Client-side JavaScript Agent
The client-side JS agent is required for displaying challenge pages, and collects additional telemetry to improve threat detection and visitor categorisation.
Challenges are served within an iframe when a VerifiedVisitors mitigating response is detected. This works by listening for fetch and XMLHttpRequest calls from the browser and checking the responses sent by a server-side integration.
The additional data collected makes it possible to detect automated scripts and browsers such as headless Chrome and Puppeteer stealth.
Setup
Embed the following snippet in your <head> element:
<link rel="preconnect" href="https://resources.verifiedvisitors.com" />
<link rel="preconnect" href="https://api.verifiedvisitors.com" />
<script async src="https://resources.verifiedvisitors.com/vvfp.min.js"></script>
This is done automatically by the Cloudflare worker implementation.
Content-Security-Policy
If your site uses Content-Security-Policy (CSP), make sure the following directives are set:
connect-src https://api.verifiedvisitors.com
script-src https://resources.verifiedvisitors.com
worker-src blob:
style-src 'unsafe-inline'
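The following added example (not VerifiedVisitors code) checks an existing CSP header for the four sources above and merges them in. It assumes exact token matching and the CSP Level 3 fallback order, and the function names are hypothetical. It handles the case where adding a new directive would otherwise stop it inheriting from default-src:

```javascript
// Added example. Required sources are the ones listed in the CSP section above.
const REQUIRED = {
  "connect-src": "https://api.verifiedvisitors.com",
  "script-src": "https://resources.verifiedvisitors.com",
  "worker-src": "blob:",
  "style-src": "'unsafe-inline'",
};
// CSP Level 3 fallback chain consulted when a directive is absent.
const FALLBACK = {
  "connect-src": ["default-src"],
  "script-src": ["default-src"],
  "style-src": ["default-src"],
  "worker-src": ["child-src", "script-src", "default-src"],
};
// Parse a header value into Map(directive name -> array of source tokens).
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    // A repeated directive is ignored by browsers: the first one wins.
    if (key && !policy.has(key)) policy.set(key, sources);
  }
  return policy;
}

// Name of the directive that actually governs `d` in this policy, if any.
const governing = (policy, d) => [d, ...FALLBACK[d]].find((n) => policy.has(n));
// Directives whose governing source list lacks the required token.
// Simplification: exact token match only; wildcards and scheme sources are not evaluated.
function missingDirectives(header) {
  const policy = parseCsp(header);
  return Object.keys(REQUIRED).filter((d) => {
    const g = governing(policy, d);
    return g !== undefined && !policy.get(g).includes(REQUIRED[d]);
  });
}

// Add the required sources. A directive created here is seeded from the one it
// used to inherit from, so existing allowances (e.g. 'self') are not dropped.
function addRequired(header) {
  const original = parseCsp(header);
  const merged = new Map(original);
  for (const d of missingDirectives(header)) {
    const inherited = original.get(governing(original, d));
    merged.set(d, [...inherited.filter((s) => s !== "'none'"), REQUIRED[d]]);
  }
  return [...merged].map(([n, s]) => [n, ...s].join(" ")).join("; ");
}
```

A directive with no governing entry at all is reported as not missing, because the browser leaves that resource type unrestricted.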
Configuration
Listening for fetch and XMLHttpRequest calls can be disabled by configuring the agent before loading, like so:
<script>
  var vvcfg = {
    interceptFetch: false,
  }
</script>
<script async src="https://resources.verifiedvisitors.com/vvfp.min.js"></script>
White labelling
JS agent white labelling is available upon request. Please contact us for more information.
By default the JS agent is sourced from and pushes telemetry to our domains. This can potentially be identified and blocked by browsers and ad blockers. White labelling allows the JS agent to be loaded as a first-party script on your domain, along with any sent telemetry.
This works by pointing an alias subdomain (as a CNAME) to the VerifiedVisitors white label domain we provide you. The JS agent then detects when it's loaded from a white label domain and automatically targets that domain for further telemetry.
If present, your CAA DNS record for the root domain of your alias domain must include pki.goog, letsencrypt.org, or both. VerifiedVisitors uses Google Managed certificates to provision and maintain the certificates for the white label domain your alias points to.