</p> </blockquote> <p><strong>ShadowShield asks five:</strong></p> <ol> <li> <strong>rpm</strong> — How fast are requests coming in? </li> <li> <strong>error_rate</strong> — What percentage of requests return errors? </li> <li> <strong>entropy</strong> — How many different endpoints are being hit? </li> <li> <strong>cv_gap</strong> — How regular is the timing between requests? </li> <li> <strong>volume</strong> — How much data is being transferred?</li> </ol> <p>Each feature is normalized and weighted into a final risk score.<br><br> If the score exceeds <code>0.5</code>, the IP is blocked.</p> <h2> The <code>cv_gap</code> feature </h2> <p>This is the most interesting signal.</p> <p>Bots are unnaturally consistent. A human using your API will have random gaps between requests — 800 ms, 2.3 s, 400 ms.<br><br> A bot running in a tight loop will look like — 300 ms, 301 ms, 299 ms.</p> <p><code>cv_gap</code> measures the coefficient of variation of those timing gaps.<br><br> Low <code>cv_gap</code> = unnaturally regular = likely bot.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">gaps</span> <span class="o">=</span> <span class="nx">sorted</span><span class="p">.</span><span class="nf">slice</span><span class="p">(</span><span class="mi">1</span><span class="p">).</span><span class="nf">map</span><span class="p">((</span><span class="nx">t</span><span class="p">,</span> <span class="nx">i</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">t</span> <span class="o">-</span> <span class="nx">sorted</span><span class="p">[</span><span class="nx">i</span><span class="p">])</span> <span class="kd">const</span> <span class="nx">mean</span> <span class="o">=</span> <span class="nx">gaps</span><span class="p">.</span><span class="nf">reduce</span><span class="p">((</span><span class="nx">a</span><span class="p">,</span> <span class="nx">b</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">a</span> <span class="o">+</span> <span class="nx">b</span><span class="p">,</span> <span class="mi">0</span><span class="p">)</span> <span class="o">/</span> <span class="nx">gaps</span><span class="p">.</span><span class="nx">length</span> <span class="kd">const</span> <span class="nx">std</span> <span class="o">=</span> <span class="nb">Math</span><span class="p">.</span><span class="nf">sqrt</span><span class="p">(</span> <span class="nx">gaps</span><span class="p">.</span><span class="nf">reduce</span><span class="p">((</span><span class="nx">a</span><span class="p">,</span> <span class="nx">b</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">a</span> <span class="o">+</span> <span class="p">(</span><span class="nx">b</span> <span class="o">-</span> <span class="nx">mean</span><span class="p">)</span> <span class="o">**</span> <span class="mi">2</span><span class="p">,</span> <span class="mi">0</span><span class="p">)</span> <span class="o">/</span> <span class="nx">gaps</span><span class="p">.</span><span class="nx">length</span> <span class="p">)</span> <span class="kd">const</span> <span class="nx">cvGap</span> <span class="o">=</span> <span class="nx">mean</span> <span class="o">&gt;</span> <span class="mi">0</span> <span class="p">?</span> <span class="nx">std</span> <span class="o">/</span> <span class="nx">mean</span> <span class="p">:</span> <span class="mi">0</span> </code></pre> </div> <ul> <li>Normal users usually have <code>cvGap &gt; 1.0</code> </li> <li>Simple bots often have <code>cvGap &lt; 0.1</code> </li> </ul> <h2> Impossible Travel Detection </h2> <p>This one is my favourite feature.</p> <p>ShadowShield stores the IP address bound to each session.<br><br> If a new request arrives with the <strong>same session ID but a different IP</strong>, both IPs get blocked immediately.</p> <p>This catches:</p> <ul> <li>Session hijacking </li> <li>IP‑rotating bots that reuse session cookies </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">lastIP</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">redis</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="s2">`session:</span><span class="p">${</span><span class="nx">sessionId</span><span class="p">}</span><span class="s2">:ip`</span><span class="p">)</span> <span class="k">if </span><span class="p">(</span><span class="nx">lastIP</span> <span class="o">&amp;&amp;</span> <span class="nx">lastIP</span> <span class="o">!==</span> <span class="nx">ip</span><span class="p">)</span> <span class="p">{</span> <span class="k">await</span> <span class="nx">redis</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="s2">`block:</span><span class="p">${</span><span class="nx">ip</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="dl">'</span><span class="s1">1</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">EX</span><span class="dl">'</span><span class="p">,</span> <span class="nx">blockTTL</span><span class="p">)</span> <span class="k">await</span> <span class="nx">redis</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="s2">`block:</span><span class="p">${</span><span class="nx">lastIP</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="dl">'</span><span class="s1">1</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">EX</span><span class="dl">'</span><span class="p">,</span> <span class="nx">blockTTL</span><span class="p">)</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">429</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Suspicious activity detected</span><span class="dl">"</span> <span class="p">})</span> <span class="k">return</span> <span class="p">}</span> </code></pre> </div> <h2> Zero latency impact </h2> <p>This was a hard requirement for me.</p> <p>All scoring happens <strong>after</strong> the response is sent using <code>res.on('finish')</code>.<br><br> The user never waits for risk calculation.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="nf">next</span><span class="p">()</span> <span class="c1">// ← response sent immediately</span> <span class="nx">res</span><span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">'</span><span class="s1">finish</span><span class="dl">'</span><span class="p">,</span> <span class="k">async </span><span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="c1">// scoring happens here — after user already got response</span> <span class="k">await</span> <span class="nf">writeIPData</span><span class="p">(</span><span class="nx">data</span><span class="p">,</span> <span class="nx">redis</span><span class="p">)</span> <span class="kd">const</span> <span class="nx">risk</span> <span class="o">=</span> <span class="k">await</span> <span class="nc">IPRiskScore</span><span class="p">(</span><span class="nx">ip</span><span class="p">,</span> <span class="nx">redis</span><span class="p">)</span> <span class="k">if </span><span class="p">(</span><span class="nx">risk</span> <span class="o">&gt;=</span> <span class="nx">threshold</span><span class="p">)</span> <span class="p">{</span> <span class="k">await</span> <span class="nx">redis</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="s2">`block:</span><span class="p">${</span><span class="nx">ip</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="dl">'</span><span class="s1">1</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">EX</span><span class="dl">'</span><span class="p">,</span> <span class="nx">blockTTL</span><span class="p">)</span> <span class="p">}</span> <span class="p">})</span> </code></pre> </div> <h2> Install </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm <span class="nb">install </span>shadowshield </code></pre> </div> <h2> Usage </h2> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">shadowShield</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">shadowshield</span><span class="dl">"</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="nf">shadowShield</span><span class="p">({</span> <span class="na">redisUrl</span><span class="p">:</span> <span class="dl">"</span><span class="s2">redis://127.0.0.1:6379</span><span class="dl">"</span><span class="p">,</span> <span class="na">threshold</span><span class="p">:</span> <span class="mf">0.5</span><span class="p">,</span> <span class="na">blockTTL</span><span class="p">:</span> <span class="mi">3600</span><span class="p">,</span> <span class="p">}))</span> </code></pre> </div> <p>That’s it. One middleware, a few options.</p> <h2> What the logs look like </h2> <p>When running, ShadowShield prints risk scores in real time:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>IP: 192.168.1.1 | ip_risk: 0.12 | session_risk: 0.10 | final: 0.11 IP: 192.168.1.2 | ip_risk: 0.51 | session_risk: 0.66 | final: 0.58 BLOCKED: 192.168.1.2 | ip: 0.51 | session: 0.66 | final: 0.58 IMPOSSIBLE TRAVEL: abc123 | 192.168.1.1 → 192.168.1.2 </code></pre> </div> <h2> Tech stack </h2> <ul> <li>Node.js + TypeScript </li> <li>Express.js </li> <li>Redis (<code>ioredis</code>) </li> <li>Published on npm</li> </ul> <h2> Links </h2> <p>🔗 <a href="https://github.com/SHREESH2004/Shadowsheild" rel="noopener noreferrer">https://github.com/SHREESH2004/Shadowsheild</a><br> 📦 <a href="https://www.npmjs.com/package/shadowshield" rel="noopener noreferrer">https://www.npmjs.com/package/shadowshield</a></p> backend node opensource typescript