Ensuring only web browsers can access your website

InfinityFree is a website hosting service. That means that the hosting accounts we provided are intended for hosting websites. Websites contain pages that are accessed through web browsers. InfinityFree is not intended to be used for file sharing, API hosting, database hosting or background tasks/tools.

To help enforce this, free hosting enforces a security system that makes sure that anyone trying to access your website is using a normal web browser. This is done by checking whether the web browser can execute Javascript code and can accept cookies.

Every modern web browser supports Javascript and cookies and can be used to access your website without any problems. Unless the visitor has specifically disabled Javascript or cookies in their browser, they can access your website without any problems. Almost all websites require cookies and Javascript to work correctly, so very few people will experience problems with this.

This security system also helps to protect your website against (malicious) bots. However, some functions of some applications won’t work correctly because of this system.

Which features are not supported?

Because of this security system, the following things will not work correctly or at all on websites on free hosting.

  • Access through Android or iOS mobile apps (mobile browsers work fine).
  • API access to websites (like WordPress XML-RPC).
  • Access from cURL or other command-line clients.
  • Website code validators and SEO checkers.
  • Domain ownership verification checks which look at website URLs or HTML code. Some webmasters tools and ad networks do this.
  • Let’s Encrypt and websites providing certificates through Let’s Encrypt (like sslforfree.com or zerossl.com).
  • AJAX requests from other websites (CORS). AJAX requests are only possible on the same (sub)domain.
  • Hotlinking and embedding images and other (static) files on other websites.

Which errors can I expect?

When trying to access your website with an unsupported client, you may see one of the following errors:

  • 403 Forbidden
  • This site requires Javascript to work, please enable Javascript in your browser or use a browser with Javascript support
  • No ‘Access-Control-Allow-Origin’ header is present on the requested resource

Specifically, content like this is sent to the browser to validate whether it supports Javascript:

<html><body><script type="text/javascript" src="/aes.js" ></script><script>function toNumbers(d){var e=[];d.replace(/(..)/g,function(d){e.push(parseInt(d,16))});return e}function toHex(){for(var d=[],d=1==arguments.length&&arguments[0].constructor==Array?arguments[0]:arguments,e="",f=0;f<d.length;f++)e+=(16>d[f]?"0":"")+d[f].toString(16);return e.toLowerCase()}var a=toNumbers("f655ba9d09a112d4968c63579db590b4"),b=toNumbers("98344c2eee86c3994890592585b49f80"),c=toNumbers("d3c143e907c1d71f78f0018d7dbf3ac7");document.cookie="__test="+toHex(slowAES.decrypt(c,2,a,b))+"; expires=Thu, 31-Dec-37 23:55:55 GMT; path=/"; location.href="https://hans.epizy.com/?i=2";</script><noscript>This site requires Javascript to work, please enable Javascript in your browser or use a browser with Javascript support</noscript></body></html>

How does this security system benefit me?

The main advantage of this security system is that it’s very effective at blocking bad bots from accessing your website. There are many malicious crawlers on the internet who are searching for security problems to hack your website, rapidly guess login details to try and access protected sections in your website or hammer unprotected forms to send spam. This security system stops almost all of them.

Those malicious bots could also use a lot of server power, which can cause your website to be suspended if you use too much of it. So this security system helps to make sure that regular, legitimate website visitors can access your site without any problems.

Can search engine crawlers still access my website?

Despite being automated scripts, search engine crawlers can still access your website. The crawlers of all popular search engines can execute Javascript code and accept cookies. So search engines will have no problems indexing your website and your site can be visible in search engine results.

Note that some “search engine validator” scripts do not support Javascript and cookies, and will report that your website is inaccessible. However, this is an error with the validator tool, and does not prevent search engine crawlers from working correctly.

If you suspect your site is not being indexed correctly by search engines, you may wish to sign up for the Webmasters service from search engines like Google and Bing. From there you will be able to see if the search engines have any problems accessing your site.

Can I disable this security system?

No, this security system is mandatory on all websites and cannot be disabled.

If this security system means your website or application does not work as expected on InfinityFree, please consider to moving your website to premium hosting. On premium hosting, this security system is not present (your website will be protected in less obtrusive ways), so you can access your website through other clients which are not browsers (like mobile apps, automated verification tools, etc.).

3 Likes

You have a spelling mistake.

8 Likes

why?

Please read the article. It explains why:

12 Likes

is premium plan can solve the problem of api access

Yes

4 Likes

good

A bit annoying, I could not use Ahrefs Webmaster Tools with my domain. And I am not sure why you as a separate company are trying to make people upgrade to premium

Please don’t mistake correlation for causation. The fact that this system is present on free hosting but not premium hosting does not mean that we purposely put this system on free hosting to bully you into upgrading.

The rules for free and premium hosting are generally the same, but with premium hosting, they are just implemented in a more lenient way to avoid impact on legitimate websites.

And iFastNet is a separate company, yes, but they pay for the majority of the free hosting costs. And iFastNet they have made it clear that they need a healthy upgrade percentage to be able to continue the service. So there is definitely an incentive to upgrade. InfinityFree also gets kickbacks on upgrades.

The purpose of this system is to protect our servers and your website from bad bots. Since we only provide website hosting, the impact this system has is acceptable in our opinion.

5 Likes

All a bot has to do to bypass all this is accept cookies and be able to run JavaScript!

Which takes more resources than you’d think. And APIs still won’t work.

5 Likes

It also has to be able to set cookies and keep track of redirects and such, which is usually way more then what basic HTTP libraries can handle.

6 Likes

It depends on the kind of bot. Any bot that uses a (headless) browser will have no trouble bypassing this system, but the overwhelming majority of bots are simple scrapers that just use basic HTTP calls, because it’s much simpler, more efficient and more scalable.

Most bots just scour the internet looking for easy targets. And this browser check system makes a site no longer an easy target.

The security system is definitely not unbreakable, and will do little to stop a targeted attack. But it will block the armies of spam crawler just looking for easy prey.

6 Likes

A post was split to a new topic: Change site name