Header Entropy
Client HTTP headers are used to help identify unique devices through EDK identifiers and contribute to the client’s threat score (risk and penalty). Starting with ALTCHA Sentinel version 1.31.0, Sentinel tracks distinct combinations of HTTP headers and evaluates the commonality of provided User-Agent values to help mitigate abuse.
Key Capabilities
- Tracks device-provided HTTP headers to detect spoofing and abusive behavior.
- Scores User-Agent commonality using an automatically updated database of known identifiers.
Tracking Header Entropy
ALTCHA Sentinel tracks and limits the number of unique HTTP header combinations sent by a device per IP address. This helps mitigate abuse techniques that rely on rotating headers to bypass protection by impersonating different devices.
Enabling Header Entropy Tracking
This feature is automatically enabled when using Autopilot. By default, Autopilot applies a limit of 10/4h, allowing up to 10 distinct header combinations within a 4-hour period per IP address.
To enable this feature without Autopilot, configure the Security Group rule headerEntropyLimit with a rate limiter value. This value specifies how many distinct header combinations are allowed within a given time interval. When the limit is exceeded, the client receives an HTTP 429 Too Many Requests response.
Security Group rules:
[
  {
    "action": "set",
    "conditions": [],
    "set": [
      {
        "field": "headerEntropyLimit",
        "value": "10/4h"
      }
    ]
  }
]

By default, Sentinel stores up to 100 distinct header combinations per IP address to limit storage usage. This limit can be adjusted using the HEADER_ENTROPY_MAX_ENTRIES environment variable. Rate limiter values greater than the configured storage limit will never be triggered.
Risk and Penalty
By default, each newly observed header profile increases the internal risk and penalty score by 1. This raises proof-of-work complexity and may activate additional protection layers, such as the Adaptive CAPTCHA, when Autopilot is enabled.
You can adjust this behavior using the Security Group rule headerEntropyRiskFactor, which accepts a decimal value between 0.0 and 10.0 (default: 1.0).
Tracked Headers
Header entropy is calculated using the following device-identifying headers:
- Accept-Language
- Sec-CH-UA
- Sec-CH-UA-Mobile
- Sec-CH-UA-Platform
- User-Agent
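The following model of the header entropy limit is an added illustration, not ALTCHA Sentinel's own code. It shows how a 10/4h limit reacts to rotating headers from one IP address and why a limit above the storage cap never fires. Assumptions: the SHA-256 fingerprint, entries aging out by first-seen time, every request being rejected while the IP is over the limit, and the interval suffixes other than `h`.

```python
import hashlib
from collections import defaultdict

# The five tracked headers listed on this page, lower-cased for lookup.
TRACKED = ("accept-language", "sec-ch-ua", "sec-ch-ua-mobile",
           "sec-ch-ua-platform", "user-agent")
UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}  # only "h" appears on the page

def parse_limit(value):
    """Split a rate limiter value such as '10/4h' into (count, seconds)."""
    count, _, interval = value.partition("/")
    return int(count), int(interval[:-1]) * UNITS[interval[-1]]

def profile(headers):
    """Fingerprint one combination of tracked headers (hash choice is an assumption)."""
    lower = {k.lower(): v.strip() for k, v in headers.items()}
    joined = "\n".join(lower.get(name, "") for name in TRACKED)
    return hashlib.sha256(joined.encode()).hexdigest()

class HeaderEntropyModel:
    """Illustrative model of headerEntropyLimit plus the per-IP storage cap."""

    def __init__(self, limit="10/4h", max_entries=100):
        self.max_count, self.window = parse_limit(limit)
        self.max_entries = max_entries          # models HEADER_ENTROPY_MAX_ENTRIES
        self.seen = defaultdict(dict)           # ip -> {profile: first_seen}

    def check(self, ip, headers, now):
        """Return the HTTP status this model would give the request at time `now`."""
        entries = self.seen[ip]
        for key in [k for k, ts in entries.items() if now - ts >= self.window]:
            del entries[key]                    # assumed: entries age out of the window
        key = profile(headers)
        if key not in entries and len(entries) < self.max_entries:
            entries[key] = now                  # storage cap: nothing stored past it
        return 429 if len(entries) > self.max_count else 200

def replay(model, ip, user_agents, start=0):
    """Feed constructed requests (one per second) and collect the statuses."""
    return [model.check(ip, {"User-Agent": ua}, start + i)
            for i, ua in enumerate(user_agents)]

if __name__ == "__main__":
    rotating = [f"ExampleBrowser/{n}.0" for n in range(12)]   # constructed sample
    print(replay(HeaderEntropyModel("10/4h"), "203.0.113.7", rotating))
    # A limit above the storage cap can never fire, as the page warns:
    many = [f"ExampleBrowser/{n}.0" for n in range(200)]
    print(429 in replay(HeaderEntropyModel("150/4h", max_entries=100), "203.0.113.7", many))
```

Replaying your own access logs through a model like this before enabling the rule shows which legitimate clients (shared NAT addresses, for example) would exceed a candidate limit.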
User-Agent Commonality
To distinguish real-world devices from bots and randomly generated User-Agent strings, Sentinel uses a list of commonly observed User-Agents. By default, this list is provided by intoli/user-agents, although a custom list can also be configured (see Data Sources).
The default dataset contains more than 6,000 distinct User-Agent strings. If the client’s User-Agent is present in the dataset, a commonality score greater than 0.0 is assigned based on the popularity of the browser and platform. If the User-Agent is uncommon or appears randomly generated, the commonality score is 0, indicating a higher likelihood of automated traffic.
User-Agent commonality scoring is always enabled. When Autopilot is enabled, uncommon User-Agents receive an additional risk penalty, which increases proof-of-work complexity and may trigger other protection mechanisms.