Client-side detection methods involving JavaScript (checking navigator.webdriver, canvas fingerprinting, or WebRTC leaks) are increasingly unreliable. Sophisticated bots, headless browsers with stealth plugins, and privacy-focused users often block or spoof client-side execution environments.

To build a robust security perimeter, engineers must rely on server-side detection. This approach analyzes the raw HTTP request, the TCP/IP stack, and the reputation of the connecting IP address before the application layer even processes the payload.

1. HTTP Header Forensics

Transparent and anonymous proxies often inject specific headers to manage traffic routing. While "Elite" proxies strip these headers, analyzing incoming request headers is the first line of defense with zero latency cost.

Key headers to monitor include:

Via
X-Forwarded-For
Forwarded
X-Real-IP
X-Forwarded-Proto

Python (Flask) Implementation

from flask import request, abort

def is_proxy_headers(headers):
    proxy_headers = [
        'Via', 
        'X-Forwarded-For', 
        'Forwarded', 
        'X-Proxy-ID', 
        'X-Scraper-ID'
    ]
    
    for header in proxy_headers:
        if header in headers:
            return True
    return False

@app.before_request
def block_proxies():
    if is_proxy_headers(request.headers):
        abort(403, description="Proxy traffic detected via headers.")

Note: This method produces false negatives against high-anonymity (Elite) proxies which scrub these headers entirely.

2. TCP/IP Stack Fingerprinting (Passive OS Detection)

Proxies act as intermediaries. When a user on a Windows machine routes traffic through a Linux-based proxy server (e.g., Squid on Ubuntu), the TCP packet characteristics often reveal the operating system of the proxy, not the user.

By comparing the User-Agent (Application Layer) against the TCP/IP parameters (Transport Layer), you can detect discrepancies indicative of proxy usage.

Key Metrics:

TTL (Time To Live): Windows usually defaults to 128; Linux/Unix usually defaults to 64.
TCP Window Size: distinct patterns exist for different OS versions.

Logic: If User-Agent contains "Windows NT 10.0" but the packet TTL is 50-64, the request is likely coming from a Linux-based proxy or VPN gateway, not the actual Windows client.

3. Active Verification: Port Scanning and rDNS

Active detection involves probing the connecting IP address.

Reverse DNS (rDNS): Perform a pointer (PTR) record lookup. Hostnames containing strings like vpn, proxy, tor, or generic cloud provider names (e.g., amazonaws.com for residential traffic) are red flags.
Port Scanning: Check the connecting IP for open ports commonly used by proxies (e.g., 8080, 1080, 3128).

Warning: Active port scanning is resource-intensive, slow, and can lead to legal complications or your server being blacklisted by ISPs.

4. The Deterministic Approach: IP Intelligence API

Manual header parsing and TCP fingerprinting require constant maintenance to avoid false positives. Furthermore, residential proxies (rotated IPs from real ISP customers) are indistinguishable via headers or OS fingerprinting because the exit node is a real user device.

The industry standard for detecting modern proxies—including residential and mobile 4G/5G proxies—is querying a dedicated IP intelligence database.

Node.js Implementation with IPASIS

Using an API offloads the complexity of maintaining massive blocklists and heuristic engines.

const axios = require('axios');

async function checkIP(ipAddress) {
  const API_KEY = process.env.IPASIS_KEY;
  
  try {
    const response = await axios.get(`https://api.ipasis.com/v1/${ipAddress}?key=${API_KEY}`);
    const data = response.data;

    // Check if IP is a proxy, VPN, or Tor node
    if (data.is_proxy || data.is_vpn || data.is_tor) {
      console.log(`Blocked connection from ${ipAddress}: ${data.threat_type}`);
      return false; // Block access
    }
    
    return true; // Allow access
  } catch (error) {
    console.error('IP Analysis failed:', error);
    // Fail open or closed depending on security posture
    return true; 
  }
}

FAQ

Q: Can I detect Tor exit nodes without JavaScript? A: Yes. Tor exit nodes are public knowledge. You can download the list of exit nodes and match the incoming IP against it server-side. However, using an API is more efficient as these lists change hourly.

Q: Why is server-side detection better than client-side? A: Client-side scripts (JS) execute in an environment controlled by the attacker. They can mock, hook, or strip the detection code. Server-side checks analyze the network reality that the attacker cannot easily alter without dropping the connection.

Q: What are 'Residential Proxies' and why are they hard to detect? A: Residential proxies route traffic through legitimate home Wi-Fi devices (often unaware they are part of a botnet). They have clean ISP reputations and no proxy headers. Only deep behavioral analysis or huge threat intelligence databases (like IPASIS) can identify them.

Secure Your Infrastructure with IPASIS

Don't rely on easily bypassed JavaScript checks. IPASIS provides real-time, enterprise-grade IP intelligence to detect VPNs, proxies, and Tor nodes with <50ms latency.

Get your free API key today and stop anonymous traffic at the gate.

Server-Side Proxy Detection: Identifying Traffic Without JavaScript