HackerTrans
TopNewTrendsCommentsPastAskShowJobs

cport1

no profile record

Submissions

[untitled]

1 points·by cport1·há 11 dias·0 comments

[untitled]

1 points·by cport1·há 2 meses·0 comments

[untitled]

1 points·by cport1·há 4 meses·0 comments

[untitled]

1 points·by cport1·há 4 meses·0 comments

[untitled]

1 points·by cport1·há 4 meses·0 comments

GH Action analyzes changes, checks behavior change and generates Playwright test

github.com
2 points·by cport1·há 4 meses·0 comments

FCaptcha – A modern CAPTCHA system designed to detect everything

github.com
11 points·by cport1·há 4 meses·3 comments

[untitled]

1 points·by cport1·há 4 meses·0 comments

[untitled]

1 points·by cport1·há 5 meses·0 comments

Show HN: An Internationalization GitHub Action to Replace Crowdin with LLMs

github.com
1 points·by cport1·há 6 meses·1 comments

[untitled]

1 points·by cport1·há 6 meses·0 comments

[untitled]

1 points·by cport1·há 6 meses·0 comments

[untitled]

1 points·by cport1·há 6 meses·0 comments

[untitled]

1 points·by cport1·há 6 meses·0 comments

[untitled]

1 points·by cport1·há 6 meses·0 comments

[untitled]

1 points·by cport1·há 6 meses·0 comments

[untitled]

1 points·by cport1·há 6 meses·0 comments

[untitled]

1 points·by cport1·há 6 meses·0 comments

[untitled]

1 points·by cport1·há 6 meses·0 comments

[untitled]

1 points·by cport1·há 6 meses·0 comments

comments

cport1
·há 4 meses·discuss
-Detects only new/changed strings and translates them (no redundant API calls)

-Supports XLIFF 1.2, XLIFF 2.0, and JSON (flat + nested)

-Handles ICU MessageFormat plurals with CLDR rules for 20+ languages

-Commits translated files back to your repo automatically

-Works with Anthropic Claude, OpenAI, or self-hosted Ollama
cport1
·há 4 meses·discuss
You're right that most of these signals are spoofable in isolation. FCaptcha doesn't make pass/fail decisions on any single signal. It's weighted ensemble scoring across ~50 signals, where the cost of spoofing all of them simultaneously is the actual defense.

Addressing a few specific ones:

PoW CPU cost: Difficulty is adaptive — 4 for residential IPs, 6+ for datacenter. On modern hardware that's ~200-800ms. For 1M users/day that's ~55-220 CPU-hours total, distributed across clients. It's comparable to what Cloudflare Turnstile does.

Keyboard-only users: Already handled. If keyEvents >= 2 and totalPoints === 0 (tabbed + Enter/Space), all mouse-based detections are skipped. No false positives on keyboard users.

  "Can be recorded/replayed": signals are SHA-256 hashed and bound into the PoW input before solving. You can't solve PoW first then attach recorded signals... the hash won't match. Replaying old signal sets also fails because each challenge has a unique nonce.
Micro-tremor at 125Hz: Fair point... low polling rate mice produce less granular data. It's weighted low and only contributes when data is available. Not a gatekeeper.

CDP userGesture: true: Good catch. We detect CDP-specific artifacts (Runtime.evaluate residue, protocol binding flags), but you're right that a custom Chromium build sidesteps this entirely.

The honest answer: a sufficiently motivated attacker with a custom Chromium build can beat this. The goal is to make that cost high enough that it's cheaper to just solve the CAPTCHA legitimately or move to an easier target. Same tradeoff Cloudflare makes, but open source and privacy first.

Where I think the real gap is: server-side signals (IP reputation, TLS fingerprinting, rate patterns) and that's really what our paid bot detection is for. https://webdecoy.com
cport1
·há 6 meses·discuss
Browser-as-a-Service platforms like Browserbase, Hyperbrowser, and the growing ecosystem of LLM-powered browsers can spoof nearly every JavaScript API, rotate residential IPs, and generate convincing user agents. What they cannot easily fake is the TLS handshake.
cport1
·há 7 meses·discuss
Traditional bot detection doesn’t account for them. There’s no navigator.webdriver flag. No automation framework injecting globals. No suspicious HTTP headers. Just a browser, controlled by an AI that sees the screen exactly like you do. But vision agents have a fundamental weakness: they’re blind between screenshots. And that creates detection opportunities that behavioral analysis can exploit.
cport1
·há 7 meses·discuss
You can also checkout https://webdecoy.com if you want to catch them behaviorally and with honeypots.
cport1
·há 7 meses·discuss
Check out https://webdecoy.com if you want to start tracking which AI bots are hitting your site
cport1
·há 7 meses·discuss
That's a pretty hilarious idea, but in all serious you could use something like https://webdecoy.com/
cport1
·há 7 meses·discuss
I have been using https://webdecoy.com and integrating it with Cloudflare WAF.
cport1
·há 7 meses·discuss
might want to try something like https://webdecoy.com