Browser Signal Hardening & CAPTCHA Trust Improvements​

Improved browser coherence checks​

• WebDriver and automation artefact detection
• User-Agent and Client Hints consistency checks
• Platform, screen, touch, and hardware profile consistency checks
• Language, timezone, and country plausibility checks
• Resource loading and rendering profile checks
• Cookie capability consistency checks

Safer scoring behaviour​

Improved metadata handling​

Fixed CAPTCHA trust-window behaviour​

Improved logging and observability​

No admin action required​

Redirect, Collector Hardening & Verification Flow Improvements​

Fixed post-CAPTCHA return behaviour​

Improved trusted crawler handling​

Collector proof and replay hardening​

Suspicion-triggered browser re-collection​

• User-Agent family changes
• Country changes
• ASN changes where available
• Stale collector metadata
• Suspicious route families
• Collector metadata missing despite an existing visitor fingerprint
• Fingerprint/session relationship inconsistencies

Conservative route-family scoring​

• Search pages
• Find-new / what’s-new style pages
• Member list and profile enumeration
• Deep pagination
• Repeated listing or index traversal

Safer hash-secret behaviour​

Explicit cookie attributes​

Improved Current visitors activity​

Improved logging and observability​

• CAPTCHA return URL restored or safely discarded
• Known crawler decision-layer allow overrides
• Collector proof validation failures
• Browser re-collection requests
• Route-family risk modifiers
• Hash secret / global salt configuration issues

Internal sanity and health-check tooling​

No admin action required​

XF Bot Guard 1.0.6 — First Stable Release & Production Hardening​

• Reducing event log noise
• Separating operational counters from audit logs
• Improving hot-path performance
• Adding clearer admin health/status visibility
• Improving cleanup and retention behaviour
• Keeping defaults conservative for stable production use

First stable release​

Operational counters are now separate from audit logs​

Reduced event log pressure​

• Challenge required events
• CAPTCHA pass/fail events
• CAPTCHA rate limiting
• Known crawler allow decisions
• Collector failure events
• Collector nonce/proof failures
• Hash secret or collector hash configuration problems
• Browser re-collection requests
• Error-route activity

Optional allow-event sampling​

Hot-path performance hardening​

Counter cleanup and retention​

New ACP health/status page​

• Bot Guard enabled/disabled state
• JavaScript collector status
• XenForo CAPTCHA configuration
• PAGE_CONTAINER template modification status
• Bundled Bot Guard JavaScript asset presence
• Bundled FingerprintJS asset presence
• Audit logging status
• Low-value audit logging status
• Allow-event sample rate
• Event, visitor, and session retention settings
• Known crawler trust status
• Known crawler origin-lockdown acknowledgement
• Approximate event table size
• Approximate counter table size
• Hash secret / XenForo global salt availability

Known crawler origin-lockdown warning​

Decision timing metadata​

Stable defaults review​

• Bot Guard remains disabled by default
• Guest-only protection remains the default scope
• Challenge methods remain conservative
• Known crawler trust remains disabled by default
• Hard deny remains disabled by default
• AJAX exclusion remains enabled by default
• Strict no-browser/no-grace behaviour remains enabled
• Bootstrap allow behaviour remains enabled
• Important audit logging remains enabled
• Low-value allow-row logging is disabled by default

Database schema change​

Recommended admin review after upgrade​

Summary​

• Improved handling of the interstitial browser-validation collect request so it is processed earlier in the XenForo request lifecycle.
• Added a small client-side breathing-space delay before the interstitial collect request is sent.
• Added automatic back-off and retry handling if the interstitial collect request temporarily fails.
• Added a fallback path: if the interstitial collect still cannot complete after retries, the visitor is redirected to the full XF Bot Guard challenge page instead of being left stuck on the validating screen.
• Ensured XF Bot Guard’s own challenge route is never served through the lightweight interstitial flow.
• Added clearer AJAX/JSON request handling for the collector request.

/js/zee/botguard/botguard.js

• Loads Bot Guard’s main JavaScript directly instead of through XenForo’s normal JS include/combiner path.
• Adds version-based cache busting to Bot Guard’s JavaScript and bundled fingerprinting script.
• Helps Cloudflare, CDN, browser, and JavaScript-combiner caches pick up the latest Bot Guard files more reliably after an update.
• Keeps the script base path unversioned internally so dynamically loaded assets continue resolving correctly.

• Added reverse-DNS hosting and datacentre detection for public IP addresses.
• Added a new hosting/datacentre reverse-DNS score option, enabled by default.
• Added a new reverse-DNS cache table so confirmed hosting/datacentre results can be reused without repeated DNS lookups.
• Added support for detecting many common hosting, cloud, VPS, proxy, and datacentre networks by confirmed reverse-DNS patterns.
• Improved handling of visitors coming from confirmed hosting/datacentre networks so they can be scored more accurately before the final allow/challenge decision is made.
• Added new Health Check entries for reverse-DNS hosting detection, including cache status, confirmed matches, resolver errors, and stale pending lookups.
• Improved compatibility with the Known Bots add-on when XF Bot Guard is managing online visitor and challenge statistics.
• When XF Bot Guard’s online-count adjustment is enabled, XF Bot Guard now suppresses overlapping public robot statistics from Known Bots so visitor counts are not double-handled or misrepresented.
• Added ongoing compatibility enforcement for Known Bots during install, upgrade, online-count calculation, and scheduled cleanup.
• Added compatibility detection for DigitalPoint Cloudflare guest page caching.
• Added a new option to disable incompatible DigitalPoint Cloudflare guest page caching when XF Bot Guard is active.
• Added a Health Check warning when DigitalPoint Cloudflare guest page caching is enabled in a way that may bypass XF Bot Guard validation.
• Added a Health Check action button to disable the incompatible DigitalPoint Cloudflare guest page cache configuration directly from the XF Bot Guard health page.
• Added public HTML cache-header hardening when DigitalPoint Cloudflare compatibility protection is enabled.
• Improved Members Online template modification compatibility.

• Added a new protected-response cache shield for XF Bot Guard routes, challenge pages, browser-validation pages, collection endpoints, redirects, and protected public HTML responses.
• Expanded cache-header hardening beyond the previous DigitalPoint Cloudflare-specific compatibility handling.
• XF Bot Guard now sends stronger no-store/no-cache headers for protected responses, including headers intended for browsers, proxies, CDNs, LiteSpeed, NGINX, Cloudflare, surrogate caches, and other shared cache layers.
• Added a new Health Check probe that can test whether protected pages or XF Bot Guard routes appear to be served from a shared or full-page cache.
• Added Health Check reporting for common cache indicators such as Cloudflare, LiteSpeed, Varnish, proxy cache, FastCGI cache, NGINX cache, CDN cache, and other shared-cache headers.
• Added a Health Check action to refresh the shared full-page cache probe.
• Added clearer Health Check warnings when a server, CDN, proxy, or optimisation layer may be caching protected HTML in a way that can bypass XF Bot Guard.
• Added reverse-DNS and forward-DNS verification for additional legitimate crawlers that are not always covered by official published IP range data.
• Added verified crawler support for Yandex, Qwant, Seznam, and Applebot-style reverse-DNS verification.
• Added a new trusted crawler reverse-DNS domains option, allowing site owners to trust additional crawler domains when reverse DNS and forward DNS both confirm the request IP.
• Improved verified crawler logging so XF Bot Guard records whether a crawler was trusted by official IP range data or by confirmed reverse-DNS verification.
• Improved robot/activity classification so reverse-DNS verified crawlers can be represented more accurately in XenForo's online activity systems.
• Added dynamic robot definitions for custom trusted reverse-DNS crawler domains.
• Improved RSS, Atom, and feed request handling so feed clients are not redirected to interactive browser validation or CAPTCHA pages.
• Feed requests can now be allowed, scored, or quietly denied depending on trust status and risk, rather than being handled like normal browser page views.
• Added empty 403 responses for denied non-interactive feed requests.
• Added browser-validation page customisation options for the page title, heading, and message.
• Added safe text handling for browser-validation page customisation, including escaping, length limits, and line-break support for the message.
• Added an option to retain browser-validation allow logs without needing to enable all low-value event logging.
• Added self-server IP detection so XF Bot Guard can recognise its own server-side health-check and XenForo unfurl requests and avoid treating them like normal visitors.
• Added storage and cleanup for self-server IP detection data.
• Added storage and cleanup for reverse-DNS crawler verification results.
• Improved protection policy handling by centralising route, scope, static asset, AJAX, excluded IP, protected-area, and cache-shield decisions.
• Improved handling of failed browser-validation interstitial generation by falling back to the normal challenge flow instead of leaving the request in an unclear state.
• Improved online visitor handling by suppressing anonymous HEAD request activity updates when XF Bot Guard's online-count adjustment is enabled.
• Added an admin navigation entry for XF Bot Guard logs under the XenForo logs area.
• Added install and upgrade repair logic to ensure the XF Bot Guard admin navigation entry is present.
• Improved option parsing for textbox-style lists by allowing blank lines and comments.
• Updated Health Check wording and option explanations to better describe cache protection and verified crawler handling.

• Added optional Cloudflare Edge Enforcement, allowing XF Bot Guard to escalate repeat high-confidence abusive IPs to Cloudflare.
• Added automatic Cloudflare IP list and WAF rule management, so repeat offenders can receive a Cloudflare Managed Challenge before reaching XenForo.
• Added local edge-candidate tracking so XF Bot Guard can identify, score, expire, and sync abusive IPs safely.
• Added dry-run mode, enabled by default, so site owners can review what would be synced before XF Bot Guard writes anything to Cloudflare.
• Added safety protections to avoid promoting staff, logged-in users, verified crawlers, excluded IPs, private/internal IPs, and manually protected IPs.
• Added Cloudflare setup, connection testing, health checks, manual sync, sync logs, candidate review, repair, and disable tools in the Admin Control Panel.
• Added encrypted storage for the Cloudflare API token.
• Added a manual never-export list for IPs that should not be synced to Cloudflare.
• Updated FingerprintJS from 5.1.0 to 5.2.0.

Bot or abusive client
-> Cloudflare
-> XenForo / PHP / database
-> XF Bot Guard detects, challenges, denies, or logs

Bot or abusive client
-> Cloudflare Managed Challenge
-> usually never reaches XenForo

• staff members;
• logged-in users;
• verified crawlers;
• private, reserved, or internal IP ranges;
• IPs excluded from XF Bot Guard handling;
• IPs added to the never-export list.

(ip.src in $xf_bot_guard_edge_ips and not cf.client.bot)

managed_challenge

1. Upgrade XF Bot Guard to 1.2.0.
2. Review your privacy policy before enabling raw IP storage.
3. In the Admin Control Panel, go to Add-ons.
4. Open XF Bot Guard -> Cloudflare Edge Enforcement.
5. Open Setup using the top-right button.
6. Enable raw IP storage.
7. Enable Cloudflare Edge Enforcement.
8. Leave Dry-run mode enabled for now.
9. In a new browser tab, log in to Cloudflare.
10. Copy your Cloudflare Account ID and Cloudflare Zone ID into the XF Bot Guard setup page. Cloudflare documentation: Find account and zone IDs
11. Back in the XF Bot Guard setup page, click Create Cloudflare API token.
12. Create the Cloudflare API token using the pre-filled permissions.
13. Copy the Cloudflare API token into the XF Bot Guard setup page.
14. Press Save.
15. After saving, scroll down and click Set up Cloudflare automatically.
16. Return to the Cloudflare Edge Enforcement overview.
17. Click Sync now.
18. Review the health checks.
19. Periodically open Candidates to review what XF Bot Guard would sync while dry-run mode is still enabled.
20. Once you are happy with what Cloudflare Edge Enforcement would have enforced, go back to Setup and disable dry-run mode.
21. Run Sync now again, or allow the cron to perform the next sync automatically.

• Improves the layout and styling of XF Bot Guard ACP pages.
• Adds cleaner spacing, padding, button alignment, and table handling across the admin interface.
• Improves wide data tables so long values, dates, paths, JSON, hashes, and error messages are better contained.
• Improves filter panels so fields are easier to read and take up less unnecessary vertical space.
• Improves event detail and Edge candidate detail pages with cleaner code block and metadata presentation.
• Improves health check/status display readability.
• Adds a small optional support/development contribution prompt in the relevant XF Bot Guard admin pages.
• Does not change public-facing challenge behaviour or bot detection logic.

• what protected traffic Bot Guard saw;
• what was handled before CAPTCHA;
• what reached the CAPTCHA;
• what passed, failed, or never completed the challenge;
• why sessions were considered suspicious;
• which routes are under pressure;
• what crawlers and edge systems are doing;
• whether the underlying telemetry and cleanup systems look healthy.

• Added a new single-page visual Dashboard for XF Bot Guard.
• Added dashboard charts using locally bundled Apache ECharts.
• Added a clear overview section showing protected activity, challenged sessions, no CAPTCHA result sessions, CAPTCHA passes, current trusted sessions, crawler activity, and edge candidate/block counts.
• Added a traffic journey funnel showing the path from protected request through browser proof, risk checks, CAPTCHA challenge, CAPTCHA outcome, temporary trust, and rechallenge behaviour.
• Added challenge outcome reporting, including pass-only, fail-only, fail-then-pass, pending challenge, and no CAPTCHA result sessions.
• Added counter-based pressure trend charts for challenge/pass/fail activity.
• Added interstitial and browser validation reporting so site owners can see what is being handled before CAPTCHA.
• Added risk signal reporting, including top reason codes and risk score distribution.
• Added route pressure reporting to show which areas of the forum are attracting the most suspicious challenge activity.
• Added CAPTCHA trust-window reporting, including current trusted sessions and rechallenge behaviour after trust expiry.
• Added crawler health visibility, including known and verified crawler activity.
• Added Cloudflare Edge Enforcement visibility to the dashboard where the edge feature is available.
• Added system health and telemetry availability reporting.
• Added raw drill-down links from the dashboard back into the existing event log.
• Added configurable counter retention via the new Counter retention hours option.
• Changed counter cleanup so it now respects the configured counter retention option instead of always pruning after 48 hours.
• Improved handling of malformed requests with no User-Agent header so collector-token unavailability is handled cleanly without noisy server error logging.
• Improved dashboard table scrolling, chart spacing, chart expansion, and admin-page usability.

• how much protected traffic is being seen;
• how much suspicious traffic is reaching challenge logic;
• how much is failing or disappearing before completing CAPTCHA;
• which requests are likely automated, abandoned, or incompatible;
• which routes are attracting suspicious activity;
• which risk signals are causing challenges;
• whether crawlers and Cloudflare Edge Enforcement are behaving as expected;
• whether your telemetry is complete enough for each report.

• No CAPTCHA result
• Pending challenge
• Temporary trust window
• Maximum possible false-positive ceiling
• CAPTCHA pass is not a human verdict

• Normal upgrade: preserves existing Bot Guard history, events, counters, sessions, visitors, and telemetry, but may take longer on large forums.
• Clean install: write down your Bot Guard configuration, uninstall/delete Bot Guard, install 1.2.3 fresh, then re-enter your configuration. This avoids migrating old Bot Guard telemetry, but historical Bot Guard data will be lost.

720 hours
= 30 days

shorter raw data retention
+ longer dashboard snapshot retention
= useful long-term visibility without unnecessary raw database growth

• the dashboard now has its own long-term snapshot data;
• raw event/session/visitor/counter data can be retained for a shorter period;
• longer-term dashboard reporting can still remain available;
• cleanup now works in safer batches;
• several internal hash fields are migrated to more compact binary storage;
• large forums get a more sustainable path forward, but should choose their upgrade path carefully.