What is Anubis?
Anubis is a Web AI Firewall Utility that protects websites from AI scraper bots using SHA-256 proof-of-work challenges. It acts as a reverse proxy between your users and your application, weighing the soul of each connection to ensure legitimate traffic reaches your backend. Built in Go, Anubis is lightweight and designed to help protect the small internet from the endless storm of AI scraper requests that flood in from AI companies.
- SHA-256 proof-of-work: Client-side computational challenges that are expensive for bots but transparent for browsers
- Policy-based detection: Flexible YAML policies to identify and handle bots using user agents, paths, headers, and CEL expressions
- JWT authentication: Secure token-based session management with ED25519 or HS512 signing
- Multiple storage backends: In-memory, bbolt, Valkey, or S3-compatible storage for challenge state
- Thoth integration: Optional IP reputation database for GeoIP and ASN-based filtering
- Reverse proxy: Built-in reverse proxy with TLS support, unix sockets, and custom headers
How it works
Anubis sits in front of your web application as a reverse proxy. When a request comes in:
- Policy evaluation: Anubis checks the request against your configured bot policies
- Action determination: Based on the matching rule, Anubis can:
  - ALLOW: Pass the request directly to your backend
  - CHALLENGE: Present a proof-of-work challenge to verify the client is a real browser
  - DENY: Block the request entirely
  - WEIGH: Adjust a weight score that feeds into threshold-based rules
- Challenge validation: If challenged, the browser solves a SHA-256 puzzle and receives a JWT cookie
- Future requests: The JWT cookie allows subsequent requests to bypass challenges
Key features
Flexible bot detection
Define bot rules using multiple criteria:
- User-Agent regex patterns
- Path-based matching
- Header inspection
- CIDR ranges for IP filtering
- GeoIP and ASN filtering (with Thoth)
- Custom CEL expressions for complex logic
Multiple challenge algorithms
Anubis supports several challenge types defined in lib/challenge/:
- fast: Default SHA-256 proof-of-work optimized for speed
- slow: CPU-intensive variant to punish aggressive scrapers
- metarefresh: HTTP meta refresh for clients without JavaScript
- preact: Interactive browser-based challenge
Production-ready features
- Configurable difficulty levels (0-64 leading zero bits)
- Cookie domain management with dynamic domain support
- Base path prefix support for hosting under subpaths
- Prometheus metrics at /metrics
- Health check endpoint at /healthz
- Hot-reloadable policy configurations
- Structured logging with configurable levels
When to use Anubis
Anubis is designed for situations where:
- You’re experiencing high load from AI scraper bots
- You can’t or don’t want to use commercial bot protection services
- You need fine-grained control over which bots to allow or block
- You want a self-hosted, open-source solution
- Your infrastructure can run a Go binary or Docker container
Important considerations
This is security software. Anubis is designed to protect your application from potentially adversarial traffic. Configuration errors can result in:
- Blocking legitimate users
- Allowing bot traffic through
- Session invalidation on restart (if not using persistent storage with signing keys)
Next steps
- Quickstart: Get Anubis running in minutes with Docker
- Configuration: Learn how to configure Anubis for your environment
- Bot policies: Understand how to write effective bot detection rules
- Deployment: Deploy Anubis behind your reverse proxy