Browser Security System - Features and Limitations

InfinityFree uses a security system on all free hosting accounts to ensure your website is accessed by real web browsers, not bots or automated scripts. While this protects your site from malicious traffic, it can affect certain types of access.

How the security system works

The system checks that visitors can execute JavaScript and accept cookies: features that all modern web browsers support. This verification happens automatically and most website visitors will never notice it.

You may occasionally see ?i=1 or similar parameters in your URL during this check; this is completely normal. [Learn more about URL parameters](link to article 1).

What doesn’t work with this security system

Because the system requires JavaScript and cookies, these types of access won’t work:

Mobile and desktop apps

  • Android or iOS mobile apps cannot connect to your website
  • Desktop applications that try to fetch content from your site
  • Progressive web apps (PWAs)
  • Note: Mobile web browsers work perfectly fine

API and automated access

  • REST APIs, WordPress XML-RPC, and similar services
  • Command-line tools like cURL or wget
  • Automated scripts and bots
  • Webhooks from external services

Development and validation tools

  • Website validators and SEO checking tools
  • Domain verification systems used by some ad networks and webmaster tools

Cross-site requests

  • AJAX requests from other domains (CORS)
  • Embedding images or files from your site on other websites (hotlinking)

What still works normally

The security system only affects access to your website from external sources. These features work perfectly fine:

Outbound requests from your site

  • Your website’s code can make API calls to external services
  • Server-side scripts can fetch data from other websites
  • External database connections work normally

Same-domain JavaScript requests

  • AJAX calls within your own website work fine
  • Single Page Applications (SPAs) can call APIs on the same domain
  • JavaScript can fetch data from your own site’s endpoints

The key principle is that anything accessed through a real web browser, or outbound connections from your site, will work as expected.

Common error messages

When incompatible tools try to access your site, you might see:

  • 403 Forbidden: The most common error for blocked requests
  • “This site requires Javascript to work”: Shows when JavaScript is disabled or unavailable
  • “No ‘Access-Control-Allow-Origin’ header”: Appears for blocked cross-domain requests

Benefits of this system

Protection from malicious bots: The system blocks automated attacks, login attempts, and spam bots that could compromise your site or consume server resources.

Prevents resource overuse: Malicious bots can quickly consume your account’s resource limits, potentially causing your website to be suspended. This security system helps ensure your resources are available for legitimate visitors.

Search engine compatibility: All major search engines (Google, Bing, etc.) support JavaScript and cookies, so your site will be indexed normally. Some validator tools may report issues, but actual search engine crawlers work fine.

Can I disable this system?

No, this security system is mandatory on all free hosting accounts and cannot be disabled.

If your website or application needs the blocked features, consider premium hosting. Premium hosting protects your site using less restrictive methods, allowing mobile apps, APIs, and automated tools to work normally.

Need help with specific issues?

6 Likes

You have a spelling mistake.

11 Likes

why?

2 Likes

Please read the article. It explains why:

14 Likes

Can the premium plan solve the problem of API access?

2 Likes

Yes

5 Likes

good

1 Like

A bit annoying, I could not use Ahrefs Webmaster Tools with my domain. And I am not sure why you as a separate company are trying to make people upgrade to premium.

Please don’t mistake correlation for causation. The fact that this system is present on free hosting but not premium hosting does not mean that we purposely put this system on free hosting to bully you into upgrading.

The rules for free and premium hosting are generally the same, but with premium hosting, they are just implemented in a more lenient way to avoid impact on legitimate websites.

And iFastNet is a separate company, yes, but they pay for the majority of the free hosting costs. And iFastNet have made it clear that they need a healthy upgrade percentage to be able to continue the service. So there is definitely an incentive to upgrade. InfinityFree also gets kickbacks on upgrades.

The purpose of this system is to protect our servers and your website from bad bots. Since we only provide website hosting, the impact this system has is acceptable in our opinion.

7 Likes

All a bot has to do to bypass all this is accept cookies and be able to run JavaScript!

Which takes more resources than you’d think. And APIs still won’t work.

6 Likes

It also has to be able to set cookies and keep track of redirects and such, which is usually way more than what basic HTTP libraries can handle.

7 Likes

It depends on the kind of bot. Any bot that uses a (headless) browser will have no trouble bypassing this system, but the overwhelming majority of bots are simple scrapers that just use basic HTTP calls, because it’s much simpler, more efficient and more scalable.

Most bots just scour the internet looking for easy targets. And this browser check system makes a site no longer an easy target.

The security system is definitely not unbreakable, and will do little to stop a targeted attack. But it will block the armies of spam crawlers just looking for easy prey.

9 Likes


I apologize, but I want to know:

This security system sends a cookie (if one has not been set yet), redirects to the page again with ?i=(X) (if the cookie wasn’t set), determines the number connected to i to either execute code to validate or go to a “Cookies Disabled” page.

This security system, since it may involve visiting a page twice or more, does it count against our Hits counter?

I would imagine it counts as 1 hit, but I can’t be sure.

Once and for all, let me repeat 🙂

aes.js is executed before anything else (it is the first thing in some hierarchy)

The challenge is run before the traffic actually hits the user’s account
and only when someone passes that part where they check if they can run JS and store cookies then,
only then does the server space (your web files) get accessed
and only then do HITs start being calculated

or in short aes is not counted as hits

8 Likes
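The flow described in the article and in the two posts above (cookie, ?i= retry counter, JavaScript validation, “Cookies Disabled” page, all before the site itself is reached), modelled as a small Node.js gate function. This is an added example, not InfinityFree's code: the cookie name, secret, retry limit, HMAC token and the 403 status on the final page are assumptions made for illustration.

```javascript
// Added example: simplified model of a cookie + JavaScript browser check.
// COOKIE, SECRET, MAX_TRIES and the HMAC token are hypothetical, not the host's.
const crypto = require('crypto');

const SECRET = 'constructed-demo-secret';
const COOKIE = 'bc_token';
const MAX_TRIES = 3; // assumed limit for the ?i= retry counter

// Value the challenge script must store as a cookie, bound to the client address.
function expectedToken(clientIp) {
  return crypto.createHmac('sha256', SECRET).update(clientIp).digest('hex');
}

function parseCookies(header = '') {
  return Object.fromEntries(
    header.split(';').map(p => p.trim().split('=')).filter(kv => kv.length === 2));
}

// Decide the response for one request before the site's own files are touched.
function gate({ url, clientIp, cookieHeader }) {
  const u = new URL(url, 'http://site.example');
  const token = expectedToken(clientIp);
  const got = Buffer.from(parseCookies(cookieHeader)[COOKIE] || '');
  const want = Buffer.from(token);
  if (got.length === want.length && crypto.timingSafeEqual(got, want)) {
    return { action: 'pass' }; // only now would the request count as a hit
  }
  const tries = Math.max(0, Number.parseInt(u.searchParams.get('i') || '0', 10) || 0);
  if (tries >= MAX_TRIES) {
    // Cookie never came back: stop redirecting (403 is an assumed status).
    return { action: 'block', status: 403, headers: {}, body: 'Cookies Disabled' };
  }
  u.searchParams.set('i', String(tries + 1));
  const next = JSON.stringify(u.pathname + u.search);
  // The cookie is written by script, not by a Set-Cookie header, so the client
  // must run JavaScript and keep cookies. No Access-Control-Allow-Origin header
  // is sent, which is why cross-origin AJAX against a gated site fails.
  const body = `<script>document.cookie="${COOKIE}=${token}; path=/";` +
    `location.href=${next};</script>` +
    '<noscript>This site requires Javascript to work</noscript>';
  return { action: 'challenge', status: 200,
           headers: { 'Content-Type': 'text/html' }, body };
}
```

A client that never stores the cookie walks the ?i= counter up to the limit and ends on the block page, which is the behaviour an API client, webhook or validator sees.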

I tinkered with an Android app and of course hit the brick wall with the AES.
Now, I do understand security concerns and such, but if one does a tad bit of digging and can basically cancel out that feature, the question comes up, why bother with it in the first place? For many, this “feature” has been more an annoyance than benefit. Often developers use services such as this site to “play” with new ideas and explore options and possibilities. For the most part, I have completely reverted to other options. Mainly also due to the fact that help is lagging. There is an ancient post about .htaccess being instantly deleted, solution? None. Solve? Nope.
Now, I have my workaround using Android and AES, but digging was rather time consuming.

It’s mostly there to prevent bot attacks, web crawling nightmares, etc. Yes, it is possible to work around, but note that if you use your workaround to violate the terms of service, your website will be suspended.

7 Likes

Thanks for ignoring the .htaccess Question.