Caputchin
Understanding Caputchin

Instrumentation

View as Markdown

Proof of work proves that effort was spent. It does not prove what spent it. A determined attacker with a farm of real browsers can grind through puzzles cheaply. Instrumentation is the second layer that closes that gap: it proves the work happened inside a genuine browser.

How it works

On every request, Caputchin generates a fresh, one-off JavaScript program and runs it in the visitor's browser. The program exercises machinery that only a real browser has, and reports back what it observed:

  • Browser API probes that check genuine browser functionality is present and behaves correctly.
  • Computation chains of bitwise integer operations.
  • DOM arithmetic that builds trees of elements, reads the values the layout engine computes for them, and tears them back down.

The trick is an asymmetry: a real rendering engine produces the right answers almost for free, while a headless or scripted runtime stubs these operations out, implements them incorrectly, or skips them for speed. The mismatch gives the visitor away.

Content-Security-Policy

Because the program runs eval in the visitor's browser, the page that embeds your widget must allow 'unsafe-eval' in its script-src Content-Security-Policy. There is no fallback for this: if 'unsafe-eval' is blocked, the program cannot run and verification fails. If your policy cannot allow it, turn instrumentation off for the key on its Security page, which drops the requirement at the cost of automated-browser detection (proof of work and any required game still run). See game sandboxing for the complete host-page policy.

Why it pairs with proof of work

The two layers cover each other's blind spots. Proof of work alone can be mined cheaply by real browsers; instrumentation alone could be faked by a script that never does the work. Together they raise the cost on two independent axes: proof of work proves effort, instrumentation proves environment.

Obfuscation

Because the program ships to the visitor, a motivated attacker could study it and try to pre-compute the answers. To make that harder, the program is obfuscated. A key's Security page exposes an Obfuscation level: turning it up makes the program harder to reverse-engineer, at the cost of more server-side CPU. The same signals back the Block automated browsers option, which rejects detected headless and WebDriver clients outright.

An honest limit

Instrumentation is not foolproof. Stealth browsers patch the tells it looks for, and the checks themselves note they can be beaten. It is one layer among several, strongest when stacked with proof of work and the rest of a key's security settings.

Proof of work

Previous

Gaming anti-cheat

Next

On this page

How it worksContent-Security-PolicyWhy it pairs with proof of workObfuscationAn honest limit