6 challenge types to detect and differentiate bot traffic from humans
SHA-256 brute-force: browser must find a number matching a server-generated hash. Tests computational ability and WebWorker support.
Invisible checks for navigator.webdriver, CDP leaks, Playwright/Puppeteer markers, plugin arrays, error stack shape.
Cross-checks UA vs platform, screen vs viewport, WebGL renderer vs OS, timezone vs language, canvas hash stability.
Mouse movement entropy, click jitter, keystroke dynamics, scroll behavior, event timing distribution. Requires interaction.
rAF cadence, performance.now() resolution, SHA-256 benchmark, setTimeout latency, worker parallelism, navigation timing.