AppEsteem web-compliance test harness

This site is a controlled destination operated by AppEsteem Corporation for evaluating how anti-bot, anti-fraud, and category-classification systems handle a wide range of request shapes. Every endpoint here is a passive sink: forms are accepted but never republished, ad-clicks never reach a real ad network, listings never go live. The site exists so we can observe the behavior of any intermediary between a client and this destination, without involving any real third-party victim.

How the simulation works. Each endpoint that an intermediary would see in real traffic — login submissions, rate-limited responses, comment/listing/like POSTs, ad-click trackers — responds with HTTP shapes that match what a real production site would send. Login forms 302-redirect to home with a session cookie; rate-limited endpoints return real 429s with Retry-After; ad-click trackers 302 to a landing URL. There is no diagnostic JSON sitting on top of these responses — if there were, the intermediary's behavior couldn't be measured honestly. The diagnostic endpoints (request reflectors at /api/echo/*, fingerprint at /fingerprint/data, status/redirect/delay utilities) are explicit testing tools; their JSON output is the contract. To verify what reached the server after submitting a form, look at your browser's network tab or the request log.

Operated by: AppEsteem Corporation.   Copyright: © AppEsteem Corporation. All rights reserved.   Terms / Privacy: see appesteem.com.

Test categories

The sub-pages below cover typical Acceptable-Use-Policy "Customer shall not…" prohibitions (login / signup / mass-posting / engagement / ad-fraud / impersonation / streaming / etc.), additional consumer-harm scenarios, and a battery of request-reflector and request-shaping utilities. See /usage for a table mapping each intermediary protection (rate-limit reaction, credential-stuffing detection, click-fraud detection, etc.) to the exact endpoint that exercises it. To automate testing, grab the betterbrowsing-tester skill bundle — drop-in instructions plus a baseline-probe script.

Credential round-trip / account creation

• Login form variants
  Multiple form shapes (GET, POST, password-typed field, no-password-type field, multi-step, renamed fields) — measures whether the intermediary blocks password-typing or POST submissions.
• Account signup form
  Fake-accounts test sink — does the intermediary intercept POSTs to a sign-up endpoint?

Volumetric / rate testing

• /api/health  ·  /api/fail  ·  /api/ratecap?fail_pct=N (returns 429 N% of the time)
  Configurable failure-rate endpoint. Returns a real 429 Too Many Requests with Retry-After: 30 for fail_pct% of hits (default 50%), 200 for the rest. The 429s are real-shaped so an intermediary can detect rate-limit pressure and react.

Mass posting / spam and engagement

• Comment POST sink
  Repeated identical-body POSTs — measures spam-shape detection.
• Like / share endpoint
  Bulk-engagement POST sink.
• Classified-listing form
  Classified / marketplace listing sink.

Ad fraud

• Simulated ad page + click tracker
  Self-hosted ad creative + click-tracker URL. No real ad-network billing occurs.

Impersonation / fingerprint

• Request fingerprint viewer
  Returns every header, cookie, and IP-chain field the server sees. Use to compare what an automation tool exposes vs. a real browser.

Cookies

• Cookie test menu
  Client-side set / clear / SameSite via document.cookie. HttpOnly demo via the __session cookie that /login/post issues — visible to the server but not to JS.

OSINT / scan targets

• Common-path OSINT bait
  /admin, /.env, /.git/config, /wp-login.php, /server-status, /phpmyadmin — measures whether an intermediary passes scan-shaped traffic.

Request reflectors & utilities

• /api/echo/headers  ·  /api/echo/ip  ·  /api/echo/user-agent echo
• /api/echo/get  ·  POST /api/echo/post echo
• /api/status/<code>  ·  /api/redirect/<n>  ·  /api/delay/<secs> utility