So I kind of set up another level of security well not really more of a gate to help block more bots and scrapers that seem to bypass robots.txt and whatever enhancements and blocks you have in your .htaccess file, these currently are working on my #friendica instance fairly well so maybe they can help someone maybe they do nothing;

First at the very top of your index.php in the root of your friendica directory right after the <? I added the following code,

// --- ALIEN GATE START ---
$request = $_SERVER['REQUEST_URI'] ?? '';

// 0. Signed cookie (prevents bots forging it)
$secret_key = 'Your_Alien_Secret';
$valid_cookie = hash_hmac('sha256', 'verified', $secret_key);
$has_cookie = isset($_COOKIE['instance_access']) &&
              hash_equals($valid_cookie, $_COOKIE['instance_access']);

if (!$has_cookie) {

    // 1. Federation / machine endpoints (never gate)
    $is_fediverse =
        str_contains($request, '/.well-known/') ||
        str_contains($request, '/activitypub/') ||
        str_contains($request, '/api/') ||
        str_contains($request, '/assets/');

    // 2. Static assets (never gate)
    $is_static = preg_match('/\.(css|js|png|jpg|ico|svg|woff2)$/i', $request);

    // 3. Only gate the root URL
    if ($request === '/' && !$is_fediverse && !$is_static) {
        require 'gate.php';
        exit;
    }

    // 4. Prevent bypass via /index.php
    if ($request === '/index.php') {
        header('Location: /');
        exit;
    }
}
// --- ALIEN GATE END ---

then I created in the root directory again, gate.php

 <?php
// 1. VERIFICATION LOGIC
if (isset($_GET['nonce']) && isset($_GET['seed'])) {
    $nonce = (int)$_GET['nonce'];
    $seed = $_GET['seed'];
    $check_hash = hash('sha256', $seed . $nonce);

    // Verify hash matches the "000" requirement
    if (str_starts_with($check_hash, '000')) {
        $secret = 'Your_Alien_Secret';
$token  = hash_hmac('sha256', 'verified', $secret);
setcookie("instance_access", $token, time() + 86400 * 30, "/");
        header("Location: /index.php");
        exit;
    }
}

// 2. CHALLENGE UI
$seed = bin2hex(random_bytes(16));
?>
<html>
<head>
    <title>Access Verification</title>
    <link href="https://fonts.googleapis.com/css2?family=Atkinson+Hyperlegible+Mono&display=swap" rel="stylesheet">
    <style>
        body {
            display: flex;
            flex-direction: column;
            justify-content: center;
            align-items: center;
            height: 100vh;
            margin: 0;
            font-family: 'Atkinson Hyperlegible Mono', monospace;
            background-color: #f4f4f9;
            color: #333;
        }
        .container {
            text-align: center;
            padding: 2rem;
            background: white;
            border-radius: 8px;
            box-shadow: 0 4px 6px rgba(0,0,0,0.1);
        }
    </style>
</head>
<body>
    <div class="container">
        <h2>Your Instance Name</h2>
        <h3>Verification Required</h3>
        <p id="status">Your Computer Is Solving A Security Challenge To Prove You Are A Human...</p>
        <p>Your Computer Is Solving A Security Challenge To Prove You Are A Human...</p>
        <p>Your Privacy Matters, No Data Is Recorded...</p>
    </div>

    <script>
        const seed = "<?php echo $seed; ?>";
        let nonce = 0;

        async function sha256(message) {
            const msgUint8 = new TextEncoder().encode(message);
            const hashBuffer = await crypto.subtle.digest('SHA-256', msgUint8);
            return Array.from(new Uint8Array(hashBuffer)).map(b => b.toString(16).padStart(2, '0')).join('');
        }

        async function solve() {
            const startTime = Date.now();
            
            while (true) {
                let hash = await sha256(seed + nonce);
                if (hash.startsWith("000")) {
                    const elapsed = Date.now() - startTime;
                    const remaining = 2000 - elapsed;
                    
                    if (remaining > 0) {
                        document.getElementById('status').innerText = "Verifying human interaction...";
                        await new Promise(r => setTimeout(r, remaining));
                    }
                    
                    window.location.href = `?nonce=${nonce}&seed=${seed}`;
                    break;
                }
                nonce++;
            }
        }
        solve();
    </script>
</body>
</html>

in both places change Your_Alien_Secret for your actual matching secret, and maybe it will help kill some bot and scrapers from hitting your instance so hard;

⚖️ License (MIT)
Copyright (c) 2026 pasjrwoctx👽 (Philip A. Swiderski Jr.)

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE

@Friendica Support @Friendica Developers @Friendica Admins

You can encourage my continued useless ideas, and by doing so your helping to feed, house and clothe a #disabled man living in #poverty, $5-10-15 It All Helps, via #cashapp at $woctxphotog or via #paypal at paypal.com/donate?campaign_id=…