Equip BridgeDB with anti-bot mechanism
BridgeDB sees many bot requests. The ones I've seen cycle over exit relays to fetch several bridge types (obfs2 (!), obfs3, obfs4, scramblesuit, and vanilla) from BridgeDB's HTTPS interface. Interestingly, they get most captchas right.
We don't know who's operating these bots or what they are doing with their bridges but we should make BridgeDB more resistant to these attacks. Let's add a mechanism that allows us to configure request headers that BridgeDB should ignore, e.g., requests whose user agent contains curl.
Ideally, instead of BridgeDB responding "bots aren't allowed to get bridges," we could serve an empty response, or a decoy bridge whose only purpose is to find out what the bot operators are doing with it.