ASTRA · SHIELD · v3.0.1

CAPTCHAs are
broken.

Every puzzle you force on a user is an apology for your security. We built what comes after — a five-tier protection system that is completely invisible to 95% of your traffic.

Behavioral scoring, cryptographic proof-of-work, and an adaptive model that learns your traffic. No puzzles. No friction. No apology.

Detection signals
14
Challenge types
11
Attack vectors
20+

Five tiers.
One SDK.

The OOS (Out-of-Suspicion) score determines how much friction — if any — a visitor encounters.

T0 Ghost OOS 0.0 – 1.5
Invisible. Passive behavioral analysis only. ~95% of traffic.
T1 Whisper OOS 1.5 – 2.0
100 – 200ms micro-delay. Imperceptible to humans.
T2 Nudge OOS 2.0 – 2.5
2 – 5 second gesture challenge. Quick, native.
T3 Pause OOS 2.5 – 3.0
10-second multi-step verification.
T4 Gate OOS 3.0+
Manual review. Suspected bots only.

14 signals.
0 cookies.

Fingerprinting
Canvas noise variance · WebGL GPU vendor + renderer · AudioContext hash · Font metrics · Navigator + hardware profile
Behavioral
Mouse velocity + entropy · Keyboard rhythm · Touch gesture patterns · Scroll deceleration · Signal-silence detection
Infrastructure
Headless browser probes · Automation framework detection · Datacenter / proxy IP · JA3 / JA4 TLS fingerprint · Header consistency scoring
Threat detection
Magecart / form skimmers · Keylogger + native-API tamper · Script injection & exfil · WebSocket C2 / beaconing · WASM cryptomining

New in v3

Trust the proof,
not the promise.

PoW Attestation

Passes you can verify

A challenge pass returns an HMAC-signed, proof-of-work attestation. Your backend verifies it — a faked client-side { passed: true } carries no valid signature.

Adaptive model

Learns your traffic

A per-app anomaly model (Welford online stats) learns what normal looks like for your users. No global threshold. No retraining pipeline. Cold-start safe.

Threat intel

Every app defends the next

High-confidence blocks contribute anonymized subnet + JA4 signals to a shared blocklist. A bot caught on one Astra app is blocked across all of them.

InputGuard WAF

SQLi, XSS, NoSQLi — decoded

Client + server input scanning that decodes URL and HTML-entity payloads before matching, closing the %3Cscript%3E bypass most filters miss.

Up in
five minutes.

Works with React, Vue, Angular, and vanilla JavaScript. Node.js ≥ 18 required server-side.

Published to npm as astra-shield. Apache-2.0 with Commons Clause.

# Option A — curl installer (macOS / Linux)
curl -fsSL https://astrasec.xyz/install.sh | sh

# Option B — npm global install
npm install -g astra-shield

# Add shield to your project
astra add

# Verify setup
astra doctor

# ESM import
import { ASTRAShield } from 'astra-shield';

const shield = new ASTRAShield({
  endpoint: '/api/verify',
  tier: { ghost: true }
});

shield.init();

Stop apologising
for your security.

npm install -g astra-shield