unmask

Self-hosted bot defense for nginx and Apache.

Say goodbye to 24/7 on-call: reclaim sysadmin quality of life from bot alerts.

Open source · Self-hosted · Go · Single binary

what it does

core features

01

New IP, same bot

A JA4 fingerprint is derived from the fields of the client's TLS ClientHello. It is tied to the tool doing the talking (curl / python / a headless chromium bot), not to the IP, country, VPN, or User-Agent, no matter how often those rotate.
unmask can ban by JA4, not just by IP. A botnet swapping IPs is stopped by a single verdict.

Defeats UA spoofing / IP rotation / botnet scale-out
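The following Go program is an added illustration of why a verdict keyed on the TLS fingerprint outlives IP rotation; it is not unmask's code. The verdict store, the trace of requests and the JA4 strings are all constructed for the example (the JA4 values only imitate JA4's layout), and the addresses come from the TEST-NET ranges.

```go
package main

import "fmt"

// Request carries the per-request facts the verdict needs. Values are constructed
// for this example; the JA4 strings are placeholders in JA4's layout, not real
// fingerprints of any tool.
type Request struct {
	IP  string
	UA  string
	JA4 string
}

// Verdict is the edge's decision for one request.
type Verdict int

const (
	Pass Verdict = iota
	Ban
)

// VerdictStore holds operator decisions keyed by JA4 fingerprint and, for
// comparison, by IP address.
type VerdictStore struct {
	byJA4 map[string]Verdict
	byIP  map[string]Verdict
}

func NewVerdictStore() *VerdictStore {
	return &VerdictStore{byJA4: map[string]Verdict{}, byIP: map[string]Verdict{}}
}

func (s *VerdictStore) BanJA4(ja4 string) { s.byJA4[ja4] = Ban }
func (s *VerdictStore) BanIP(ip string)   { s.byIP[ip] = Ban }

// Evaluate checks the fingerprint first, then the address; anything without a
// stored verdict passes on to the normal challenge flow.
func (s *VerdictStore) Evaluate(r Request) Verdict {
	if v, ok := s.byJA4[r.JA4]; ok {
		return v
	}
	if v, ok := s.byIP[r.IP]; ok {
		return v
	}
	return Pass
}

// Replay runs a trace through the store and counts the requests per verdict.
func Replay(s *VerdictStore, trace []Request) (banned, passed int) {
	for _, r := range trace {
		if s.Evaluate(r) == Ban {
			banned++
		} else {
			passed++
		}
	}
	return banned, passed
}

// Constructed trace: one tool (same JA4) rotating through five addresses and two
// User-Agents, plus a legitimate browser (different JA4) that happens to share the
// first address, as it would behind a carrier-grade NAT.
const botJA4 = "t13d0312h2_aaaaaaaaaaaa_bbbbbbbbbbbb"     // constructed placeholder
const browserJA4 = "t13d1516h2_cccccccccccc_dddddddddddd" // constructed placeholder

var Trace = []Request{
	{IP: "203.0.113.10", UA: "python-requests/2.31", JA4: botJA4},
	{IP: "203.0.113.11", UA: "python-requests/2.31", JA4: botJA4},
	{IP: "198.51.100.5", UA: "Mozilla/5.0 (Windows NT 10.0) Chrome/120.0", JA4: botJA4},
	{IP: "198.51.100.6", UA: "Mozilla/5.0 (Windows NT 10.0) Chrome/120.0", JA4: botJA4},
	{IP: "192.0.2.77", UA: "python-requests/2.31", JA4: botJA4},
	{IP: "203.0.113.10", UA: "Mozilla/5.0 (Macintosh) Safari/605.1.15", JA4: browserJA4},
}

// IPBanOutcome bans only the first address seen, the way a reactive IP block would.
func IPBanOutcome() (banned, passed int) {
	s := NewVerdictStore()
	s.BanIP("203.0.113.10")
	return Replay(s, Trace)
}

// JA4BanOutcome bans the tool's fingerprint once.
func JA4BanOutcome() (banned, passed int) {
	s := NewVerdictStore()
	s.BanJA4(botJA4)
	return Replay(s, Trace)
}

func main() {
	b, p := IPBanOutcome()
	fmt.Printf("IP ban:  %d banned, %d passed (one bot hit blocked, the shared-address browser blocked with it)\n", b, p)
	b, p = JA4BanOutcome()
	fmt.Printf("JA4 ban: %d banned, %d passed (every bot hit blocked, the browser untouched)\n", b, p)
}
```

Two things fall out of the replay: the IP ban stops one of the five bot hits and takes the innocent browser on the shared address down with it, while the single JA4 verdict stops all five and leaves the browser alone. The same fingerprint can be shared by many users of a popular client, so in practice the hunt UI's per-fingerprint traffic view is what tells you whether a JA4 ban is safe to apply.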

02

Native nginx speed

Already-passed clients (cookie holders on return visits) are verified inside the nginx worker itself — one in-process check, no subrequest, no extra hop. Effectively the throughput of plain nginx, so it can sit in front of a high-traffic site as-is.

Forward-auth mode covers Apache too

03

SEO-safe

Googlebot / Bingbot / GPTBot / ClaudeBot and other major search / AI crawlers are never blocked by default. Bypass on UA match OR official IP range match — whichever succeeds first (zero false-block on legit bots is the priority). 250+ patterns embedded.

Search-rank safety is the design priority · 1-click edit from the web UI
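As an added example (not unmask's own allowlist code), here is the "UA match OR published IP range, whichever succeeds first" rule in Go, next to a stricter variant that only trusts the address ranges. The patterns and ranges are constructed placeholders from the TEST-NET blocks, not any operator's real published ranges.

```go
package main

import (
	"fmt"
	"net/netip"
	"regexp"
)

// crawler is one allowlisted crawler: the User-Agent pattern its operator
// documents and the address ranges the operator publishes.
type crawler struct {
	name     string
	ua       *regexp.Regexp
	prefixes []netip.Prefix
}

// The address ranges below are constructed placeholders, not any operator's real
// published ranges; a deployment loads the real lists from the operators'
// published sources and refreshes them on a schedule.
var allowlist = []crawler{
	{
		name:     "googlebot",
		ua:       regexp.MustCompile(`(?i)\bGooglebot\b`),
		prefixes: []netip.Prefix{netip.MustParsePrefix("192.0.2.0/24")},
	},
	{
		name:     "bingbot",
		ua:       regexp.MustCompile(`(?i)\bbingbot\b`),
		prefixes: []netip.Prefix{netip.MustParsePrefix("198.51.100.0/25")},
	},
}

// Mode selects how the two signals combine.
type Mode int

const (
	// AnyOf: UA match OR range match, whichever succeeds first. Never blocks a real
	// crawler, at the cost of also passing a client that merely claims the crawler's UA.
	AnyOf Mode = iota
	// RequireRange: only the published address ranges count; the UA is ignored.
	// Stricter, but a stale range list can block a real crawler.
	RequireRange
)

// CrawlerBypass reports whether the request skips the challenge and which rule matched.
func CrawlerBypass(ua string, ip netip.Addr, mode Mode) (bool, string) {
	for _, c := range allowlist {
		if mode == AnyOf && c.ua.MatchString(ua) {
			return true, c.name + ":ua"
		}
		for _, p := range c.prefixes {
			if p.Contains(ip) {
				return true, c.name + ":ip"
			}
		}
	}
	return false, ""
}

func main() {
	// Constructed requests: a Googlebot UA from outside the placeholder range, an
	// unlabelled client from inside the Bingbot placeholder range, and one matching neither.
	cases := []struct{ ua, ip string }{
		{"Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)", "203.0.113.9"},
		{"curl/8.4.0", "198.51.100.77"},
		{"curl/8.4.0", "203.0.113.9"},
	}
	for _, mode := range []Mode{AnyOf, RequireRange} {
		for _, c := range cases {
			ok, why := CrawlerBypass(c.ua, netip.MustParseAddr(c.ip), mode)
			fmt.Printf("mode=%d ua=%q ip=%s bypass=%v rule=%q\n", mode, c.ua, c.ip, ok, why)
		}
	}
}
```

AnyOf is the zero-false-block default the page describes; RequireRange is the knob to reach for on a site where a spoofed crawler UA has been observed, with the understanding that the range list then has to be kept fresh.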

04

Fail open

If unmask stops, nginx keeps serving. Already-passed clients stay on the cookie fast path — and visitors who haven't passed yet skip PoW / CAPTCHA entirely and still get the page they asked for (the site behaves as if unmask wasn't installed). "Defense degrades, the site stays up" by default — no more entire-site outages from a bot-mitigation glitch.

Fail-open by default in both modes
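The Go program below is an added sketch of what fail-open means for the forward-auth path; it is not unmask's implementation. The verifier endpoint, the header names and the status-code mapping are assumptions, and the stub verifier is built in-process so the three outcomes (a verdict, a broken verifier, a verifier that is down) can be run offline.

```go
package main

import (
	"context"
	"fmt"
	"net/http"
	"net/http/httptest"
	"sync/atomic"
	"time"
)

// Decision is what the edge does with a request after consulting the verifier.
type Decision int

const (
	Allow         Decision = iota // verifier said 2xx: serve the page
	Challenge                     // verifier said 401: send PoW / CAPTCHA
	Deny                          // verifier said 403: banned fingerprint or IP
	AllowDegraded                 // no usable verdict: fail open, serve the page anyway
)

func (d Decision) String() string {
	return [...]string{"allow", "challenge", "deny", "allow-degraded"}[d]
}

// degraded counts fail-open decisions so a verifier outage shows up in metrics
// even though visitors never notice it.
var degraded int64

func DegradedCount() int64 { return atomic.LoadInt64(&degraded) }

// ForwardAuth asks a hypothetical forward-auth endpoint at verifierURL about one
// client and maps its answer to a Decision. Only a 2xx/401/403 answer is a
// verdict; a timeout, a transport error or a 5xx means "no verdict", and the edge
// serves the request instead of failing the whole site.
func ForwardAuth(ctx context.Context, client *http.Client, verifierURL, clientIP, ja4 string) Decision {
	ctx, cancel := context.WithTimeout(ctx, 200*time.Millisecond)
	defer cancel()
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, verifierURL, nil)
	if err != nil {
		atomic.AddInt64(&degraded, 1)
		return AllowDegraded
	}
	// Header names are constructed for the example, not unmask's real ones.
	req.Header.Set("X-Client-IP", clientIP)
	req.Header.Set("X-Client-JA4", ja4)
	resp, err := client.Do(req)
	if err != nil {
		atomic.AddInt64(&degraded, 1)
		return AllowDegraded
	}
	defer resp.Body.Close()
	switch {
	case resp.StatusCode >= 200 && resp.StatusCode < 300:
		return Allow
	case resp.StatusCode == http.StatusUnauthorized:
		return Challenge
	case resp.StatusCode == http.StatusForbidden:
		return Deny
	default:
		atomic.AddInt64(&degraded, 1)
		return AllowDegraded
	}
}

// verifierStub stands in for the verifier and answers with a fixed status.
func verifierStub(status int) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(status)
	}))
}

// Demo runs the three paths: a healthy verifier that bans, one answering 5xx,
// and one whose process is gone. Client facts are constructed placeholders.
func Demo() []Decision {
	ctx := context.Background()
	const ip, ja4 = "203.0.113.5", "t13d0312h2_aaaaaaaaaaaa_bbbbbbbbbbbb"
	var out []Decision

	up := verifierStub(http.StatusForbidden)
	out = append(out, ForwardAuth(ctx, up.Client(), up.URL, ip, ja4))

	broken := verifierStub(http.StatusBadGateway)
	out = append(out, ForwardAuth(ctx, broken.Client(), broken.URL, ip, ja4))
	broken.Close()

	up.Close() // verifier gone: the dial is refused and the request is served anyway
	out = append(out, ForwardAuth(ctx, up.Client(), up.URL, ip, ja4))
	return out
}

func main() {
	for i, d := range Demo() {
		fmt.Printf("path %d: %s\n", i+1, d)
	}
	fmt.Printf("degraded decisions: %d\n", DegradedCount())
}
```

The design choice worth keeping in view: fail-open trades protection for availability, so a verifier outage of any cause quietly removes the challenge step for new visitors. The degraded counter is what makes that visible; alert on it rising rather than discovering the gap from the access log.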

05

Sane web admin

One config file plus a web UI for everything. Dashboard shows 30-day charts / cookie pass rate / country / funnel. The hunt screen turns recent events into one-click BAN / verdict entries. No more 3 AM conf hand-edits.

06

Self-hosted, your data stays put

Everything runs on your boxes. Challenge verdicts / cookies / IPs / JA4s / event logs all stay inside your perimeter — no user behavior leaks to a third-party SaaS. No vendor lock-in. GDPR-friendly out of the box.

Zero external API calls · No third-party "data processor agreement" to draft

who and what it protects

use cases

01

Don't route all traffic through a SaaS just for bot defense

Mainstream bot defense is SaaS-shaped: every request runs through the vendor's plane, bringing privacy, cost, and the blast radius of vendor outages along with it. unmask drops a minimal config into your existing httpd — nothing sits in front, no vhost / SSL / log changes, zero external API calls.

For orgs that need data sovereignty, privacy, or an OSS-only policy (regulated industries, public sector, self-hosted ops). Install or uninstall in a few config lines.

02

Vulnerability scanners & automated attacks

Most scanners and exploit bots that rake over wp-login.php, .env, xmlrpc.php, and known-CVE paths are non-browser clients that don't run JS. unmask meets them at the edge with JA4-led, multi-layer detection plus PoW / CAPTCHA, turning the automated probing away up front.
Even as AI makes finding flaws and launching attacks cheaper and faster, keeping a cost on automated, high-volume access cuts the brute-force / scan / login attempts that ever reach your app — lowering breach and data-leak risk.

Mechanical path scans and brute-force, blocked per-fingerprint at the edge · one layer of defense-in-depth

03

Dine-and-dash bot defense

Dine-and-dash (scraper) bots make off with prices, inventory, listings, and articles while feasting on your CPU, bandwidth, and DB. unmask surfaces per-fingerprint traffic in the hunt UI, then 1-click bans the repeat offender. Decisions live on the fingerprint, not the IP, so rotation doesn't undo the verdict.

Stops data leakage and server load in one verdict. For sites with public-data assets (e-commerce / job boards / real-estate / media / public DBs / public APIs)