Active Hashcash

Protect your Rails application against bots and brute force attacks.

Hashcash is a proof-of-work algorithm invented by Adam Back in 1997 to protect systems against denial-of-service attacks. Active Hashcash is a Ruby gem that protects any Rails application against brute force attacks and bots.

The idea is to force clients to spend some time solving a complex problem that is very easy for the server to verify. We developed Active Hashcash after seeing brute-force attacks against our Rails application monitoring service.

Active Hashcash is ideal for sensitive forms such as login and registration. While the user fills out the form, the problem is solved in JavaScript, and the result is placed in a hidden text input. The form cannot be submitted until the proof of work has been found. Then, the user submits the form, and the stamp is verified by the controller in a before-action.

It blocks bots that do not interpret JavaScript, since they cannot compute the proof of work. It also slows down more sophisticated bots and brute-force attacks. Moreover, the complexity increases automatically for IP addresses sending many requests, making each attempt very CPU-costly for attackers.
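To make the client/server asymmetry concrete, here is an added example in plain Ruby, written for this page and not taken from the Active Hashcash gem. It follows the classic Hashcash v1 stamp layout (`ver:bits:date:resource:ext:rand:counter`, SHA-1 digest); the base-36 counter, the per-IP difficulty thresholds in `bits_for`, and the in-memory `seen` list for replay protection are assumptions of the example, not the gem's behaviour. The `mint` step is what the browser JavaScript does while the user types; `verify` is the single hash the before-action runs.

```ruby
require "digest"
require "securerandom"
require "date"

# Minimal Hashcash proof of work: expensive to mint, cheap to verify.
# Illustration only; this is not the active_hashcash gem's code.
module HashcashDemo
  VERSION = 1

  # Number of leading zero bits in a hex digest.
  def self.leading_zero_bits(hex)
    bits = 0
    hex.each_char do |c|
      nibble = c.to_i(16)
      if nibble.zero?
        bits += 4
      else
        bits += 4 - nibble.bit_length # zeros before the nibble's first 1 bit
        break
      end
    end
    bits
  end

  # Stamp text for one candidate counter (counter in base 36: an assumption).
  def self.stamp(bits, date, resource, rand, counter)
    [VERSION, bits, date, resource, "", rand, counter.to_s(36)].join(":")
  end

  # Client side: try counters until SHA-1(stamp) has at least `bits` leading zeros.
  # Expected work grows as 2**bits; this is the part done in the browser.
  def self.mint(resource, bits, date: Date.today.strftime("%y%m%d"), rand: SecureRandom.hex(8))
    counter = 0
    loop do
      candidate = stamp(bits, date, resource, rand, counter)
      return candidate if leading_zero_bits(Digest::SHA1.hexdigest(candidate)) >= bits
      counter += 1
    end
  end

  # Server side: one hash plus a few comparisons. Rejects malformed stamps,
  # stamps claiming fewer bits than required, wrong resource or date, stamps
  # that do not actually meet their claimed difficulty, and replays.
  def self.verify(stamp, resource:, min_bits:, seen:, today: Date.today.strftime("%y%m%d"))
    parts = stamp.split(":", 7)
    return false unless parts.size == 7 && parts[0].to_i == VERSION
    bits = parts[1].to_i
    return false if bits < min_bits
    return false unless parts[2] == today && parts[3] == resource
    return false unless leading_zero_bits(Digest::SHA1.hexdigest(stamp)) >= bits
    return false if seen.include?(stamp) # replay: the same stamp must not be accepted twice
    seen << stamp
    true
  end

  # Adaptive difficulty: required bits grow with the request count seen from an IP.
  # Base of 16 bits and a cap of +8 are constructed thresholds for this example.
  def self.bits_for(request_count)
    16 + [Math.log2([request_count, 1].max).floor, 8].min
  end
end

if __FILE__ == $PROGRAM_NAME
  seen = []
  bits = HashcashDemo.bits_for(1)          # a first-time visitor gets the base difficulty
  t0 = Process.clock_gettime(Process::CLOCK_MONOTONIC)
  stamp = HashcashDemo.mint("/login", bits)
  mint_ms = ((Process.clock_gettime(Process::CLOCK_MONOTONIC) - t0) * 1000).round
  t1 = Process.clock_gettime(Process::CLOCK_MONOTONIC)
  ok = HashcashDemo.verify(stamp, resource: "/login", min_bits: bits, seen: seen)
  verify_ms = ((Process.clock_gettime(Process::CLOCK_MONOTONIC) - t1) * 1000).round
  puts "stamp=#{stamp} valid=#{ok} mint=#{mint_ms}ms verify=#{verify_ms}ms"
  puts "replay accepted? #{HashcashDemo.verify(stamp, resource: '/login', min_bits: bits, seen: seen)}"
end
```

Run it as a script to see the asymmetry: minting at 16 bits takes tens of thousands of SHA-1 calls, verifying takes one. Raising `bits_for` by one bit for a noisy IP doubles the attacker's cost while the server's check stays constant, which is the property the paragraph above relies on. In a real deployment the `seen` set would live in a shared store and be bounded by the date field, so replays cannot be accepted and the store does not grow forever.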

Finally, legitimate users are not annoyed by being asked to solve a puzzle or to click on every image containing a bus.

More on GitHub

Find installation and configuration instructions, report an issue, contribute, and more…

RorVsWild monitors your Ruby on Rails applications.
