Protection Settings
Configure protection levels, challenge thresholds, rate limits, IP lists, and geographic blocking for your CloShield domains.
1. Protection Levels
CloShield offers three preset protection levels that control when challenges activate based on traffic pressure. Choose the level that best fits your site's risk profile.
Easy
Minimal challenge overhead. Challenges only activate under significant traffic pressure. Good for low-risk sites or dev environments.
- Cookie stage threshold: 150 req/s
- JS challenge: 200 req/s
- CAPTCHA: 300 req/s
Medium
Balanced for production. Moderate thresholds. Recommended for most sites.
- Cookie: 80 req/s
- JS: 120 req/s
- CAPTCHA: 200 req/s
Hard
Aggressive for high-value targets. Lower thresholds. May cause friction for legitimate users during traffic spikes.
- Cookie: 30 req/s
- JS: 60 req/s
- CAPTCHA: 100 req/s
2. Challenge System
CloShield uses a staged challenge system that escalates based on per-domain traffic pressure (requests per second), not per-IP.
- Stage 0: Whitelisted — no challenge (used by firewall rules to bypass)
- Stage 1: Cookie verification (transparent 302 redirect with signed cookie)
- Stage 2: JavaScript challenge (checks performance.memory and navigator.plugins)
- Stage 3: Image CAPTCHA (6-character text with warped canvas)
- Stage 4+: Hard block (403 Forbidden)
Automatic escalation occurs when domain-wide RPS exceeds the configured bypassStage thresholds. De-escalation happens when RPS drops below disableBypassStage thresholds.
3. Rate Limiting
CloShield applies three independent rate limiters using sliding windows (default 120-second window, aggregated in 10-second buckets):
- R1 — Challenge failure rate limit: Limits how many times an IP can fail a challenge (cookie/JS/CAPTCHA). Per protection level: Easy=30, Medium=15, Hard=5
- R2 — Per-IP request rate limit: Total requests from a single IP in the sliding 2-minute window. Per protection level: Easy=300, Medium=150, Hard=60
- R3 — Unknown fingerprint rate limit: Limits requests from IPs with TLS fingerprints not matching known browsers. Per protection level: Easy=100, Medium=50, Hard=20
IPs exceeding these limits receive a branded block page. Rate limits automatically scale with your domain's protection level (Easy/Medium/Hard).
Additionally, the auto-ban system tracks repeat violations: an IP hitting R1/R2/R3 multiple times gets a time-based ban (5 min → 30 min → 2 hours → 24 hours) stored in your dashboard. Admins can manually unban IPs or add them to the whitelist to bypass both bans and rate limits.
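The following is an added example, not CloShield's own code, sketching how an R2-style per-IP limiter and the ban ladder described above could work with the page's numbers (120-second window, 10-second buckets, Easy/Medium/Hard limits). The class and method names are hypothetical, and advancing one ban rung per violation is an assumption, since the page says only "multiple times".

```python
from collections import defaultdict, deque

WINDOW_S, BUCKET_S = 120, 10                           # page: 120 s window, 10 s buckets
R2_LIMITS = {"easy": 300, "medium": 150, "hard": 60}   # page: R2 per-IP limits
BAN_LADDER_S = [300, 1800, 7200, 86400]                # page: 5 min, 30 min, 2 h, 24 h


class PerIpLimiter:
    """Hypothetical R2-style limiter: bucketed sliding window plus ban ladder."""

    def __init__(self, level):
        self.limit = R2_LIMITS[level]
        self.buckets = defaultdict(deque)  # ip -> deque of [bucket_start, count]
        self.strikes = defaultdict(int)    # ip -> limit violations so far
        self.banned_until = {}             # ip -> time (s) at which the ban ends

    def count(self, ip, now):
        """Requests from `ip` in buckets that still overlap the window."""
        q = self.buckets[ip]
        while q and q[0][0] + BUCKET_S <= now - WINDOW_S:
            q.popleft()                    # bucket has slid fully out of the window
        return sum(c for _, c in q)

    def allow(self, ip, now):
        """Record one request at integer time `now`; return True if it is served."""
        if self.banned_until.get(ip, 0) > now:
            return False                   # active ban: reject without counting
        q = self.buckets[ip]
        start = now // BUCKET_S * BUCKET_S
        if q and q[-1][0] == start:
            q[-1][1] += 1
        else:
            q.append([start, 1])
        if self.count(ip, now) <= self.limit:
            return True
        # Assumption: each violation moves the IP one rung up the ladder
        # (the page says only "multiple times").
        rung = min(self.strikes[ip], len(BAN_LADDER_S) - 1)
        self.banned_until[ip] = now + BAN_LADDER_S[rung]
        self.strikes[ip] += 1
        return False


if __name__ == "__main__":
    lim = PerIpLimiter("hard")
    ip = "203.0.113.7"                     # constructed sample address
    served = sum(lim.allow(ip, 0) for _ in range(61))
    print(served, "served; banned until t =", lim.banned_until[ip])
```

In this sketch whole buckets expire at once, so a burst keeps counting against an IP for 120 to 130 seconds rather than exactly 120.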
4. IP Whitelists and Blacklists
Control access at the IP level with whitelists and blacklists.
Whitelist
Whitelisted IPs are added as managed firewall rules that set suspicion level to 0 (bypass all challenges). Use for monitoring tools, CI/CD pipelines, or trusted partners.
Blacklist
Blacklisted IPs are added as managed firewall rules that set suspicion level to 4 (blocked with 403 response). Use for known bad actors or repeat offenders.
- IPv4 addresses
- Configurable via dashboard protection settings
5. Country and ASN Blocking
Block traffic by geographic region or autonomous system.
- Country blocking: Block by ISO 3166-1 alpha-2 country code (e.g. CN, RU)
- ASN blocking: Block by ASN number (e.g. AS13335)
- Blocked requests get 403 response