How does our active DDoS protection work?

Learn how Framer safeguards your website against external attacks.

Framer uses advanced protection methods to secure your website, including a challenge page that some visitors may see—a spinner screen—during an attack. If you encounter this page, it means your site is under attack, and Framer is actively defending it against bots and downtime.

A black screen displaying the message, 'Checking your browser to make sure you're not a robot. This will only take seconds,' with a spinning blue loading icon beneath the text.

Website attacks, like Distributed Denial of Service (DDoS) attacks, are common. In a DDoS attack, attackers overwhelm your site by loading it simultaneously from numerous computers as quickly as possible, aiming to crash it.

Framer counters DDoS attacks with rate limiting. This method monitors how frequently pages are loaded by the same group of visitors. If traffic exceeds normal human behavior, visitors are likely bots and are blocked. However, since legitimate users might also be flagged, Framer requires their browser to solve a quick CPU-based puzzle in the background. This verification process takes about half a second on a fast computer, allowing access once completed.

For normal visitors, this check is invisible. Bots sending millions of requests per second would take years to solve these puzzles, effectively stopping them while ensuring regular users can browse without interruption.

Key considerations

  • During an attack, your site may respond with a 429 error code (too many requests) and display a challenge page. Although this might trigger uptime alarms, your site remains functional and protected. You can configure your alarm to ignore 429 responses if needed.

  • Protection is automatically disabled after the attack ends, and the challenge page disappears for all visitors.

  • SEO is not negatively impacted. The 429 status code signals crawlers, like Google’s bot, to retry later. Your site will be crawled again once the attack subsides.