Analysis updated 2026-05-18
Block AI scrapers and headless browsers from silently scraping a website.
Add invisible bot detection to a page without a CAPTCHA or user friction.
Protect API endpoints from automated abuse using continuous session attestation.
Deploy a self-hosted anti-bot layer behind an existing reverse proxy.
| thakares/chronoseal-rs | codeitlikemiley/antigravity-sdk-rust | dedsec-xu/needle | |
|---|---|---|---|
| Stars | 3 | 3 | 3 |
| Language | Rust | Rust | Rust |
| Setup difficulty | hard | hard | moderate |
| Complexity | 4/5 | 4/5 | 3/5 |
| Audience | ops devops | developer | developer |
Figures from each repo's GitHub metadata at analysis time.
Requires building a WASM module with wasm-pack plus a separate Rust server build, then wiring both into a page.
ChronoSeal is a Rust and WebAssembly framework designed to tell real human visitors apart from bots, headless browsers, and AI scrapers, without showing a CAPTCHA or adding any friction for legitimate users. Instead of a one time check, it keeps proving a browser session is genuine over and over for as long as the page stays open. When a page loads, the WASM module in the browser generates a cryptographic keypair using the Ed25519 signature scheme, and that private key never leaves the browser's WASM memory. The browser then sends its public key to the server, which starts a session and hands back a small random program made of simple stack machine instructions like push, add, subtract, and hash. Every twelve to twenty five seconds, with some random jitter, the browser runs that program, mixes in signals like recent mouse movement, computes a new hash that is chained to the previous one, signs the whole thing, and sends it back as a heartbeat. The server checks the signature, the hash chain, and the behavioral signals before accepting it. This approach protects against several common attacks. Tools like Playwright or Puppeteer that fake being a real browser can be caught because they typically produce no real mouse movement. Old captured heartbeats cannot be replayed because each one depends on the one before it. Because failed checks always get a normal looking success response back, an attacker watching network traffic cannot easily tell that they have been blocked. The project is honest that it is not unbeatable. It describes itself as a way to make scraping expensive and complicated rather than a wall no one can get past. It is written in Rust, split into a shared library, an Axum based server, a WASM client module, and a small vanilla JavaScript file that wires it into a page. Session data lives in an in-memory SQLite database that resets whenever the server restarts. It can run as a native binary under systemd or inside Docker, and is meant to sit behind a reverse proxy such as nginx.
A Rust and WebAssembly tool that continuously verifies a browser session is a real human, not a bot or AI scraper, using signed heartbeats instead of a CAPTCHA.
Mainly Rust. The stack also includes Rust, WebAssembly, Axum.
The README does not state a license, so terms of use are unclear.
Setup difficulty is rated hard, with roughly 1h+ to a first successful run.
Mainly ops devops.
This repo across BitVibe Labs
Verify against the repo before relying on details.