ESA rolled out a free AI-powered CAPTCHA that uses a standalone verification page to produce signed verification parameters after a human check. Builders deploy it by serving a dedicated captcha.
ESA has released a free AI-powered CAPTCHA that defends website pages and APIs by routing visitors to a standalone human — verification page that issues signed verification parameters on success. The feature matters because the signed tokens serve as proof of human interaction that backends or protected pages must accept before granting access, blocking unauthenticated requests and limiting what automated scrapers can retrieve.
In the example provided, the flow uses two resources: a standalone captcha.html (the verification page) and a protected page named medici — capital.html. A typical visit to the site (example test URL: https://medicicapital.top) triggers ESA rewrite rules that redirect the user to captcha.html. After the user completes verification, captcha.html automatically redirects back to medici — capital.html while carrying the signed verification parameters. Direct requests to the protected page without those parameters return a 403 error.
Configuration requires operators to map a signature — verification API to the actual access page or API endpoint and to copy the SceneId and identity prefix values into the CAPTCHA code. The guidance also instructs administrators to add a rewrite rule so that index or empty — site requests load the standalone captcha.html, and to include both HTTPS and HTTP variants if their deployment requires it.
For builders, ESA provides a ready — to-use captcha.html you can copy and edit by replacing three placeholders: SceneId, identity prefix, and the post-verification target URL. That design keeps vendor logic off protected pages: the standalone CAPTCHA is the default landing page and hands off a verified signature on success rather than injecting vendor scripts directly into the business page.
SEA frames the approach as a countermeasure to increasingly capable AI scraping. By exposing only the CAPTCHA UI as the default landing content, automated crawlers can at most scrape the verification interface instead of the protected business page; the signed parameters in the redirect act as the backend — checked proof of human verification before access is granted.
Operational notes in the post emphasize that the feature is offered free on ESA and call out region — specific server names. When region is 'cn' operators should use captcha — esa-open.aliyuncs.com and captcha — esa-open-b.aliyuncs.com; sgp deployments should swap to the Singapore — based domains. The blog also notes you can customize the CAPTCHA frontend (the author suggests using AI to change styles) and replace medici — capital.html with your own protected page.
Sources
Replies (0)
No replies in this topic yet.
