How does our active DDoS protection work?


How does our active DDoS protection work?

Learn how Framer safeguards your website against external attacks.

Framer safeguards your website from attacks using different methods, but the one you might notice is the challenge page, where some visitors might see a spinner before they can visit your site.

If you see this page, your site is under attack and we are protecting it from robots and downtime.

Website attacks are a common occurrence on the internet, and any type of site can be a target. One of the most common types of attacks is a Distributed Denial of Service (DDoS) attack. In a DDoS attack, a large group of computers simultaneously loads your site as quickly and frequently as possible, with the goal of overwhelming it and causing it to crash.

The most effective protection against DDoS attacks is rate limiting. This involves monitoring how often a page is loaded by the same group of visitors. If the visitors access the site more frequently than a normal human would, it's likely they're robots and should be blocked. Some blocked clients might actually be real visitors, as the check is not foolproof. Instead of blocking them, we ask their browser to solve a quick puzzle in the background, which takes around half a second on a fast computer. This puzzle is similar to a Sudoku, but for your CPU. If you successfully solve it, you can access the site as usual.

This quick puzzle will likely go unnoticed by normal visitors. However, if you're sending millions of requests per second, it would take years to solve all the puzzles. This makes it a very effective way to prevent robots from overwhelming your site while allowing regular visitors to pass through.

Key Considerations

  • When your site is under attack, it responds with a 429 error code (too many requests) and redirects to a challenge page. This may trigger uptime alarms, but it's essential to understand that your site is not down – it's being protected from an attack. If you find the notifications annoying, you can configure your alarm to ignore 429 responses.

  • Once the attack slows down, we will automatically disable site protection, and the challenge page will disappear for everyone.

  • There is no expected negative SEO impact. The 429 status code signals crawlers (like the Google bot) to come back at a later point in time, which ensures your website is crawled again after the attack is over.