01
New IP, same bot
A JA4 fingerprint is a signature of the client, extracted from
the TLS handshake. It's tied to the attack tool (curl / python /
chromium-bot) — not to IP, country, VPN, or User-Agent, no matter
how much they rotate.
unmask can ban by JA4, not just by IP. A botnet
swapping IPs is stopped by a single verdict.
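
An added example (not unmask's own code or log format) of why one JA4 verdict covers a rotating botnet where an IP list does not. The event tuple layout, the thresholds and the JA4 strings are constructed for illustration; it only nominates fingerprints that never passed a challenge, because every client built on the same TLS stack shares a JA4.

```python
from collections import defaultdict

# Constructed JA4 values (real ones have the same a_b_c shape).
BROWSER_JA4 = "t13d1516h2_000000000001_000000000001"
BOT_JA4 = "t13d1812h1_000000000002_000000000002"
ONEOFF_JA4 = "t12d0508h1_000000000003_000000000003"

# Constructed events: (client_ip, ja4, passed_challenge). Assumed layout.
EVENTS = [
    ("198.51.100.7", BROWSER_JA4, True),
    ("198.51.100.9", BROWSER_JA4, True),
    ("198.51.100.23", BROWSER_JA4, True),
    ("203.0.113.10", BOT_JA4, False),
    ("203.0.113.11", BOT_JA4, False),
    ("203.0.113.12", BOT_JA4, False),
    ("192.0.2.44", BOT_JA4, False),
    ("192.0.2.80", ONEOFF_JA4, False),
]

def ja4_ban_candidates(events, min_ips=3):
    """JA4s seen from >= min_ips addresses that never passed a challenge."""
    ips, passes = defaultdict(set), defaultdict(int)
    for ip, ja4, ok in events:
        ips[ja4].add(ip)
        passes[ja4] += ok
    # A fingerprint with any pass is shared with real visitors: leave it alone.
    return sorted(j for j in ips if len(ips[j]) >= min_ips and passes[j] == 0)

def is_banned(ip, ja4, banned_ips, banned_ja4):
    """Verdict lookup: a hit on either key blocks the request."""
    return ip in banned_ips or ja4 in banned_ja4

def compare(events, new_request):
    """IP-keyed vs JA4-keyed ban lists against a request from an unseen IP."""
    banned_ja4 = set(ja4_ban_candidates(events))
    banned_ips = {ip for ip, ja4, _ in events if ja4 in banned_ja4}
    ip, ja4 = new_request
    return {
        "ip_entries": len(banned_ips),
        "ja4_entries": len(banned_ja4),
        "ip_list_blocks": is_banned(ip, ja4, banned_ips, set()),
        "ja4_list_blocks": is_banned(ip, ja4, set(), banned_ja4),
    }

if __name__ == "__main__":
    # Same tool, address never seen before.
    print(compare(EVENTS, ("192.0.2.200", BOT_JA4)))
```
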
02
Native nginx speed
Already-passed clients (cookie holders on return visits) are verified
inside the nginx worker itself — one in-process check, no subrequest,
no extra hop. Effectively the throughput of plain nginx,
so it can sit in front of a high-traffic site as-is.
03
SEO-safe
Googlebot / Bingbot / GPTBot / ClaudeBot and other major search /
AI crawlers are never blocked by default. Bypass on
UA match OR official IP range match — whichever
succeeds first (zero false blocks on legit bots is the priority).
250+ patterns embedded.
04
Fail open
If unmask stops, nginx keeps serving. Already-passed clients
stay on the cookie fast path — and visitors who haven't passed
yet skip PoW / CAPTCHA entirely and still get the page they asked
for (the site behaves as if unmask wasn't installed).
"Defense degrades, the site stays up" by default —
no more entire-site outages from a bot-mitigation glitch.
05
Sane web admin
One config file plus a web UI for everything. Dashboard shows
30-day charts / cookie pass rate / country / funnel. The hunt
screen turns recent events into one-click BAN / verdict entries.
No more 3 AM conf hand-edits.
06
Self-hosted, your data stays put
Everything runs on your boxes. Challenge verdicts / cookies / IPs /
JA4s / event logs all stay inside your perimeter — no user
behavior leaks to a third-party SaaS. No vendor lock-in.
GDPR-friendly out of the box.