Last updated: 2026-02-24 16:58 UTC
Deploy on Server
This is the practical path for most teams.
Minimal deployment
- Copy .env.example to .env
- Set required secrets
- Run compose
cp .env.example .env
docker compose up -d
Required values
- BOTDETECTION_SIGNATURE_HASH_KEY
- BOTDETECTION_CLIENTSIDE_TOKEN_SECRET
- POSTGRES_PASSWORD (if using database services)
Full production template (server)
Use this as a baseline when you want response PII masking applied only to malicious traffic while keeping stealth throttling as the default.
{
  "BotDetection": {
    "BotThreshold": 0.7,
    "DefaultActionPolicyName": "throttle-stealth",
    "BotTypeActionPolicies": {
      "Tool": "throttle-tools",
      "MaliciousBot": "mask-pii"
    },
    "ResponsePiiMasking": {
      "Enabled": true,
      "AutoApplyForHighConfidenceMalicious": true,
      "AutoApplyBotProbabilityThreshold": 0.9,
      "AutoApplyConfidenceThreshold": 0.75
    }
  }
}
Equivalent .env overrides for the website container/process:
BOTDETECTION_ACTION_POLICY=throttle-stealth
BOTDETECTION_RESPONSE_PII_MASKING_ENABLED=true
BOTDETECTION_RESPONSE_PII_MASKING_AUTO_APPLY=true
BOTDETECTION_RESPONSE_PII_MASKING_AUTO_APPLY_BOT_THRESHOLD=0.9
BOTDETECTION_RESPONSE_PII_MASKING_AUTO_APPLY_CONFIDENCE_THRESHOLD=0.75
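A preflight check for the .env file before running compose, as an added example that is not part of the product's own tooling. It assumes plain KEY=value lines, that the two thresholds are fractions in [0, 1], and a 32-character minimum secret length chosen for this example; the script name preflight.sh is hypothetical.

```shell
#!/bin/sh
# Preflight check for .env before `docker compose up -d` (added example).
# Assumes plain KEY=value lines: no quotes, no "export", no inline comments.

# env_get FILE KEY: print the value of the last KEY= line, empty if absent.
env_get() {
    sed -n "s/^$2=//p" "$1" 2>/dev/null | tail -n 1
}

# in_unit_range VALUE: succeed if VALUE is a decimal number in [0, 1].
in_unit_range() {
    printf '%s\n' "$1" | grep -Eq '^(0(\.[0-9]+)?|1(\.0+)?)$'
}

# check_env ENV_FILE EXAMPLE_FILE: print one line per problem; non-zero if any.
# Secret values are never printed, only the names of the keys at fault.
check_env() {
    rc=0
    for key in BOTDETECTION_SIGNATURE_HASH_KEY \
               BOTDETECTION_CLIENTSIDE_TOKEN_SECRET; do
        val=$(env_get "$1" "$key")
        sample=$(env_get "$2" "$key")
        if [ -z "$val" ]; then
            echo "MISSING $key"; rc=1
        elif [ "$val" = "$sample" ]; then
            # Copied unchanged from the template, so it is not a secret.
            echo "PLACEHOLDER $key"; rc=1
        elif [ "${#val}" -lt 32 ]; then
            # 32 characters is this example's own floor, not a product rule.
            echo "SHORT $key"; rc=1
        fi
    done
    for key in BOTDETECTION_RESPONSE_PII_MASKING_AUTO_APPLY_BOT_THRESHOLD \
               BOTDETECTION_RESPONSE_PII_MASKING_AUTO_APPLY_CONFIDENCE_THRESHOLD; do
        val=$(env_get "$1" "$key")
        # Optional overrides: validate only when present.
        if [ -n "$val" ] && ! in_unit_range "$val"; then
            echo "RANGE $key=$val"; rc=1
        fi
    done
    return "$rc"
}

# Run as: sh preflight.sh .env .env.example
if [ "$#" -ge 2 ]; then
    check_env "$1" "$2"
fi
```
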
Verify deployment
docker compose ps
docker compose logs --tail 100
curl http://localhost/health
curl http://localhost/bot-detection/health
Recommended rollout
- Deploy in detect-only mode
- Observe for at least 24 hours
- Tune thresholds and policies
- Enable stronger actions gradually
Production hardening checklist
- Configure and rotate detection secrets
- Restrict dashboard access (/_stylobot) by policy/network
- Send logs/metrics to your observability platform
- Back up persistence stores where used
- Define incident response for false-positive spikes
Change-management pattern
- Create baseline metrics (bot %, challenge rate, block rate, false positives).
- Adjust one policy dimension at a time.
- Validate on a fixed time window before the next change.
- Promote configuration by environment.