Web Dev Tools

Bot Protection / CAPTCHA

Keeping automated traffic out — login, signup, contact forms, scrapers.

Invisible / low-friction CAPTCHAs

  • Cloudflare Turnstile — free, no Google dependency, mostly invisible (managed challenge), GDPR-friendly. The default for new projects.
  • hCaptcha — privacy-friendly Google reCAPTCHA alternative; free tier; pays out for Bitcoin / image labeling on the paid plan.
  • Friendly Captcha — proof-of-work in the browser; no images; EU-hosted; paid only at this point.
  • Arkose Labs (FunCaptcha) — gamified, used in high-stakes signup flows; paid, with "free trial" tiers offered occasionally.
  • reCAPTCHA v3 (Google) — score-based, invisible; still around, less recommended due to Google dependency and shrinking accuracy.

Per-form / per-action

  • Honeypot fields — invisible-to-humans inputs; trivial to add, blocks ~80% of basic bots for free.
  • Time-to-submit checks — bots fill forms in < 1s; reject anything under, e.g., 1.5s.
  • Origin / referer checks — basic; layered on top of everything else.

Bot detection / fingerprinting

  • FingerprintJS / Fingerprint Pro — device identification; free open-source core, paid pro tier.
  • Castle, HUMAN Security, DataDome, PerimeterX — commercial bot management; pricey.
  • Cloudflare Bot Management — free tier covers basic bot scoring; advanced is a paid Cloudflare add-on.

Anti-AI-scraper specifically

  • Anubis (Xe Iaso) — free, open-source proof-of-work challenge; popular in 2026 for blocking AI training scrapers.
  • Cloudflare's "Block AI bots" toggle — free, one-click in the Cloudflare dashboard.
  • robots.txt + ai.txt — documented but often ignored; layer with the above, don't rely on it alone.

Account-takeover / credential stuffing

  • Have I Been Pwned (HIBP) API — check submitted passwords against breaches; free for the password endpoint.
  • zxcvbn — password strength scoring; client-side.
  • WebAuthn / Passkeys — the long-term answer; see Auth.

Pick this if…

  • Default form CAPTCHA: Cloudflare Turnstile.
  • You want "no Google": Turnstile or hCaptcha.
  • High-stakes signup (financial / accounts at risk): Arkose + FingerprintJS Pro.
  • Block AI scrapers: Anubis or Cloudflare's AI-bot toggle.
  • Cheapest first defense: honeypot + time-to-submit + Turnstile.
