Every CAPTCHA you've ever solved was an admission that the internet has no good way to tell humans from bots. You clicked traffic lights for Google. You traced bicycles for hCaptcha. You waited for Cloudflare to decide you're real. Total nonsense (I'm apparently blind and can't find buses and bikes).
We built something that doesn't need any of that.
H33-BotShield uses SHA-256 proof-of-work instead of image puzzles. Your visitor's browser solves a cryptographic challenge in the background. No images. No checkbox. No tracking. No third party. The user never sees anything.
The Problem With Every Existing Solution
reCAPTCHA is Google's data collection tool. It loads a JavaScript bundle that sends behavioral telemetry to Google's servers — mouse movements, scroll patterns, browser fingerprints, cookies. Every website using reCAPTCHA is a Google surveillance endpoint that your users didn't consent to. If you're subject to GDPR, you probably need a consent banner just for the CAPTCHA.
hCaptcha swapped Google for different image puzzles. The tracking is reduced, but the friction is identical. Your users are still clicking grid squares. Screen readers can't solve them. Mobile users misclick constantly. Accessibility lawsuits against CAPTCHA-dependent websites are increasing every year.
Cloudflare Turnstile is invisible, which is better. But it's a proprietary black box. Cloudflare decides who's human based on signals you can't audit. If a legitimate user is blocked, you have no visibility into why. You're outsourcing a security decision to a company that also sells bot services to the other side.
Rate limiting punishes the wrong people. VPN users, corporate networks behind NAT, mobile carriers sharing IPs — they all look like "one IP, many requests" to a rate limiter. You block legitimate users while sophisticated bots rotate through residential proxy networks.
How Proof-of-Work Fixes This
The concept is simple: make each client prove they spent computational effort before they get access to a resource.
When a visitor loads a BotShield-protected page, the server issues a challenge: a random nonce and a difficulty level. The browser uses the Web Crypto API to search for a number that, combined with the nonce, produces a SHA-256 hash with the required number of leading zero bits.
At the default difficulty of 16 bits, this takes one to three seconds on a modern laptop or phone. The computation runs asynchronously in a background thread — it doesn't block the main thread, doesn't freeze scrolling, doesn't affect page interaction. The user literally never knows it happened.
The server verifies the solution in microseconds (checking a hash is trivial). If valid, it issues a session token that's good for one hour. Every subsequent request from that browser carries the token. No re-challenge until the session expires.
Why Bots Can't Win This Game
A single human solving a single challenge is trivial. But economics change at scale.
At difficulty 16, each challenge requires approximately 65,000 SHA-256 hashes. A bot farm sending 10,000 requests per second needs to solve 10,000 challenges per second — that's 650 million hashes per second just to keep up. And each solved challenge produces one session, not unlimited requests.
Now here's where it gets interesting. BotShield monitors request velocity per client and auto-adjusts difficulty:
- Normal (16 bits): Default. 1-3 seconds. Invisible to humans.
- Elevated (20 bits): Kicks in at 50 challenges per minute from the same source. Takes 10-30 seconds per challenge. Aggressive scrapers hit this wall.
- Maximum (24 bits): Kicks in at 200 per minute. Approximately 16 million hashes per challenge. Takes minutes. Effectively impossible at scale.
The cost to the attacker grows exponentially with each difficulty step. The cost to the defender stays constant — verification is always microseconds regardless of difficulty.
Integration: Pick Your Level
Level 1: One Script Tag (zero code changes)
Add this to any page. The script auto-runs on page load, solves the challenge, stores the session token in a cookie. Done. Works on WordPress, Shopify, static HTML, React, Next.js — anything with a
tag.Level 2: npm Package (for JS applications)
npm install @h33/botshield
import { protect, getToken, createProtectedFetch } from '@h33/botshield';
// Full flow: challenge → solve → store token
await protect();
// Get the token for custom requests
const token = getToken();
// Or wrap fetch to auto-include the token in every request
const safeFetch = createProtectedFetch();
const response = await safeFetch('/api/submit', {
method: 'POST',
body: formData
});
createProtectedFetch is the killer feature for SPAs. It wraps fetch so every outbound request automatically includes the X-H33-BotShield-Token header.
Your backend checks the token; your frontend code doesn't change.
Level 3: Server-Side Verification
For login forms, checkout flows, or any endpoint where you need server-side proof:
# Python
import requests
token = request.headers.get('X-H33-BotShield-Token')
result = requests.post('https://api.h33.ai/v1/botshield/verify',
json={"session_token": token})
if result.json()["valid"]:
process_request()
else:
return {"error": "Bot verification required"}, 403
// Node.js
const result = await fetch('https://api.h33.ai/v1/botshield/verify', {
method: 'POST',
headers: { 'Content-Type': 'application/json' },
body: JSON.stringify({ session_token: req.headers['x-h33-botshield-token'] })
});
const { valid } = await result.json();
What BotShield Does Not Do
It does not fingerprint your users. It does not track them across sites. It does not send their data to a third party. It does not use cookies for tracking — only for storing the session token on that domain. It does not require JavaScript frameworks, browser extensions, or specific browser versions. It does not display visual puzzles, audio challenges, or interactive elements. It does not block screen readers, keyboard navigation, or assistive technology.
It computes hashes. That is all it does.
Privacy Architecture
Under GDPR, there is no personal data processed. The challenge nonce is random. The solution is a number. The session token is a cryptographic hash. Nothing identifies the person.
Under CCPA, there is no personal information collected.
Under ePrivacy, the session cookie is strictly necessary for the service. No consent banner required.
The legal analysis is simple because the technical architecture eliminates the data before the legal question arises.
The Comparison
Pricing
- Free: 10,000 challenges per month. No credit card. A small "Secured by H33.ai" badge appears.
- Pro ($49/mo): Unlimited challenges. Badge removed. Custom difficulty. Webhooks. Analytics dashboard.
What's Behind It
BotShield is built by H33.ai, a post-quantum cryptographic infrastructure company. The same engineering team that runs 2.17 million encrypted operations per second on production hardware. The PoW challenge nonces are signed with CRYSTALS-Dilithium (NIST FIPS 204) post-quantum signatures — meaning a bot cannot forge a pre-solved challenge even with a quantum computer.
That's probably overkill for bot prevention. But when you have post-quantum signing infrastructure already running, you might as well use it.
Try It
Product page: https://h33.ai/botshield
npm: npm install @h33/botshield
Technical deep dive: https://h33.ai/blog/h33-botshield-proof-of-work-bot-prevention
Live demo (watch the PoW challenge solve in real time): https://h33.ai/demo
I'm the developer — ask me anything in the comments.
Top comments (0)