BotID Incorrectly Flagging All Traffic as Bot

Current behavior: All traffic flagged as bot by botid.
Expected behavior: Humans should be flagged as humans.

Running a Nuxt app, using several Nuxt core team modules, which I will include below. I basically followed the Nuxt setup from the BotID docs exactly as listed, but all traffic is being flagged as bot traffic when attempting to access protected API routes. Current setup is below:

//nuxt.config.ts
import { defineLocalBusiness } from 'nuxt-schema-org/schema'

export default defineNuxtConfig({
  modules: [
    'botid/nuxt',
    '@nuxt/eslint',
    '@nuxt/image',
    '@nuxtjs/seo',
    '@nuxt/ui',
    'nuxt-llms',
    '@nuxt/content',
    '@vueuse/nuxt',
    'nuxt-og-image',
    '@nuxt/fonts',
    '@pinia/nuxt',
    'pinia-plugin-persistedstate/nuxt',
    '@nuxtjs/algolia',
    'nuxt-vitalizer',
    '@nuxt/scripts',
    'nuxt-security',
    
  ],
...
//server/api/contact/test.post.ts
import { defineEventHandler, readValidatedBody, createError, setResponseStatus, getRequestIP, getRequestHeaders } from 'h3';
import { checkBotId } from 'botid/server';

export default defineEventHandler(async (event) => {
    const headers = getRequestHeaders(event);
    console.log('Received Headers:', headers);
    const verification = await checkBotId();
    console.log('BotID Verification:', verification);
    console.log('Incoming Request Headers:', headers);
    if (verification.isBot) {
        console.warn('Bot traffic detected. Logging for now...');
        /* throw createError({
            statusCode: 403,
            statusMessage: 'Access denied',
            message: 'Bot traffic is not allowed to submit this form.'
        }); */
    } else {
        console.log('Human traffic verified. Proceeding with form submission.');
    }
    return verification;
});

//app/plugins/botid.client.ts
import { initBotId } from 'botid/client/core';
 
export default defineNuxtPlugin({
  enforce: 'pre',
  setup() {
    console.log('Initializing BotId plugin...');
    initBotId({
      protect: [{ path: '/api/contact/submit', method: 'POST' }, { path: '/api/contact/test', method: 'POST' }],
    });
    console.log('BotId plugin initialized.');
  },
});

I have tried manually setting the headers by using:

const headers = getRequestHeaders(event);
console.log('Received Headers:', headers);
const verification = await checkBotId({ advancedOptions: { headers: headers }});

I have tried asking gemini, claude, vercel’s support ai, r/nuxt, r/vercel. All with no success. Looking for someone who can help get this configured properly. I am hosting directly on vercel.

landworks-website.vercel.app

In further debugging, there is a generic ‘Error’ log being logged to the console from c.js, which appears to be the botid script running.

The header being sent via x-is-human is below:

{"b":1,"v":0.05743024747801701,"e":"eyJhbGciOiJkaXIiLCJlbmMiOiJBMjU2R0NNIn0..PfixDu6TLn950CBO.BQ1v9b17e5tWpNHWdANY0oFMrcLmQwJcoDz3sPjrC9etwWNYV3gIVcm6BX4A67cOJjRuQKVEs7LgFmaY4dkoRr-fuS0lRsJH6UNkpggbJHe7kaCe77tgOzA4wvvr2ROgwYuS1JmwaBVgtgLNUp6N-AmLejennxaG1AOTzJMGqsX8Vb9Xyhc7IFZO7criJnUsNPwUcKYbqaE5X-nCFa8MleyGvfFDR6klVVeRVdlkhuqhOCPb73CmHtL2lGdRPHnetj1PnTQcrwcE43ZpgR-JQydytchIZiJ-uqGSxCsyuW_RuKL-qWiSwG4LU03tii4CbI6Ca9e7bBf4hJ1zgGYiiJA11le_DDj2u3ZWi_sLIR5oE9HH0X3WcZmW1Fh1DOqrdibqtDzV2XuWXJhfDfpurp6Egf1sooNJT-htc6esrPBCWIRybUORE88k_QeHNedCJ5Cza_SOwsU0wwIfJ89r2QgFWJBq7GtHBbnjbEvjj54GgTqJt-KgAcUbsC4.PiRHp2VlZzPC2rUwJrmU7g","s":"tVEiLaAg/LINxjTemJiaoTRgffGMQs2CpMM58xzI44ZID7Be2+9UN9/I/V/EWnAcVndrftkcCdaSHoh5teGwiGSGzi8N5lacwEnTHdmZIKSdF6/SAp2bliLuDphw6Xlui49wyuMVF2w6w6Y3yum1oSVbGgjWRNgLq/XFXTadC7g5Y+M0AIEmLPq4XzrgIfMKGtxMYXnScOMv0DlAXLE/OQVhdGi19pgdY5jjYgs7flPngY39/BdUO6dy0w8ZjCOPwGnTgMrM2ccm4m4xGDzJrO+R13OBxYn4EA7h+A/bpVeAg58=","d":0,"vr":"3"}

I am guessing the "b":1 indicates a bot score?

I’d love to see some additional documentation on botid, or a debugging tool to submit such a header to see the result.

Additional debugging I have tried:

  1. Disable the nuxt security module completely
  2. disable ssr
  3. remove enforce: pre from nuxt plugin definition
  4. create an empty repository with the basic nuxt starter and a simple form: still incorrectly flags all traffic as bot
    1. repo: GitHub - ajarshem/nuxt-app

Pinging @quuu, I see you were very helpful diagnosing a botid error in this thread. If you are available to assist, I have been racking my brain on this for a solid day and a half now. Seems to be an issue with botid’s nuxt implementation as far as I can tell.

1 Like
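A structural look at an `x-is-human` value like the one posted above, as an added example that is not part of any post in this thread and not BotID's own code. It parses the outer JSON and reads the `e` field as a JWE compact serialization (RFC 7516), whose protected header decodes to `alg: dir`, `enc: A256GCM`; the function name and the sample value are constructed, and no field meaning is assumed.

```javascript
// Added example: report the envelope of an x-is-human header without decrypting it.
// Field meanings (b, v, s, d, vr) are not documented on the page and are not interpreted.
function b64urlBytes(segment) {
  return Buffer.from(segment, 'base64url');
}

function inspectIsHumanHeader(raw) {
  let outer;
  try {
    outer = JSON.parse(raw);
  } catch {
    return { ok: false, reason: 'header is not valid JSON' };
  }
  if (outer === null || typeof outer !== 'object' || typeof outer.e !== 'string') {
    return { ok: false, reason: 'no string field "e"' };
  }
  // JWE compact form: header.encryptedKey.iv.ciphertext.tag
  const parts = outer.e.split('.');
  if (parts.length !== 5) {
    return { ok: false, reason: `expected 5 JWE segments, got ${parts.length}` };
  }
  const [hdr, key, iv, ciphertext, tag] = parts;
  let protectedHeader;
  try {
    protectedHeader = JSON.parse(b64urlBytes(hdr).toString('utf8'));
  } catch {
    return { ok: false, reason: 'protected header is not base64url JSON' };
  }
  return {
    ok: true,
    fields: Object.keys(outer),
    protectedHeader,
    // With alg "dir" the key segment is empty: the content key is pre-shared,
    // so the payload cannot be read from devtools or server logs.
    encryptedKeyBytes: b64urlBytes(key).length,
    ivBytes: b64urlBytes(iv).length,
    ciphertextBytes: b64urlBytes(ciphertext).length,
    tagBytes: b64urlBytes(tag).length,
  };
}

// Constructed sample with the same shape as the posted header (not a real token).
const SAMPLE_JWE = ['eyJhbGciOiJkaXIiLCJlbmMiOiJBMjU2R0NNIn0', '',
  'A'.repeat(16), 'Y29uc3RydWN0ZWQ', 'A'.repeat(22)].join('.');
const SAMPLE = JSON.stringify({ b: 1, v: 0.5, e: SAMPLE_JWE, s: 'Y29uc3RydWN0ZWQ=', d: 0, vr: '3' });

console.log(inspectIsHumanHeader(SAMPLE));
```

A 12-byte IV and 16-byte tag are what AES-GCM normally uses; a header that fails these structural checks was truncated or rewritten somewhere between the client script and the route handler.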

Hey @ajarshem - just dug into things a bit. The root issue is that on the BotID side we expected all-caps POST, GET, DELETE, OPTIONS, but your app looks to be doing lowercase post.

This is definitely something we need to support, and as a result I cut a new package version: 1.5.9 that allows any casing of pOsT or GeT and it’ll all work, not just uppercase.

Please give botid@1.5.9 a try and let me know!

2 Likes

Thanks for the info! And for the update!

Really sorry to be a bother, but unfortunately, after upgrading the package and changing my ‘post’ to ‘POST’ just to be safe, I still seem to be getting flagged as a bot in my simple testing app. I’ve cleared cache/cookies, tried other browsers, tried my mobile device - all return isBot:true.

I think what’s really throwing me off is the "b":1 field within the x-is-human header. I’m guessing that is some sort of bot score where 1 indicates bot? Am I being flagged as a bot on the client side before the request is even made?

Thanks!

@quuu, I went ahead and stripped out everything, even nuxt/ui, to go as barebones as possible in case something was causing a conflict. It seems that either I am a bot and have become self-aware enough to not realize it, or something with the botid nuxt module is having troubles. Not a huge deal, I can fall back to a reCAPTCHA or Turnstile or something, but I really like the concept of botid. Thanks again for the help so far!

Hey @ajarshem - apologies for the delayed response - I dug very deep to figure out that there’s a bug in our Nuxt module code. The rewrites that are necessary for BotID aren’t being registered correctly in the Nuxt module. I’m working with the Nuxt team to figure out a longer term fix, but to fix it right now, you can get BotID to work on your Nuxt app by using the redirects for Other Framework via a vercel.json (see Get Started with BotID).

1 Like

@quuu Amazing! That works perfectly, thank you for taking the time to look into this. This is an incredible level of support and I seriously appreciate it. I’ll stay tuned to see what the nuxt team says about the nuxt module, but for now using the rewrites in vercel.json is working just fine. Thanks again!

1 Like
