I built Anubis-inspired PoW bot protection for static sites — no server needed

Leaf_0223 — Sat, 07 Mar 2026 15:55:10 +0000

Anubis is great. If you haven't heard of it, it's a Proof-of-Work bot protection tool that forces every client — including headless browsers — to solve a CPU challenge before accessing your site. It's been blowing up lately, with major projects like GNOME and FFmpeg adopting it to fight AI scrapers.

There's just one problem: Anubis requires a reverse proxy. That means if your site is on Cloudflare Pages, Netlify, Vercel, or GitHub Pages, you simply can't use it.

I ran into this exact problem with my own blog. I wanted PoW protection, but I'm on Cloudflare Pages — no server, no reverse proxy, nothing. So I built Albireo.

How it works

Instead of a reverse proxy, Albireo runs entirely on edge functions:

Cloudflare Pages → Pages Functions (_middleware.ts)
Netlify → Netlify Edge Functions
Vercel → Next.js Middleware (middleware.ts)

When a request comes in, the edge function intercepts it and checks for a valid PoW token in the cookie. If there's no valid token, it serves a challenge page. The client solves the challenge using Web Workers (multi-threaded, so it's faster for real users), then gets a signed HMAC token and is redirected to the original page.

The whole thing is serverless — no database, no backend, no infrastructure to maintain.

What it protects against

To be honest about the limitations (as the README says): Albireo is designed to deter the vast majority of automated crawlers, especially bots scraping static content. It is not intended to defeat highly resourced or targeted scraping operations.

What it does stop well:

JS-less bots (they can't solve the challenge at all)
Headless browsers running at scale (PoW makes mass scraping expensive)
Basic scrapers that don't handle cookies

SEO bots (Google, Bing, etc.) are whitelisted by default, so your search rankings won't be affected.

Comparison

	Albireo	Anubis	Cloudflare Free	Cloudflare Pro+
Cost	Free	Free	Free	$20–200+/mo
Requires server	❌	✅	❌	❌
Works on Netlify	✅	❌	❌	❌
Works on Vercel	✅	❌	❌	❌
Proof-of-Work	✅	✅	❌	✅
Slows headless browsers	✅	✅	❌	✅
Open source	✅	✅	❌	❌

Cloudflare's free Bot Fight Mode relies on User-Agent and IP heuristics — easy to bypass. Albireo forces real computation regardless of how sophisticated the bot is.

Setup (Cloudflare Pages — 3 steps)

Copy the functions folder to your project root
Change SECRET_KEY in _middleware.ts to a random string
Push and deploy

That's it. If you don't have mascot images, it automatically falls back to emoji indicators (😐 / 😊 / ❌), so it works out of the box with zero assets.

Netlify and Vercel setups are equally simple — check the README for details.

Live demo

My blog is running Albireo right now: leaftechblog.cloudns.biz

First visit will show you the challenge page. Subsequent visits within the TTL window skip the challenge automatically.

GitHub: github.com/51511/Albireo