Access Control

Access Control is a powerful tool that allows you to create and manage rules for controlling access to your website. By defining specific criteria, you can ensure that only legitimate users can interact with your content, while blocking unwanted bot traffic and spam.

Rules are created dynamically by our ML threat models — emerging attack patterns are detected across our platform and counter-rules are deployed in real time, so new threats are caught the moment they appear. You can also configure rules manually to block traffic by IP, geo-location, browser, device, TLS fingerprint and more — useful for incident response or organisation-specific policies.

Access Control
How it works

Why Access Controls are the ideal choice

Access Controls allow you to dynamically block bots by automatically creating rules based on user behavior.

No personal data collection

Unlike traditional bot protection services, our system collects and stores the least amount of personal data, protecting user privacy.

Enhanced security and user experience

Prevent bots and spam without compromising user trust. Access rules restrict unwanted traffic, ensuring your server resources are available for genuine users.

Easy integration

Enjoy a simple implementation process for websites of all sizes. It's designed to work seamlessly with various platforms through the use of a single line of JavaScript - no DNS changes required.
Why Prosopo

The benefits of choosing Prosopo Access Control

Customizable rules

Create tailored rules to meet your specific security needs based around IP Address, Geo-location, User-Agent, Device, JA4 Fingerprints, Header Hashes, and more.

Real-time protection

Protect your website from bots and spam in real-time with dynamically changing rules.

User-friendly interface

Easily manage and update custom access rules with a simple interface.

AI-driven insights

Turbo-charge your protection by enabling AI-assisted rule generation and implementation, reducing your security team's burden.

GDPR compliance

Our privacy policy complies with the law and guidelines of GDPR.

How Prosopo Access Control works

An access rule combines one or more conditions with a policy. When a verification request matches every condition in a rule, the policy is applied instead of your site's default challenge. Rules are evaluated by specificity — a more precisely targeted rule always wins over a broader one — so you can layer broad defaults with surgical overrides.

Each rule has an expiry, which makes Access Control just as useful for short, sharp responses to live attacks as it is for long-running policy.

What you can match on

Conditions describe who the rule applies to. You can mix and match any of the fields below in a single rule.

FieldWhat it matchesExample use
IP addressA single IPv4 addressBlock a specific abuser
IP range (CIDR)A subnet such as 192.168.1.0/24Restrict a VPN gateway or corporate network
ASNAn Autonomous System Number, i.e. a hosting provider, ISP or VPN networkThrottle traffic from a noisy cloud host without listing every IP it owns
CountryStandard two-letter country codeApply tighter rules to regions seeing high abuse
User AgentThe browser or client string sent by the requestBlock headless browsers and scripted clients
JA4 fingerprintA TLS-level fingerprint of the clientCatch automation tooling that varies its User Agent but not its TLS stack
User IDAn identifier you pass through your integrationApply per-user policies for known accounts

What you can do when a rule matches

When a rule matches, you choose how to respond:

  • Block — fail the verification outright. Use this for known-bad sources.
  • Require an image or puzzle challenge — present an image or puzzle CAPTCHA with a configurable number of rounds. Useful for suspicious-but-not-confirmed traffic.
  • Require Proof of Work — issue a computational challenge at a difficulty you choose. Slows automation down without asking the user to click anything.

Built for incident response and long-term policy

Because every rule carries an expiry, Access Control fits two very different jobs:

  • Live incident response. When an attack starts, drop in a short-lived rule (minutes or hours) targeting the offending IP range, ASN or fingerprint. The rule lapses on its own once the wave is over — no cleanup, no risk of forgotten overrides.
  • Standing policy. Long-running rules let you encode business decisions: stricter checks for high-risk regions, custom challenges for partner networks, allow-by-default for trusted user IDs.

How Prosopo Access Control compares

Full capability Partial / caveat Not available
CapabilityProsopo Access ControlTraditional WAF rulesreCAPTCHA / hCaptcha
Block by ASN / hosting network Limited
Block by TLS (JA4) fingerprint Rarely
Per-rule custom challenge (image, puzzle, PoW difficulty)
Rule expiry built in Manual cleanupN/A
GDPR-compliant data handling Varies
No DNS changes required DNS-routed

Common use cases

Configuration reference

Detailed field formats, policy options and rule-matching behaviour are documented in the Access Control Rules reference.

Request a Demo of Prosopo Access Control

Access Control is part of our Enterprise product. Please contact our sales team who will be happy to provide you with a quote.

Tell us about your bot problem

We'll get back to you straight away

By submitting this form, you agree to our Privacy Policy and Terms of Service

By the numbers

Trusted by companies of all sizes.

Active websites
0+
Monthly verifications
0+
Bots stopped per month
0+
Reviews

Our customers love us.

Hundreds of businesses have made the switch from reCAPTCHA and hCaptcha to Prosopo. Here's what they have to say.

Frequently Asked Questions

What is Access Control?

Access Controls are customizable rules that help you control access to your website. They allow you to define specific criteria for granting or denying access, ensuring that only legitimate users can interact with your content.

How does Access Control work?

Access Control works by evaluating user behavior and interactions against predefined criteria. If a user's actions match the criteria for blocking, they will be denied access, while legitimate users will be allowed through.

Can I customize the Access Rules?

Yes, you can customize the Access Rules based on your specific needs and business requirements. This flexibility allows you to tailor the rules to align with your security policies.

More from Prosopo

What else can Prosopo protect for you?

No matter the threat, we have a solution to keep your business safe.

Product

Access Control

Prosopo's Access Control dynamically generates rules to protect your website from bots and spam.

Learn more
Access Control
Product

API Protection

Stop automated abuse of your API endpoints with Prosopo's bot-aware verification and access control.

Learn more
API Protection
Product

Risk Scoring

Prosopo's Risk Scoring provides real-time analysis of user behavior to identify potential threats.

Learn more
Risk Scoring
Product

Spam Bot Protection: Stop Form Spam Before It Lands

Spam bot protection that blocks fake signups, throwaway emails and abusive networks before they reach your forms — without breaking the experience for real users.

Learn more
Spam Bot Protection: Stop Form Spam Before It Lands
Product

Invisible CAPTCHA

Prosopo's Invisible CAPTCHA provides seamless bot protection without disrupting the user experience.

Learn more
Invisible CAPTCHA
Product

Procaptcha - GDPR Compliant CAPTCHA

With Prosopo's GDPR friendly captcha, enjoy seamless website security. Protect users, prevent bots, and stay compliant - all while keeping it simple.

Learn more
Procaptcha - GDPR Compliant CAPTCHA