
Security

Difficulty scaling

Difficulty scaling controls how computationally expensive the Proof of Work challenge will be.

Factors

Name                  Dynamic scaling   Notes                                                              Availability
Hosting ASN           no                Accidentally includes most VPNs                                    Free+
Abusive ASN           no                Business ASN with abusive traffic                                  Free+
IP reputation         no                IP reputation is static and uses Cloudflare’s Threat Score [1]     Free+
IP scaling            yes               IPs are reduced to /24 (or /48 for IPv6)                           Professional+
ASN scaling           yes                                                                                  Business+
Country scaling       yes                                                                                  Business+
User-Agent scaling    yes                                                                                  Enterprise
Fingerprint scaling   yes               Device fingerprint obtained through JavaScript                     Enterprise

Dynamic scaling

Dynamic scaling will increase the difficulty when a lot of traffic from the same source is received.

These counters are always one-way hashed in a non-reversible way and are deleted after at most 10 minutes of inactivity.

Hashed value

The value is hashed with a static salt and a dynamic one that depends on the data center the request is being handled in and the current hour. That means the same value gets hashed differently depending on the data center and the hour.

SHA256(salt + datacenter + hour + value)

The static salt is also rotated on regular intervals.

This is designed to protect user data even in case of a compromise of the data storage provider and to further anonymize everything we store.
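The counter scheme described above (the /24 or /48 reduction from the factors table, the SHA256(salt + datacenter + hour + value) key, and the 10-minute inactivity expiry), as an added illustration that is not the product's own code. The salt value, the hour encoding, the data center label and the scaling curve in scaled_difficulty are assumptions; the page only fixes the hash layout, the prefix lengths and the expiry.

```python
import hashlib
import ipaddress

# Assumed values: the page gives the hash layout, the /24 and /48 reduction and the
# 10-minute expiry, but not the real salt, hour format or scaling curve.
STATIC_SALT = b"placeholder-static-salt"  # rotated on a schedule in the real service
INACTIVITY_TTL = 10 * 60                  # seconds; idle counters are dropped after this


def reduce_ip(ip: str) -> str:
    """Collapse an address to its /24 (IPv4) or /48 (IPv6) network before counting."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))


def hash_key(value: str, datacenter: str, hour: int, salt: bytes = STATIC_SALT) -> str:
    """SHA256(salt + datacenter + hour + value): the only form in which a source is stored."""
    h = hashlib.sha256()
    for part in (salt, datacenter.encode(), str(hour).encode(), value.encode()):
        h.update(part)
    return h.hexdigest()


def scaled_difficulty(base: int, count: int, step: int = 50, max_doublings: int = 4) -> int:
    """Assumed policy: double the PoW difficulty every `step` requests, capped at 2^max_doublings."""
    return base * 2 ** min(count // step, max_doublings)


class ScalingCounters:
    """Per-source counters keyed solely by the hashed value; the raw value is never stored."""

    def __init__(self) -> None:
        self._counters = {}  # hashed key -> (count, last_seen_timestamp)

    def _expire(self, now: float) -> None:
        stale = [k for k, (_, seen) in self._counters.items() if now - seen > INACTIVITY_TTL]
        for k in stale:
            del self._counters[k]

    def record(self, value: str, datacenter: str, now: float) -> int:
        """Count one request from `value` and return the running count for this hour/datacenter."""
        self._expire(now)
        key = hash_key(value, datacenter, int(now // 3600))  # hour bucket; key changes hourly
        count = self._counters.get(key, (0, now))[0] + 1
        self._counters[key] = (count, now)
        return count
```

Because the hour is part of the key, a source that is still active at the hour boundary starts a fresh counter, which is why the counters are unsuitable for anything beyond short-lived scaling.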

Fingerprint

We generate a fingerprint of the device running the challenge by generating a random canvas through JavaScript. As difficulty scaling does not require long-term persistence, the parameters for generating the canvas are changed frequently (around every hour) to preserve user privacy.

Canvas fingerprinting by itself is only useful for identifying a device, not a user.

Additionally, the fingerprint is too volatile to be used for any kind of persistent tracking and unable to identify a user.

Challenges

After calling pcaptcha.render the embedded widget iframe will run multiple challenges to probe the user’s browser for automation software and make attacks computationally expensive.

Proof of Work

The Proof of Work challenge is a CPU intensive challenge that is designed to make attacks computationally expensive.

The computational cost depends on variable difficulty.

The Proof of Work challenge will detect if the runtime supports Web Workers and WebAssembly to choose an optimized implementation to achieve greater performance on modern browsers.

Workers allow the challenge to be parallelized across multiple threads and CPU cores, whereas WebAssembly allows running an optimized implementation which is ~30% faster.

Automation Detection

All plans include basic protection against bots and detection of automation tools, browser/hardware spoofing and captcha farms.

Higher plans receive more comprehensive protection and insights.

Footnotes

  1. Only available when using a region powered by Cloudflare.