Crovly

Security & Privacy

How Crovly protects privacy — zero cookies, no tracking, hashed fingerprints, IP binding, and full GDPR compliance by design.

Privacy by Design

  • No Cookies — Crovly doesn't set or read any cookies. Zero tracking across sites.
  • No PII Collection — Browser signals are hashed client-side. We only see a SHA-256 fingerprint hash, never raw data.
  • GDPR Compliant — No personal data processing. No consent banner required for Crovly.
  • No Third-Party Requests — Widget only communicates with your configured API endpoint. No Google, no Meta, no tracking pixels.

How Detection Works

Crovly uses a multi-layered scoring system that combines several independent signals to determine whether a visitor is human or a bot. Each signal is weighted and combined into a final score between 0.0 (bot) and 1.0 (human).

Proof of Work

The browser must solve a cryptographic puzzle (SHA-256) that requires real CPU time. This is trivial to verify server-side (single hash check) but expensive to fake at scale. Difficulty adapts automatically based on risk signals — legitimate users experience ~200ms delay, while suspicious traffic faces significantly harder puzzles.

Browser Fingerprint

Hardware and software signals from the browser are hashed into a single SHA-256 fingerprint. This detects headless browsers and automation tools that lack realistic hardware characteristics. No raw data leaves the browser — only the hash is sent.

Environment Analysis

The widget performs a series of checks to detect automation frameworks, headless browsers, and modified runtime environments. These checks evolve continuously to stay ahead of evasion techniques.

Behavioral Analysis

During the user's session, the widget collects lightweight interaction statistics — not raw events, just aggregated metrics. Real humans exhibit naturally inconsistent patterns, while bots tend to be unnaturally uniform. This layer is especially effective against sophisticated bots that pass other checks.

IP Reputation

Historical abuse data, datacenter detection, and proxy/VPN identification contribute to the risk assessment. Known bad actors face higher difficulty automatically.

Adaptive Difficulty

Crovly automatically adjusts puzzle difficulty based on the overall risk profile of each request. Clean traffic gets easy puzzles (barely noticeable), while suspicious traffic gets progressively harder challenges. Site owners can also configure difficulty preferences in the dashboard.
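The puzzle from Proof of Work and the scaling from Adaptive Difficulty, sketched as a generic hashcash-style scheme. This is an added example, not Crovly's code or wire format: the leading-zero-bits target, the 12 to 20 bit range, the `risk` input (higher means more suspicious) and all function and class names are assumptions.

```python
import hashlib
import secrets

def leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in a digest."""
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()

def difficulty_for_risk(risk: float, base_bits: int = 12, max_bits: int = 20) -> int:
    """Assumed mapping: risk 0.0 (clean) -> base_bits, 1.0 (suspicious) -> max_bits."""
    risk = min(max(risk, 0.0), 1.0)
    return base_bits + round(risk * (max_bits - base_bits))

def solve(challenge: bytes, bits: int) -> int:
    """Client side: try counters until the hash meets the target (~2**bits hashes)."""
    counter = 0
    while True:
        digest = hashlib.sha256(challenge + counter.to_bytes(8, "big")).digest()
        if leading_zero_bits(digest) >= bits:
            return counter
        counter += 1

class PowVerifier:
    """Server side: issues challenges and checks each solution with one hash."""

    def __init__(self) -> None:
        self._issued = {}  # challenge -> bits the server demanded

    def issue(self, risk: float) -> tuple[bytes, int]:
        challenge = secrets.token_bytes(16)  # unpredictable, so work cannot be precomputed
        bits = difficulty_for_risk(risk)
        self._issued[challenge] = bits
        return challenge, bits

    def verify(self, challenge: bytes, counter: int) -> bool:
        # pop() makes a challenge single-use: a replayed solution is rejected,
        # and the difficulty comes from server state, never from the client.
        bits = self._issued.pop(challenge, None)
        if bits is None or not 0 <= counter < 2**64:
            return False
        digest = hashlib.sha256(challenge + counter.to_bytes(8, "big")).digest()
        return leading_zero_bits(digest) >= bits

if __name__ == "__main__":
    server = PowVerifier()
    challenge, bits = server.issue(risk=0.1)
    counter = solve(challenge, bits)
    print(bits, counter, server.verify(challenge, counter), server.verify(challenge, counter))
```

Each extra bit doubles the solver's expected work while verification stays at one hash, which is the asymmetry the adaptive scheme relies on.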

IP Binding

When you pass expectedIp in the verify-token call, Crovly ensures the token was solved from the same IP. This defeats human farms — even if a real human solves the captcha, the token can't be used from a different machine.

IP Allowlist / Blocklist

Pro plan users can configure per-site IP rules to immediately allow or block specific IPs or CIDR ranges. Blocked IPs are rejected without going through the full verification pipeline.

Why Not Image Captchas?

Image captchas (select all traffic lights, etc.) are easily solved by modern AI vision models with 90%+ accuracy. Proof of Work cannot be bypassed by AI — it requires actual computational effort regardless of intelligence.
