Client side proof of work might be enough now but it won't last: solve challenge, reuse cookie.

Ja4 fingerprinting is a new-ish in interesting approach, not for blocking but as an extra metric to validate trust on requests