nonstress CAPTCHA

Easy to use, and so secure Anti-Bot serviceCopied!

There’re no stresses for visitors and developers, let give the stresses for bad bots!

UsageCopied!

You just have to add these tags in your page:

<script src="https://hamutan86.pythonanywhere.com/nonstress/nonstress.js" async defer></script>

It will automatically create a CAPTCHA token when the visitor open or refresh the page. And It’s completely invisible, doesn’t give stresses for visitors.

You can fetch the CAPTCHA token with:

nonstress.getToken();

or, you can still use the legacy way:

document.querySelector('input[type="nonstress"]').value;

when CAPTCHA challenge is incomplete, it will return just ““. (empty str)

if somehow CAPTCHA challenge failed, it will return “Failed“.

If you got a string like “rsiohabadxbfkvfk.PcOgasOdV8K1RcKnPcK…”, it is the CAPTCHA token.
You have to send the CAPTCHA token to the server-side.

In server-side, you can validate CAPTCHA token with:

POST https://hamutan86.pythonanywhere.com/nonstress/validate

{
  "token": "CAPTCHA token that received from client-side"
}

If token is valid, the API returns like:

{
  "error": "",
  "pass": true,
  "risk_rate": "clean|low|medium|high|bot(pass:false)", # human usually gets clean or low
  "visitor_data": {
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64...",
    "ip": "8e550c45b5c5fe8f00c781033c..." # hashed with sha-256 for privacy
  }
}

visitor’s ip is hashed with sha-256 for privacy (it isn’t salted so you can still use it for validation). you can use visitor_data for validate that is the person completed CAPTCHA and the person requested to your server are same.

or if token is not valid, the API returns like:

{"error":"token doesn't exist","pass":false}
{"error":"expired token","pass":false} # token will expire on 5 minutes