The application should make itself difficult to scan by requiring a valid session with each request and limiting the rate of requests for that session