Skip to content

Frequently Asked Questions

What is Checkpoint?

v4Guard Checkpoint is a non-intrusive security widget that detects and prevents the use of VPNs or any anonymization services, ensuring legitimate user interactions on sensitive areas of a website.

Works in a similar way to a regular captcha, but in this case with no interaction required from the user, and with anonymization detection capabilities.

How does Content-Security-Policy (CSP) affect Checkpoint?

CSP allows you to define a set of rules to whitelist the domains that can be used on your site. If you have a strict CSP policy, you must whitelist the domains used by Checkpoint, otherwise it will not work.

Checkpoint is loaded via a script tag, and renders the widget on a iframe, so you must add the following directives to your CSP policy:

  • script-src:
  • frame-src:

What can the "action" parameter be used for?

v4Guard Checkpoint allows you to "tag" your challenges with a custom action value, this value will be stored in our analytics and show you which actions are being performed by your users, and their total percentage.

For example, if you have the same site key for your website, and you have Checkpoint on your login page, and on your signup page, you can use the "action" parameter to differentiate between the two actions.

Also, the "action" parameter will be returned on the Server-side validation response, so you can use it to identify the action that was performed by the user.

How long is the Checkpoint token valid for?

The Checkpoint token is valid for 300 seconds (5 minutes) after being issued. If the user does not submit the form within this time, the challenge will expire and will show an informative message to the user.

Any expired token will be rejected by the Server-side validation endpoint with a INVALID_TOKEN error.

Is it safe to use Checkpoint tokenverify on the client-side?

No, the token validation must always be done on the server-side, otherwise the secret key will be exposed. Also, validating the token on the client-side means that the validation could be skipped and bypassed by an attacker.

What differentiates Checkpoint from normal captchas?

The normal captchas are vulnerable to automated attacks. Most of the times a normal captcha can be bypassed just by having a headless browser automated to click on the "Im not a robot" button, and if it requires more user interacting, there are AI and machine learning algorithms that can solve captchas by listening to the audio (Voice To Text) or by analyzing the images (Image Recognition).

Checkpoint is a non-intrusive widget that will detect and prevent the use of VPNs, proxies and any anonymization services, ensuring only legitimate user interactions on sensitive areas of a website.

Your question is not listed here?

Feel free to contact us at Discord or via email at [email protected] and we will gladly help.