@cadey really cool! I made my own one of these too, originally it was used as antispam for forms (origanally i had called it a captcha) but I started using it to protect against indexer bots too, in a different context.

https://git.sequentialread.com/forest/pow-bot-deterrent

Here's a demo: https://picopublish.sequentialread.com/files/PHkVvC41/moss.jpg

Also, about the JS requirement. I haven't "upstreamed" this into the pow-bot-deterrent package yet but when I ran into spam issues with the capsul.org login page, I had to do something for js-free users (or just people who have webworkers disabled n stuff).

Eventually I settled on just asking them to send an email to a specific address. Then there's a separate process which stays connected to the mailbox over IMAP and waits for messages. Then when it gets one it returns a blocking http call, so the user can log in right away.

The code is a mess cuz I made it in a hurry but:

https://git.cyberia.club/cyberia/capsul-flask/src/branch/main/capsulflask/auth.py#L172

https://git.cyberia.club/cyberia/smtpd-delivery-monitor/src/branch/main/main.go#L361

Just saw this and wanted to share my experience w/ this kinda thing, its v. cool, I really don't like google captcha / cloudflare