It seems inevitable, but in the mean time, that's vastly more expensive than running curl in a loop. In fact, it may be expensive enough that it cuts bot traffic down to a level I no longer care about defending against. Like GoogleBot had been crawling my stuff for years without breaking the site. If every bot were like that, I wouldn't care.

Cool, if they're running full blown chromium maybe the next step can be mining bitcoin on any pages served to bots.

Even that functions as a sort of proof of work, requiring a commitment of compute resources that is table stakes for individual users but multiplies the cost of making millions of requests.

AFAIK you can bypass it with curl because there's an explicit whitelist for it, no need for a headful browser.

Well it's a race, just like security. And as long as anubis is in the front, all looks bright