Simon Willison's Weblog: captchas

Cloudflare CAPTCHA on at least one ampersand

2026-06-16T00:21:36+00:00

TIL: Cloudflare CAPTCHA on at least one ampersand

I'm using Cloudflare's CAPTCHA (they call it a "Web Application Firewall > Custom rules > Managed Challenge" these days) to prevent crawlers from aggresively spidering my faceted search engine on this site, but I got fed up of even simple ?q=term searches triggering the challenge.

After some mucking around with Claude Code it turns out you can register the following rule instead, so the CAPTCHA only kicks in for search URLs containing at least one ampersand:

(http.request.uri.path wildcard r"/search/*" and http.request.uri.query contains "&")

And now /search/?q=lemur works without triggering a CAPTCHA!

Also included: notes on trying out the Cloudflare MCP with Claude Code, though it turned out not to be able to edit the rules in question so I had Claude Code switch to the Cloudflare API instead.

Tags: captchas, cloudflare, model-context-protocol, claude-code

moot wins, Time Inc. loses

2009-04-29T11:13:40+00:00

moot wins, Time Inc. loses

The Time.com poll hack was more sophisticated than I first thought... Time implemented reCAPTCHA half way through the voting period, but the 4chan community fought back with a custom interface that crowdsourced the job of voting and let individuals submit up to 30 votes a minute.

Tags: 4chan, captchas, moot, onlinepolls, recaptcha, security, timedotcom, voting

OCR and Neural Nets in JavaScript

2009-01-25T00:00:28+00:00

OCR and Neural Nets in JavaScript

John dissects the brilliant Greasemonkey script that solves simple captchas using the canvas element and HTML5’s getImageData API.

Tags: canvas, captchas, getimagedata, greasemonkey, javascript, john-resig, ocr

Quoting Tim Anderson

2008-08-29T10:01:32+00:00

New authentication schemes such as OpenID, or Microsoft's CardSpace, may help as adoption increases. These systems make it possible to register for one site using credentials verified by another. Instead of having many sites with poor verification procedures, the internet could have a few sites with strong verification procedures, that are then used by others. The advantage for the user is that they no longer have to jump through multiple hoops for each new site they encounter.

— Tim Anderson, in the Guardian

Tags: captchas, cardspace, guardian, openid, security, tim-anderson

Integrating reCAPTCHA with Django

2008-03-19T09:41:37+00:00

Integrating reCAPTCHA with Django

Looks pretty straight forward.

Tags: captchas, django, python, recaptcha

The NHL's All-Star voting disaster

2007-01-19T09:50:17+00:00

The NHL's All-Star voting disaster

The NHL ran an online poll to decide which players are picked for their All-Star Game. The only authentication was a poorly implemented CAPTCHA. Unsurprisingly, it got gamed.

Tags: captchas, gaming, nhl, security, stupid

botbouncer.com

2006-12-19T18:01:50+00:00

botbouncer.com

Neat concept: a third party service for ensuring that an OpenID has passed a CAPTCHA.

Via JanRain Blog

Tags: captchas, janrain, openid

RSS CAPTCHA Prototype

2006-08-24T19:01:42+00:00

RSS CAPTCHA Prototype

Accessible captchas based on RSS feeds from friends’ sites.

Tags: captchas

Solving and creating captchas with free porn

2004-01-28T08:37:35+00:00

Solving and creating captchas with free porn

More spammer ingenuity

Tags: captchas, spammers