The favicon signal
Real browsers automatically fetch/favicon.ico (and icons like
/apple-touch-icon.png) when they render a page. Headless scrapers almost never
do. Rankly uses that difference as a lightweight signal of a real human:
- When a request with a browser user-agent fetches a favicon, that’s strong evidence a real browser rendered the page.
- These favicon fetches are tracked as a humanity signal, not counted as page traffic.
- If a suspicious request comes from an IP that also fetched a favicon, the suspicious request is cleared as human, because the favicon proves a real browser was there.
User-agent coherence
Modern browsers produce user-agents that are internally consistent. Rankly checks for tell-tale signs that a user-agent was forged or comes from an old automation library, and flags those requests as disguised:| What Rankly catches | Why it’s suspicious |
|---|---|
| Not a real browser | A modern browser user-agent always starts with Mozilla/5.0. Missing it usually means a forged or very old client. |
| Dead browser | Internet Explorer (MSIE / Trident) reached end of life in 2022. Near-zero real users remain. |
| Very outdated Chrome or Firefox | Modern browsers auto-update within days of a release. A version more than two years old is almost always forged or an old headless engine. |
| Very outdated Android | Android below 9 has effectively no real-world share. |
| Fake OS details | Since 2023, browsers send reduced, fixed OS tokens for privacy (for example Windows NT 10.0, Mac OS X 10_15_7, Android 10; K). A user-agent reporting anything else is incoherent. |
How it reads in your dashboard
Disguised hits flagged
The count of requests caught wearing a browser’s clothes but failing a
coherence check, broken down by reason.
Cleared as human
Flagged requests that were cleared because the same IP also fetched a
favicon, proving a real browser.
This is a defense-in-depth layer. It works alongside
identity verification: verification proves a known
vendor is who it claims to be, while the humanity check catches anonymous bots
trying to pass as ordinary visitors.