So I kind of set up another level of security well not really more of a gate to help block more bots and scrapers that seem to bypass robots.txt and whatever enhancements and blocks you have in your .htaccess file, these currently are working on my #friendica instance fairly well so maybe they can help someone maybe they do nothing;
First at the very top of your index.php in the root of your friendica directory right after the <? I added the following code,
then I created in the root directory again, gate.php
in both places change Your_Alien_Secret for your actual matching secret, and maybe it will help kill some bot and scrapers from hitting your instance so hard;
⚖️ License (MIT)
Copyright (c) 2026 pasjrwoctx👽 (Philip A. Swiderski Jr.)
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE
@Friendica Support @Friendica Developers @Friendica Admins
You can encourage my continued useless ideas, and by doing so your helping to feed, house and clothe a #disabled man living in #poverty, $5-10-15 It All Helps, via #cashapp at $woctxphotog or via #paypal at https://www.paypal.com/donate?campaign_id=5BN5MB5BVQL22
First at the very top of your index.php in the root of your friendica directory right after the <? I added the following code,
// --- ALIEN GATE START ---
$request = $_SERVER['REQUEST_URI'] ?? '';
// 0. Signed cookie (prevents bots forging it)
$secret_key = 'Your_Alien_Secret';
$valid_cookie = hash_hmac('sha256', 'verified', $secret_key);
$has_cookie = isset($_COOKIE['instance_access']) &&
hash_equals($valid_cookie, $_COOKIE['instance_access']);
if (!$has_cookie) {
// 1. Federation / machine endpoints (never gate)
$is_fediverse =
str_contains($request, '/.well-known/') ||
str_contains($request, '/activitypub/') ||
str_contains($request, '/api/') ||
str_contains($request, '/assets/');
// 2. Static assets (never gate)
$is_static = preg_match('/\.(css|js|png|jpg|ico|svg|woff2)$/i', $request);
// 3. Only gate the root URL
if ($request === '/' && !$is_fediverse && !$is_static) {
require 'gate.php';
exit;
}
// 4. Prevent bypass via /index.php
if ($request === '/index.php') {
header('Location: /');
exit;
}
}
// --- ALIEN GATE END ---then I created in the root directory again, gate.php
<?php
// 1. VERIFICATION LOGIC
if (isset($_GET['nonce']) && isset($_GET['seed'])) {
$nonce = (int)$_GET['nonce'];
$seed = $_GET['seed'];
$check_hash = hash('sha256', $seed . $nonce);
// Verify hash matches the "000" requirement
if (str_starts_with($check_hash, '000')) {
$secret = 'Your_Alien_Secret';
$token = hash_hmac('sha256', 'verified', $secret);
setcookie("instance_access", $token, time() + 86400 * 30, "/");
header("Location: /index.php");
exit;
}
}
// 2. CHALLENGE UI
$seed = bin2hex(random_bytes(16));
?>
<html>
<head>
<title>Access Verification</title>
<link href="https://fonts.googleapis.com/css2?family=Atkinson+Hyperlegible+Mono&display=swap" rel="stylesheet">
<style>
body {
display: flex;
flex-direction: column;
justify-content: center;
align-items: center;
height: 100vh;
margin: 0;
font-family: 'Atkinson Hyperlegible Mono', monospace;
background-color: #f4f4f9;
color: #333;
}
.container {
text-align: center;
padding: 2rem;
background: white;
border-radius: 8px;
box-shadow: 0 4px 6px rgba(0,0,0,0.1);
}
</style>
</head>
<body>
<div class="container">
<h2>Your Instance Name</h2>
<h3>Verification Required</h3>
<p id="status">Your Computer Is Solving A Security Challenge To Prove You Are A Human...</p>
<p>Your Computer Is Solving A Security Challenge To Prove You Are A Human...</p>
<p>Your Privacy Matters, No Data Is Recorded...</p>
</div>
<script>
const seed = "<?php echo $seed; ?>";
let nonce = 0;
async function sha256(message) {
const msgUint8 = new TextEncoder().encode(message);
const hashBuffer = await crypto.subtle.digest('SHA-256', msgUint8);
return Array.from(new Uint8Array(hashBuffer)).map(b => b.toString(16).padStart(2, '0')).join('');
}
async function solve() {
const startTime = Date.now();
while (true) {
let hash = await sha256(seed + nonce);
if (hash.startsWith("000")) {
const elapsed = Date.now() - startTime;
const remaining = 2000 - elapsed;
if (remaining > 0) {
document.getElementById('status').innerText = "Verifying human interaction...";
await new Promise(r => setTimeout(r, remaining));
}
window.location.href = `?nonce=${nonce}&seed=${seed}`;
break;
}
nonce++;
}
}
solve();
</script>
</body>
</html>in both places change Your_Alien_Secret for your actual matching secret, and maybe it will help kill some bot and scrapers from hitting your instance so hard;
⚖️ License (MIT)
Copyright (c) 2026 pasjrwoctx👽 (Philip A. Swiderski Jr.)
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE
@Friendica Support @Friendica Developers @Friendica Admins
You can encourage my continued useless ideas, and by doing so your helping to feed, house and clothe a #disabled man living in #poverty, $5-10-15 It All Helps, via #cashapp at $woctxphotog or via #paypal at https://www.paypal.com/donate?campaign_id=5BN5MB5BVQL22
Carlos Solís
•pasjrwoctx👽
•Melanie Wehowski
•pasjrwoctx👽
•Melanie Wehowski
•$is_fediverse =
str_contains($request, '/.well-known/') ||
str_contains($request, '/activitypub/') ||
str_contains($request, '/api/') ||
str_contains($request, '/assets/') ||
str_contains($request, '/inbox');
You could also check for Request-Type headers.
A cookie can be faked, you should consider to store the OK in the session instead?
pasjrwoctx👽
•pasjrwoctx👽
•Melanie Wehowski
•if ($request === '/' makes it clear, sorry!
$is_fediverse and is_static is not necessary then?
Melanie Wehowski
•The sessionID is in the cookie yes, but the info can be in the session. If a bad bot starts a new session, well it will not have the "OK" in the session.
Accept headers can be faked but that would make less sense as it breaks content negotiation, and you can use it as ONE aspect of other bot indicators.
For server to server protocol an instance will act like a "legitim bot", it will not pass a captcha or session check, validation of the request is done via signatures.
pasjrwoctx👽
•Tealk
•