One common problem for popular websites is how to allow humans to access your content while preventing bots from doing the same. This would be an easy problem if all bots honestly declared themselves via the User-Agent header, but as you can imagine, many malicious bots seek to hide their identity. The standard solution is to require users to complete a CAPTCHA. But how often do you show a CAPTCHA? On every visit? Once, and then never again?

In this guide, we'll create a policy that requires visitors to fill out an initial CAPTCHA early -- after 10 visits within a 12-minute window -- but then allows for a 30-visit grace interval before they encounter another challenge.

a human visits 10 times, successfully completes a CAPTCHA, then visits 30 more times before they see another

The goal of this policy is to root out bots early while minimizing the number of CAPTCHAs that real humans have to complete. The subsequent CAPTCHAs are to filter out bots that might have gotten lucky against previous CAPTCHA challenges.


First, create a page group to represent our protected content. Go to the page groups page and click the "New page group" button. In this example, we'll imagine a set of profile pages /profile/1, /profile/2, etc. To simplify our page group, we'll use the regular expression "/profile/.+" to match these pages. The ".+" means "one or more of any character".

page group named "profile" with single page "/profile/.+"

For most policies, we would also want to create a visitor group to represent which visitors the policy should apply to. However, since we want this policy to apply to all visitors, we can use the system default any.

The next step is to create a policy to require the CAPTCHA. Go to the policies page and click "New policy". Our policy will require any visitor to complete a CAPTCHA after 10 visits to profile pages. But after that, they'll only be asked to fill out a CAPTCHA challenge once every 30 visits.

policy named "prove you're human" that reads "When visitors in any visits profile page(s) 10 times in 12 hours then require CAPTCHA every 30 visits."

The initial 10 visits is set in the frequency section, and the grace interval is a special configuration that applies only to CAPTCHA authorization policies. The field will become available after the CAPTCHA authorization is selected.

after selecting the CAPTCHA authorization, the grace interval should appear
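
To check how the frequency threshold and the grace interval interact before rolling the policy out, the decision logic can be modeled as a small state machine. This is an added example, not Gatekeeper's own code: the names are hypothetical, and it assumes the challenge appears on the 10th matching visit, that once the grace interval is used up the next visit is challenged regardless of frequency, that the page group regex must match the whole path, and the 12-minute window from the introduction.

```python
import re
from collections import deque

PAGE_GROUP = re.compile(r"/profile/.+")  # the "profile" page group from this guide
THRESHOLD = 10             # matching visits that trigger the first CAPTCHA
WINDOW_SECONDS = 12 * 60   # frequency window (assumed: 12 minutes)
GRACE_VISITS = 30          # visits allowed after a solved CAPTCHA


class Visitor:
    """Per-visitor state; how visitors are told apart is out of scope here."""

    def __init__(self):
        self.recent = deque()    # timestamps of matching visits in the window
        self.grace_left = 0      # visits remaining before the next challenge
        self.pending = False     # a challenge was issued and is not yet solved
        self.challenged = False  # visitor has solved at least one CAPTCHA


def visit(v, path, now):
    """Return "allow" or "captcha" for one request at time `now` (seconds)."""
    if not PAGE_GROUP.fullmatch(path):   # assumed: regex must match whole path
        return "allow"                   # policy only covers the page group
    if v.pending:
        return "captcha"                 # unsolved challenge keeps blocking
    if v.grace_left > 0:
        v.grace_left -= 1
        return "allow"
    if not v.challenged:
        v.recent.append(now)
        while v.recent[0] <= now - WINDOW_SECONDS:
            v.recent.popleft()           # drop visits that left the window
        if len(v.recent) < THRESHOLD:
            return "allow"
    v.pending = True                     # threshold hit or grace used up
    return "captcha"


def solve(v):
    """Record a successfully completed CAPTCHA and start the grace interval."""
    v.pending = False
    v.challenged = True
    v.grace_left = GRACE_VISITS
    v.recent.clear()
```

In this model a visitor who spaces requests two minutes apart never has 10 visits inside the window and is never challenged, which is the trade-off the frequency setting controls.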

This tutorial gives you a sense of how to craft a simple policy that presents CAPTCHA challenges to filter out bots from specific content. Gatekeeper is very flexible, so you can customize policies to be more appropriate to the traffic that your site sees. For more information on how you can apply different levels of strictness based on who is visiting you, see this tutorial.