Challenges
In order to prevent bots and automatic scrapers from accessing your site, you can either utilise Auto-Challenging or issue a CHALLENGE action in a rule.
Depending on your exact configuration, this will present a challenge to the visiting user. Our challenges are designed to be executed automatically without any user interaction, for maximum accessibility and a positive user experience. In most cases, the user will only see a quick challenge page for 1 or 2 seconds and will then be redirected to the requested page.
Passing Cookie
rescaled WAF will issue a passing cookie to the user that includes a cryptographically signed attestation of which kind of challenge, at which complexity, the user has successfully solved.
For the configured time-to-live (TTL) of this cookie, the user won't be presented with the challenge again.
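As an added illustration of what a signed passing cookie can look like (this is example code, not rescaled WAF's own format or implementation), the following issues an HMAC-SHA256-signed token carrying the solved challenge type, its difficulty and an expiry, and verifies it on the next request. The secret key, the claim names, the rule that a harder challenge type satisfies a requirement for an easier one, and the `CHALLENGE_RANK` ordering are assumptions for this example; the type names come from the documented list.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time

# Hypothetical server-side secret; a real deployment loads it from a secret store.
SECRET_KEY = b"constructed-demo-key-not-for-production"

# Assumed ordering of the documented challenge types, easiest to hardest.
CHALLENGE_RANK = {"metarefresh": 0, "preact": 1, "pow": 2}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_passing_cookie(challenge_type, difficulty, ttl_seconds, now=None, key=SECRET_KEY):
    """Build '<payload>.<tag>': JSON claims plus an HMAC over the exact payload bytes."""
    now = time.time() if now is None else now
    claims = {"typ": challenge_type, "dif": difficulty,
              "iat": int(now), "exp": int(now) + ttl_seconds}
    payload = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)


def verify_passing_cookie(cookie, required_type, required_difficulty, now=None, key=SECRET_KEY):
    """Return the claims if the cookie is authentic, unexpired and attests at least
    the required challenge; otherwise None (the visitor must be challenged again)."""
    now = time.time() if now is None else now
    try:
        payload_b64, tag_b64 = cookie.split(".")
        payload, tag = _unb64(payload_b64), _unb64(tag_b64)
    except (ValueError, binascii.Error):
        return None
    # Check the signature before trusting anything inside the payload.
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    claims = json.loads(payload)
    if claims["exp"] <= now:
        return None
    held, needed = CHALLENGE_RANK.get(claims["typ"], -1), CHALLENGE_RANK[required_type]
    if held < needed:
        return None
    # Same type: the attested difficulty must reach the difficulty the rule demands.
    if held == needed and claims["dif"] < required_difficulty:
        return None
    return claims
```

Verification rejects a cookie on any of four grounds: malformed encoding, a signature mismatch (which is what a tampered type, difficulty or expiry produces), an elapsed TTL, or an attestation weaker than what the matching rule requires.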
Challenge Types
As of today, three different challenge types are supported. You can either configure which challenge type and difficulty to use directly in a rule issuing a challenge, or you can configure the auto-challenge thresholds with the respective type and difficulty.
Available for configuration are the following challenge types (from easiest to hardest):
- metarefresh
- preact
- pow
While we chose to not disclose the technical specification of these challenges, we will provide a more detailed explanation on when to use which challenge type below.
Metarefresh
This challenge is the easiest kind of challenge, and it works with all browsers, even if they don't support JavaScript. Its only use case is to prevent highly automated CLI-based scrapers and bots from accessing your site.
It will not be able to prevent headless browsers from accessing your site, which a majority of more complex bots are using these days. However, this kind of challenge introduces the least amount of friction for the user, as it's nearly impossible to fail for a human-controlled browser.
Preact
This challenge requires JavaScript to be enabled in the visitor's browser. It utilises advanced functionality of the lightweight JavaScript framework Preact to execute the challenge within the browser.
This kind of challenge will lock out any visitor with disabled JavaScript. Modern headless browsers will still be able to solve the challenge. However, it's expected to slow down the initial page load and make it more likely for automated scrapers to fail.
POW
This challenge utilises a Proof of Work mechanism. It's a cryptographic challenge that requires the visitor to solve a mathematical problem in order to access the requested page.
It requires higher computational power and more complex JavaScript execution capabilities. While this challenge also won't prevent automated scrapers utilising headless browsers from accessing your site, it makes the process much more expensive and time-consuming for the unwanted guests so it eventually becomes uneconomical for most scrapers.
Legitimate visitors are expected to solve the challenge within a few seconds (depending on your configured complexity). JavaScript must be enabled in the visitor's browser for this challenge to be executed.
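To make the cost model of this section concrete, here is an added hashcash-style proof-of-work round trip (example code, not rescaled WAF's undisclosed challenge): the server hands out a random nonce together with a difficulty expressed as a number of leading zero bits, the visitor's side searches for a counter whose SHA-256 over nonce and counter meets it, and the server verifies the answer with a single hash and accepts each nonce only once within its TTL. The `PowServer` class, the nonce format and the in-memory issued-nonce store are assumptions for this example.

```python
import hashlib
import os
import time
from typing import Optional


def leading_zero_bits(digest: bytes) -> int:
    """Count leading zero bits of a digest; the difficulty is compared against this."""
    bits = 0
    for byte in digest:
        if byte == 0:
            bits += 8
            continue
        bits += 8 - byte.bit_length()
        break
    return bits


def pow_hash(nonce: bytes, counter: int) -> bytes:
    return hashlib.sha256(nonce + counter.to_bytes(8, "big")).digest()


def solve(nonce: bytes, difficulty: int, max_iterations: int = 1 << 24) -> Optional[int]:
    """Visitor side: brute-force a counter. Expected work is about 2**difficulty hashes,
    which is the knob that makes mass scraping expensive; None if the budget runs out."""
    for counter in range(max_iterations):
        if leading_zero_bits(pow_hash(nonce, counter)) >= difficulty:
            return counter
    return None


class PowServer:
    """Server side: issue single-use, time-limited challenges and verify solutions."""

    def __init__(self, difficulty: int, ttl_seconds: int = 60):
        self.difficulty = difficulty
        self.ttl = ttl_seconds
        self._issued = {}  # nonce -> issue time (constructed in-memory store)

    def issue(self, now=None) -> dict:
        now = time.time() if now is None else now
        nonce = os.urandom(16)
        self._issued[nonce] = now
        return {"nonce": nonce.hex(), "difficulty": self.difficulty}

    def verify(self, nonce_hex: str, counter: int, now=None) -> bool:
        now = time.time() if now is None else now
        try:
            nonce = bytes.fromhex(nonce_hex)
        except ValueError:
            return False
        # pop() makes every nonce single-use, so a solved answer cannot be replayed.
        issued_at = self._issued.pop(nonce, None)
        if issued_at is None or now - issued_at > self.ttl:
            return False
        # Verification costs one hash regardless of difficulty; only the solver pays.
        return leading_zero_bits(pow_hash(nonce, counter)) >= self.difficulty


if __name__ == "__main__":
    server = PowServer(difficulty=16)
    challenge = server.issue()
    answer = solve(bytes.fromhex(challenge["nonce"]), challenge["difficulty"])
    print("solved with counter", answer, "accepted:", server.verify(challenge["nonce"], answer))
```

Each extra bit of difficulty doubles the visitor's expected work while leaving the server's verification cost unchanged, which is the asymmetry the paragraph above relies on; the TTL and single-use check keep a solved answer from being reused across many requests.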
Roadmap
We're currently working on a fourth challenge type that incorporates a real CAPTCHA mechanism alongside browser fingerprinting. This approach will most likely be able to detect a majority of standardized bots and headless browsers without specific fine-tuning.