Anubis is great. If you haven't heard of it, it's a Proof-of-Work bot protection tool that forces every client — including headless browsers — to solve a CPU challenge before accessing your site. It's been blowing up lately, with major projects like GNOME and FFmpeg adopting it to fight AI scrapers.
There's just one problem: Anubis requires a reverse proxy. That means if your site is on Cloudflare Pages, Netlify, Vercel, or GitHub Pages, you simply can't use it.
I ran into this exact problem with my own blog. I wanted PoW protection, but I'm on Cloudflare Pages — no server, no reverse proxy, nothing. So I built Albireo.
How it works
Instead of a reverse proxy, Albireo runs entirely on edge functions:
- Cloudflare Pages → Pages Functions (`_middleware.ts`)
- Netlify → Netlify Edge Functions
- Vercel → Next.js Middleware (`middleware.ts`)
When a request comes in, the edge function intercepts it and checks for a valid PoW token in the cookie. If there's no valid token, it serves a challenge page. The client solves the challenge using Web Workers (multi-threaded, so it's faster for real users), then gets a signed HMAC token and is redirected to the original page.
The whole thing is serverless — no database, no backend, no infrastructure to maintain.
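The check-or-challenge flow above, as an added sketch that is not Albireo's own code: a SHA-256 leading-zero-bits challenge plus a stateless `<expiry>.<hmac>` cookie token. The challenge format, token layout, difficulty, TTL and all function names are assumptions for illustration, and it uses Node's `node:crypto` so it runs offline (edge runtimes expose Web Crypto instead).

```javascript
// Added illustration: token and challenge formats are assumptions, not Albireo's own.
const nodeCrypto = require("node:crypto");

const SECRET_KEY = "constructed-demo-secret"; // placeholder; use a long random value
const DIFFICULTY_BITS = 12;                   // assumed difficulty, kept low for the demo
const TTL_SECONDS = 3600;                     // assumed token lifetime

// Count the leading zero bits of a hash digest.
function leadingZeroBits(buf) {
  let bits = 0;
  for (const byte of buf) {
    if (byte === 0) { bits += 8; continue; }
    return bits + Math.clz32(byte) - 24; // clz32 works on 32 bits, a byte uses the low 8
  }
  return bits;
}

// Server side: a single hash verifies work that cost the client thousands of hashes.
function verifyPow(challenge, nonce, difficulty = DIFFICULTY_BITS) {
  const digest = nodeCrypto.createHash("sha256").update(`${challenge}:${nonce}`).digest();
  return leadingZeroBits(digest) >= difficulty;
}

// Client side: the loop a Web Worker would run, brute-forcing a nonce.
function solvePow(challenge, difficulty = DIFFICULTY_BITS) {
  for (let nonce = 0; ; nonce++) if (verifyPow(challenge, nonce, difficulty)) return nonce;
}

function sign(payload, secret) {
  return nodeCrypto.createHmac("sha256", secret).update(payload).digest("hex");
}

// Stateless token: the expiry is signed, so no database is needed to validate it.
function issueToken(nowSec, secret = SECRET_KEY) {
  const expiry = String(nowSec + TTL_SECONDS);
  return `${expiry}.${sign(expiry, secret)}`;
}

function verifyToken(token, nowSec, secret = SECRET_KEY) {
  const parts = String(token).split(".");
  if (parts.length !== 2 || !/^\d+$/.test(parts[0])) return false;
  const expected = Buffer.from(sign(parts[0], secret));
  const given = Buffer.from(parts[1]);
  // Constant-time compare; check length first because timingSafeEqual throws on mismatch.
  if (given.length !== expected.length || !nodeCrypto.timingSafeEqual(given, expected)) return false;
  return Number(parts[0]) > nowSec; // reject expired tokens
}
```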
What it protects against
To be honest about the limitations (as the README says): Albireo is designed to deter the vast majority of automated crawlers, especially bots scraping static content. It is not intended to defeat highly resourced or targeted scraping operations.
What it does stop well:
- JS-less bots (they can't solve the challenge at all)
- Headless browsers running at scale (PoW makes mass scraping expensive)
- Basic scrapers that don't handle cookies
SEO bots (Google, Bing, etc.) are whitelisted by default, so your search rankings won't be affected.
Comparison
| | Albireo | Anubis | Cloudflare Free | Cloudflare Pro+ |
|---|---|---|---|---|
| Cost | Free | Free | Free | $20–200+/mo |
| Requires server | ❌ | ✅ | ❌ | ❌ |
| Works on Netlify | ✅ | ❌ | ❌ | ❌ |
| Works on Vercel | ✅ | ❌ | ❌ | ❌ |
| Proof-of-Work | ✅ | ✅ | ❌ | ✅ |
| Slows headless browsers | ✅ | ✅ | ❌ | ✅ |
| Open source | ✅ | ✅ | ❌ | ❌ |
Cloudflare's free Bot Fight Mode relies on User-Agent and IP heuristics — easy to bypass. Albireo forces real computation regardless of how sophisticated the bot is.
Setup (Cloudflare Pages — 3 steps)
- Copy the `functions` folder to your project root
- Change `SECRET_KEY` in `_middleware.ts` to a random string
- Push and deploy
That's it. If you don't have mascot images, it automatically falls back to emoji indicators (😐 / 😊 / ❌), so it works out of the box with zero assets.
Netlify and Vercel setups are equally simple — check the README for details.
Live demo
My blog is running Albireo right now: leaftechblog.cloudns.biz
First visit will show you the challenge page. Subsequent visits within the TTL window skip the challenge automatically.
GitHub: github.com/51511/Albireo
Feedback welcome — especially if you run into issues on Netlify or Vercel, those are harder for me to test than Cloudflare Pages.