Security & Privacy
How Crovly protects your users while stopping bots.
Privacy by Design
- No Cookies — Crovly doesn't set or read any cookies. Zero tracking across sites.
- No PII Collection — Browser signals are hashed client-side. We only see a SHA-256 fingerprint hash, never raw data.
- GDPR Compliant — No personal data processing. No consent banner required for Crovly.
- No Third-Party Requests — Widget only communicates with your configured API endpoint. No Google, no Meta, no tracking pixels.
How Detection Works
Crovly uses a multi-signal scoring system. When behavioral analysis data is available (v2 widget), weights are:
| Signal | Weight | Description |
|---|---|---|
| Proof of Work | 30% | SHA-256 puzzle solution |
| Browser Fingerprint | 20% | Hardware/software signals |
| Environment Detection | 20% | Headless browser checks |
| Behavioral Analysis | 15% | Mouse, keyboard, scroll, touch patterns |
| IP Reputation | 15% | Historical abuse data |
Without behavioral data (v1 widget), weights adjust to 35/25/25/15.
Proof of Work
The browser must compute SHA-256 hashes until it finds one with the required number of leading zero bits. This is cheap for the server to verify (a single hash check) but costly for the client to produce. Difficulty scales with IP reputation.
Browser Fingerprint
Canvas hash, WebGL renderer, audio context, screen properties — all hashed together into a single SHA-256. Detects headless browsers that lack real hardware fingerprints.
Environment Detection
Checks for automation flags:
- navigator.webdriver === true
- Chrome DevTools Protocol leaks
- Plugin/mime type anomalies
- WebGL "SwiftShader" / "Mesa" renderer
- Permissions API timing behavior
Behavioral Analysis
The widget collects interaction statistics (not raw events) during the user's session:
- Mouse movement count, distance, direction changes, speed variance
- Keyboard dwell time variance
- Scroll event count and direction changes
- Touch event count
- Total elapsed time
Bots exhibit unnaturally consistent patterns — constant mouse speed (low variance), perfectly straight movements, uniform keystroke timing. Real humans are naturally inconsistent.
IP Reputation
Datacenter IPs, known proxy/VPN ranges, and historical abuse patterns contribute to the IP reputation score.
IP Allowlist / Blocklist
Pro plan users can configure per-site IP rules to immediately allow or block specific IPs or CIDR ranges. Blocked IPs receive score 0 without going through the full verification pipeline. When allowlist rules exist, only listed IPs can pass verification.
Why Not Image Captchas?
Image captchas (select all traffic lights, etc.) are easily solved by AI vision models. GPT-4V, Claude, and dedicated captcha-solving APIs can solve them in seconds with 90%+ accuracy.
Proof of Work cannot be bypassed by AI — it requires actual computational effort regardless of intelligence.
IP Binding
When you pass expectedIp in the verify-token call, Crovly ensures the token was solved from the same IP. This defeats human farms — even if a real human solves the captcha, the token can't be used from a different machine.