How does our active DDoS protection work?

Learn how Framer safeguards your website against external attacks.

Framer protects your website from attacks using various methods. One noticeable method is the challenge page, where some visitors might see a spinner before accessing your site.

If you see this page, your site is under attack, and we are protecting it from bots and downtime.

Website attacks are common on the internet, and any site can be a target. One frequent type of attack is a Distributed Denial of Service (DDoS) attack. In a DDoS attack, many computers simultaneously load your site as quickly and frequently as possible, aiming to overwhelm it and cause it to crash.

The most effective protection against DDoS attacks is rate limiting. This involves monitoring how often a page is loaded by the same group of visitors. Visitors who access the site more frequently than a normal human would are likely bots and should be blocked. The check is not foolproof, though, so some of the clients it flags might be real visitors. Instead of blocking them outright, we ask their browser to solve a quick puzzle in the background, which takes around half a second on a fast computer. This puzzle is similar to Sudoku but for your CPU. Once the browser solves it, the visitor can access the site as usual.

This quick puzzle will likely go unnoticed by normal visitors. However, if you're sending millions of requests per second, it would take years to solve all the puzzles. This makes it an effective way to prevent bots from overwhelming your site while allowing regular visitors to pass through.
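The page does not say which puzzle Framer uses. The Node.js sketch below is an added illustration, not Framer's code: it assumes a hashcash-style SHA-256 puzzle to show why solving costs the client many hashes while checking costs the server one. All function names and the 16-bit difficulty are assumptions.

```javascript
// Added example: hash-based client puzzle (proof of work). Not Framer's implementation.
const { createHash, randomBytes } = require("node:crypto");

// Number of leading zero bits in a digest buffer.
function leadingZeroBits(buf) {
  let bits = 0;
  for (const byte of buf) {
    if (byte === 0) { bits += 8; continue; }
    return bits + Math.clz32(byte) - 24; // clz32 counts over 32 bits; a byte uses the low 8
  }
  return bits;
}

function puzzleDigest(challenge, nonce) {
  return createHash("sha256").update(`${challenge}:${nonce}`).digest();
}

// Server side: hand a rate-limited client a fresh random challenge.
// A real deployment would also bind it to the client and expire it to stop replay.
function issueChallenge(difficultyBits) {
  return { challenge: randomBytes(16).toString("hex"), difficultyBits };
}

// Client side: brute-force a nonce; expected work is about 2^difficultyBits hashes.
function solve({ challenge, difficultyBits }) {
  let nonce = 0;
  while (leadingZeroBits(puzzleDigest(challenge, nonce)) < difficultyBits) nonce++;
  return { nonce, attempts: nonce + 1 };
}

// Server side: a single hash confirms the work was done.
function verify({ challenge, difficultyBits }, nonce) {
  return Number.isSafeInteger(nonce) && nonce >= 0 &&
    leadingZeroBits(puzzleDigest(challenge, nonce)) >= difficultyBits;
}

// Demo: one visitor pays this cost once; a flood of requests pays it per request.
const puzzle = issueChallenge(16); // 16 bits is an assumed difficulty
const started = Date.now();
const solution = solve(puzzle);
console.log(`solved after ${solution.attempts} hashes in ${Date.now() - started} ms`);
console.log(`verified with one hash: ${verify(puzzle, solution.nonce)}`);
```

Each extra difficulty bit doubles the expected solving work without changing the cost of verification.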

Key Considerations

  • When your site is under attack, it responds with a 429 status code (Too Many Requests) and shows a challenge page. This may trigger uptime alarms, but it's essential to understand that your site is not down; it is being protected from an attack. If you find the notifications annoying, you can configure your alarm to ignore 429 responses.

  • Once the attack slows down, we will automatically disable site protection, and the challenge page will disappear for everyone.

  • There is no expected negative SEO impact. The 429 status code signals crawlers (like Googlebot) to come back later, ensuring your website is crawled again after the attack is over.