loading...
the swiss army knife of bot prevention and verification.
drop in one script tag. brickwall handles the rest with proof-of-work challenges, and signed tokens. static-site and dynamic-site friendly. extremely easy-to-use and customizable to fit your needs.
<script src="https://brickwall.onrender.com/js/protect.min.js" data-site="YOUR_KEY"></script>
static sites, jamstack, single-page apps — if it serves html, brickwall works.
the script checks for a valid signed token in localStorage. already verified? pass through instantly — nothing shown, no delay.
no valid token — visitor is redirected to a challenge page. browser fingerprinting + a short proof-of-work puzzle. under two seconds for real users.
pass the challenge, receive a signed jwt. bounced back to where they came from with the token in the url. stored locally, lasts 24h by default.
repeated failures, abnormal timing, known bad ip ranges — all handled server-side. your site sees none of it.
no sdk, no complicated setup. just a script tag and a dashboard.
client script is under 2kb. it won't touch your lighthouse score.
verification state lives in a signed jwt. your site never calls a database.
ip-level limits built in. bots hammering the challenge endpoint get progressively longer timeouts.
github pages, netlify, s3, cloudflare — anything that serves html works.
verified visitors pass silently every time. no captchas, no checkboxes, no hoops.
every attempt logged — country, detection type, pass/block status. real-time.
manage multiple sites from one dashboard. each gets its own key, log, and settings.
allow crawlers, block tor, flag vpns. set token ttl. toggle per site.
mit licensed. self-host it, fork it, read every single line.
real traffic is complicated. here's how brickwall handles the edge cases.
| scenario | what happens | user sees anything? |
|---|---|---|
| search engine crawlers googlebot, bingbot, etc. | allowed if enabled, crawlers auto-bypass the challenge and get a token immediately. logged as "crawler". | no |
| tor exit nodes known tor ip ranges | blocked if tor blocking is on, ip is denied before the challenge. shows an access denied message. | access denied page |
| vpn / datacenter ips known hosting asns | flagged logged with detection type. configurable to block outright or just flag. | challenge (not blocked by default) |
| headless browsers puppeteer, playwright, etc. | blocked navigator.webdriver check and phantom/nightmare artifact detection on the challenge page. | verification failed page |
| javascript disabled noscript users | graceful noscript fallback message explains that js is required. | noscript message |
| challenge timeout user walks away mid-challenge | expires challenge ids expire after 2 minutes. user is re-challenged cleanly on retry. | no |
| instant solve pow solved in <200ms | blocked timing check flags suspiciously fast solves. a human can't solve it that fast. | verification failed page |
| token expired returning visitor, ttl elapsed | re-challenged expired token cleared, visitor sent back through the challenge flow. | challenge page (transparent) |
one plan, no surprises. usage-based pricing coming post-beta.
no mailing lists. no sales calls. register and you're in.