ASTRA · SHIELD · v3.0.1
CAPTCHAs are
broken.
Every puzzle you force on a user is an apology for your security. We built what comes after — a five-tier protection system that is completely invisible to 95% of your traffic.
Behavioral scoring, cryptographic proof-of-work, and an adaptive model that learns your traffic. No puzzles. No friction. No apology.
- Detection signals
- 14
- Challenge types
- 11
- Attack vectors
- 20+
Five tiers.
One SDK.
The OOS (Out-of-Suspicion) score determines how much friction — if any — a visitor encounters.
14 signals.
0 cookies.
- Fingerprinting
- Canvas noise variance · WebGL GPU vendor + renderer · AudioContext hash · Font metrics · Navigator + hardware profile
- Behavioral
- Mouse velocity + entropy · Keyboard rhythm · Touch gesture patterns · Scroll deceleration · Signal-silence detection
- Infrastructure
- Headless browser probes · Automation framework detection · Datacenter / proxy IP · JA3 / JA4 TLS fingerprint · Header consistency scoring
- Threat detection
- Magecart / form skimmers · Keylogger + native-API tamper · Script injection & exfil · WebSocket C2 / beaconing · WASM cryptomining
New in v3
Trust the proof,
not the promise.
Passes you can verify
A challenge pass returns an HMAC-signed, proof-of-work attestation. Your backend verifies it — a faked client-side { passed: true } carries no valid signature.
Learns your traffic
A per-app anomaly model (Welford online stats) learns what normal looks like for your users. No global threshold. No retraining pipeline. Cold-start safe.
Every app defends the next
High-confidence blocks contribute anonymized subnet + JA4 signals to a shared blocklist. A bot caught on one Astra app is blocked across all of them.
SQLi, XSS, NoSQLi — decoded
Client + server input scanning that decodes URL and HTML-entity payloads before matching, closing the %3Cscript%3E bypass most filters miss.
Up in
five minutes.
Works with React, Vue, Angular, and vanilla JavaScript. Node.js ≥ 18 required server-side.
Published to npm as astra-shield. Apache-2.0 with Commons Clause.
# Option A — curl installer (macOS / Linux)
curl -fsSL https://astrasec.xyz/install.sh | sh
# Option B — npm global install
npm install -g astra-shield
# Add shield to your project
astra add
# Verify setup
astra doctor
# ESM import
import { ASTRAShield } from 'astra-shield';
const shield = new ASTRAShield({
endpoint: '/api/verify',
tier: { ghost: true }
});
shield.init();