reForge Captcha proudly releases reForge CAPTCHA v3.0.0 — a complete rebuild focused on bypass protection, full browser fingerprinting, and false positive elimination.

March 2026 marks the most significant update to our bot detection system yet.

Overview

Three major development rounds transformed the widget and token generation:

1. Bypass protection — Made automation impossible

2. Full browser fingerprinting — Comprehensive bot signals

3. Risk engine rebuild — Eliminated false positives while catching sophisticated bots

Result: Legitimate users pass easily. Bots fail consistently.

Round 1: Bypass Protection

Widget Changes

• Mouse movement tracking: Records up to 50 x/y coordinates from page load

• Honeypot checkbox: Invisible trap for programmatic input enumeration

• Timing guards: Minimum 600ms + 3 mouse movements before API call

• Invisible widget fixed: Proper useCapture: true submit blocking

• Managed widget fixed: Correct spinner state during score request

• All widgets now generate tokens reliably on interaction

Token Generation

• Rewritten risk scoring: Starts neutral, applies meaningful penalties

• Mouse movement penalty: -0.40 for zero movements

• Page time penalty: -0.30 (<200ms), -0.15 (<800ms)

• Expanded UA blacklisting: Puppeteer, Playwright, Go-http, more

• Screen dimensions check: Zero width/height penalized

• Rate limiting: Max 30 attempts/IP/10min — logged and blocked

Round 2: Full Browser Fingerprinting

Widget Fingerprinting

New collectBrowserFingerprint() function sends comprehensive signals:

Automation globals detected:
navigator.webdriver, window.callPhantom, __nightmare, __selenium_unwrapped, domAutomation, _Selenium_IDE_Recorder, __webdriver_script_fn, awesomium, __playwright, puppeteer_evaluation_script, __agentql, __stagehand, __browseruse

Headless Chrome signals:

• Zero plugins/mimeTypes

• Zero outerWidth/outerHeight

• Chrome without chrome.runtime

Rendering checks:

• WebGL: SwiftShader (ss), LLVMpipe (ll), VirtualBox (vb), VMware (vm)

• Canvas fingerprint: Blank/disabled canvas (cb)

• AudioContext: Missing (nac)

• Languages: Empty list (nla)

• Hardware concurrency: ≤1 (lhc)

• Touch/pointer mismatch (tpm)

Hard blocks (immediate rejection): All automation flags + nod/ss/ll flags

Server-Side Enhancements

• AI crawler UAs: GPTBot, ClaudeBot, PerplexityBot, etc.

• IP reputation: Recent failure rate penalties (-0.35/70%, -0.15/40%)

• No tokens for failed requests

Round 3: False Positive Elimination

Complete scoring redesign:

New base score: 0.50 (neutral) — users earn upward through positive signals

Positive Trust Signals (Bot-Proof)

• Mouse movement: +0.20 (50+), +0.15 (20+), +0.10 (5+), +0.03 (1+)

• Mouse entropy: +0.10 (>0.4), +0.05 (>0.15)

• Page time: +0.12 (4s+), +0.08 (1.5s+), +0.04 (600ms+)

• Scroll events: +0.08 (5+), +0.04 (any)

• Keystroke rhythm: +0.05 (>20ms stddev)

• Mouse speed variance: +0.05 (>0.05 stddev)

• Chrome.runtime: +0.05

Smart Flag System (Fixed False Positives)

Stacked penalty model (not individual):

• 1-2 flags: No penalty

• 2-3 flags: -0.05

• 4-5 flags: -0.15

• 6+ flags: -0.35

Result Thresholds

Score 0.00-0.29: FAILED (no token) Score 0.30-0.49: SUSPICIOUS (token + challenge escalation) Score 0.50-1.00: PASSED (token issued)

Impact

Bots: Near-100% detection rate
Real users: Dramatically reduced false positives
reForge Captcha: Now enterprise-grade risk engine

Available now on:
reforgecaptcha.cloud

— reForge Captcha Team