I want to add an additional roadblock in my application to prevent automating it via JavaScript, specifically when the automated requests are being done via XMLHttpRequest from any of the popular browsers.
Is there a reliable tell-tale sign of an XMLHttpRequest that I can use in ASP.NET?
And I guess the other related question is, is it hard for XMLHttpRequest to appear to be an ordinary human-driven request? Because if it is, then I guess I’m on a fool’s errand.
UPDATE: I might be phrasing the question too narrowly. The goal is to detect: code written by someone else, not submitted by an ordinary browser, might be a bot, might not be from my intranet customers, etc. So far XHR and .NET WebRequest requests come to mind.
You could always use a CAPTCHA to ensure that a human is responsible for submitting the request. recaptcha.net is free and helps to digitize books.
Edit:
If you know what type of malicious behavior you are trying to prevent, you could develop simple algorithms for detecting that behavior. When that behavior is detected you could challenge the client with a CAPTCHA to ensure that a human is responsible. This approach is starting to become common practice. Take a look at this post on this topic.
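One way to wire the detect-then-challenge approach described in the answer above, as an added example that is not code from the original post. `ChallengeGate`, the request-rate heuristic, the threshold of 5 requests per 10 seconds and the `clientKey` value are all assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;

// Hypothetical helper, not an ASP.NET API: challenges a client once its
// request rate exceeds what a person is assumed to produce.
public sealed class ChallengeGate
{
    private readonly int _max;
    private readonly TimeSpan _window;
    private readonly Dictionary<string, Queue<DateTime>> _hits =
        new Dictionary<string, Queue<DateTime>>();
    private readonly HashSet<string> _flagged = new HashSet<string>();
    private readonly object _sync = new object();
    public ChallengeGate(int max, TimeSpan window) { _max = max; _window = window; }

    // True when the request should get a CAPTCHA instead of being processed.
    // clientKey is an assumption, e.g. a session id or the remote address.
    public bool RequiresChallenge(string clientKey, DateTime nowUtc)
    {
        lock (_sync)
        {
            if (_flagged.Contains(clientKey)) return true;
            Queue<DateTime> q;
            if (!_hits.TryGetValue(clientKey, out q))
                _hits[clientKey] = q = new Queue<DateTime>();
            // Drop timestamps that have left the sliding window.
            while (q.Count > 0 && nowUtc - q.Peek() > _window) q.Dequeue();
            q.Enqueue(nowUtc);
            if (q.Count <= _max) return false;
            _flagged.Add(clientKey); // stays flagged until the CAPTCHA is solved
            return true;
        }
    }
    // Call only after the CAPTCHA answer has been verified server-side.
    public void MarkSolved(string clientKey)
    {
        lock (_sync) { _flagged.Remove(clientKey); _hits.Remove(clientKey); }
    }
}

public static class Demo
{
    public static void Main()
    {
        var gate = new ChallengeGate(5, TimeSpan.FromSeconds(10));
        var t0 = new DateTime(2024, 1, 1, 0, 0, 0, DateTimeKind.Utc); // constructed
        for (int i = 0; i < 8; i++) // constructed burst: one request every 200 ms
            Console.WriteLine("{0}: challenge={1}", i, gate.RequiresChallenge("client-a", t0.AddMilliseconds(200 * i)));
    }
}
```

Because the decision is made from server-side observations rather than from anything the client declares about itself, it applies equally to XHR, .NET WebRequest and ordinary browser traffic.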