Debug. raw HttpContext.Items state (TagHelper input)
AggregatedEvidence present: True BotDetectionResult present: True evidence.RiskBand = VeryHigh evidence.BotProbability = 1 evidence.Confidence = 1
Behaviour-aware Razor
This page is rendered by ASP.NET Core MVC with StyloBot middleware in
process. No gateway, no third-party service, no JavaScript on the
client. Every <sb-*> tag below reads from the same
DetectionDisplayModel the detection pipeline populated
before this view started rendering.
Demo mode. flip the verdict by appending
?demo=<preset> to any URL. Same code path as the
ml-bot-test-mode header; opt-in via
BotDetection:TestModeQueryParam.
1. Risk-gated content (<sb-risk>)
High risk. If this were a real product page,
you'd be served the lite version and your form posts would face a
proof-of-work challenge. Wrapped in
<sb-risk min="High">.
2. Signal-driven variation (<sb-signal>)
Detected as a declared bot. If you're a verified crawler, you're allowed; otherwise the route handlers downstream will reject you.
3. Honeypot form (<sb-honeypot />)
This form contains three offscreen trap fields. Humans don't see them; bots fill them in. View source to confirm they're there.
4. Endpoint traffic shaping
The opening Razor view from the talk also wires up three minimal-API endpoints at the routing layer:
GET /api/data..BlockBots(): all bots refused. Try it.GET /sitemap.xml..BlockBots(allowVerifiedBots: true, allowSearchEngines: true). Try it.POST /api/login..BotPolicy("strict", blockThreshold: 0.5).
Tip: hit /api/data while demo mode is set to
scrapy or curl and watch it 403.