# AppiCryptWeb

<figure><img src="https://1666089280-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FxFHPMAbn16uoDyOtoiaC%2Fuploads%2FsJWrJq1gteFhrMGooTi4%2FTheme%20AppiCryptWeb.png?alt=media&#x26;token=5650b17d-0075-4bae-a964-e2e98a36a15c" alt=""><figcaption></figcaption></figure>

## Value at a glance

* Block scripted abuse and tampered requests before they consume resources by attaching integrity flags to each API call.
* Accurate threat intelligence combining bot detection, tampering flags and incognito state delivered per request.
* Reliable user tracking and session correlation through persistent browser fingerprinting that works across tabs and sessions.

{% hint style="info" %}
Premium Users: View [premium documentation here](https://docs.talsec.app/premium-integration-documentations/).
{% endhint %}

## Key Protections and Use Cases

AppiCryptWeb delivers robust defenses against a wide range of threats, enabling secure API interactions for diverse applications. Here's how it protects:

* **Bot and Automation Detection**: Flags scripted bots, headless browsers, and automation frameworks to prevent API scraping, credential stuffing, and DDoS-like abuse.
* **Tampering Prevention**: Detects native object manipulation and request alterations, safeguarding against injection attacks and modified payloads.
* **Incognito Mode Monitoring**: Tracks private browsing to enforce policies on anonymous sessions, reducing fraud in high-risk scenarios.
* **Self-Integrity Checks**: Ensures the agent's own code hasn't been bypassed, providing verifiable runtime health per request.

These protections power critical use cases, including:

* **AI Scrapers and Data Harvesting**: Stop large language models and crawlers from extracting proprietary data via APIs.
* **Content Protection**: Secure media delivery and prevent unauthorized downloads or embeds in video streaming or publishing platforms.
* **Ads Revenue Safeguarding**: Block ad blockers, scripted views, and fake traffic to maintain accurate monetization metrics.
* **DRM Enforcement**: Verify legitimate browser environments for digital rights management in software distribution and content access.
* **Scalping and Inventory Abuse**: Prevent automated ticket or product grabs on e-commerce sites by flagging high-velocity bot activity.
* **API Scraping Defense**: Protect endpoints from bulk data exfiltration in financial, healthcare, or research APIs.

## Showtime!

Want to see AppiCryptWeb in action? Try the [live demo](https://appicryptwebdemo.talsec.app) yourself. Open it in a normal browser, then try it with Playwright or Puppeteer and see what happens.

## How it works

A WebAssembly agent generates a signed cryptogram per API request containing browser fingerprint, threat flags, and a caller-provided nonce bound to that specific call.

The backend evaluator verifies signatures, validates freshness and nonce binding, extracts the browser fingerprint and threat data, computes a risk score, and returns detailed assessment context for customer decision logic.

## Why it's different

* **Request-bound attestation**: nonce binding and signed cryptograms with embedded fingerprints give strong replay resistance and user correlation per call.
* **WebAssembly performance**: near-native execution speeds with minimal overhead, achieving fast cryptogram generation while running heavy operations off the main thread without blocking UI.
* **Hacking resistance**: WebAssembly's isolated execution, dual-agent architecture, message channel separation, and cryptographic module signatures make bypassing or tampering extremely difficult, with self-checks and backend provenance verification ensuring integrity.

## Integration

**Frontend**: include the WebAssembly agent using JavaScript glue, initialize once with the magic file, then call `getCryptogram` with a short nonce and send it in a header such as `appicrypt`.

**Backend**: install the evaluator to decrypt and verify signatures, extract browser fingerprint and threat flags, check freshness and nonce, compute risk score, and pass the assessment context to existing business logic.
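
The order of backend checks described above (signature, freshness, nonce binding, replay, then scoring) can be sketched as follows. This is an added example, not Talsec's evaluator or cryptogram format: the token layout, flag names, score weights, freshness window and the Ed25519 demo key are all assumptions, and `makeSampleCryptogram` only stands in for the value the agent would place in the `appicrypt` header.

```javascript
// Added illustration only: NOT the AppiCryptWeb cryptogram format or evaluator API.
// Token layout, flag names, weights, window and the Ed25519 demo key are assumptions.
const crypto = require('node:crypto');

const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
const MAX_AGE_MS = 30_000;    // assumed freshness window
const WEIGHTS = { selfIntegrityFailed: 100, tampering: 60, automation: 50, uaSpoofing: 30, incognito: 10 };
const seenNonces = new Map(); // nonce -> time after which the token is stale anyway

// Stand-in for the browser agent: signs nonce, timestamp, fingerprint and flags.
function makeSampleCryptogram(nonce, flags, issuedAt) {
  const body = Buffer.from(JSON.stringify({ nonce, issuedAt, fingerprint: 'fp-constructed', flags }));
  const sig = crypto.sign(null, body, privateKey);
  return `${body.toString('base64url')}.${sig.toString('base64url')}`;
}

// Backend side: signature first, then freshness, nonce binding, replay, scoring.
function evaluate(headerValue, expectedNonce, now = Date.now()) {
  const [bodyB64, sigB64] = String(headerValue ?? '').split('.');
  if (!bodyB64 || !sigB64) return { ok: false, reason: 'malformed' };
  const body = Buffer.from(bodyB64, 'base64url');
  if (!crypto.verify(null, body, publicKey, Buffer.from(sigB64, 'base64url'))) {
    return { ok: false, reason: 'bad-signature' };
  }
  const claims = JSON.parse(body.toString('utf8')); // parsed only after verification
  if (Math.abs(now - claims.issuedAt) > MAX_AGE_MS) return { ok: false, reason: 'stale' };
  if (claims.nonce !== expectedNonce) return { ok: false, reason: 'nonce-mismatch' };
  for (const [n, exp] of seenNonces) if (exp < now) seenNonces.delete(n);
  if (seenNonces.has(claims.nonce)) return { ok: false, reason: 'replay' };
  seenNonces.set(claims.nonce, claims.issuedAt + MAX_AGE_MS);
  const riskScore = Math.min(100, claims.flags.reduce((s, f) => s + (WEIGHTS[f] ?? 10), 0));
  return { ok: true, fingerprint: claims.fingerprint, flags: claims.flags, riskScore };
}

// Constructed sample run with fixed timestamps.
function demo() {
  const t0 = 1_700_000_000_000;
  const token = makeSampleCryptogram('nonce-A', ['automation', 'incognito'], t0);
  return [
    evaluate(token, 'nonce-A', t0 + 1_000), // accepted
    evaluate(token, 'nonce-A', t0 + 2_000), // same cryptogram again
    evaluate(token, 'nonce-B', t0 + 2_000), // attached to a different call
  ];
}
console.log(demo());
```

The replay cache here is in-process; with several backend or edge instances it would need to be shared for the replay check to hold.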

## What's included

* **Browser fingerprint:** stable imprint for persistent user identification across sessions and tabs.
* **Threat flags**: tampering of native objects, automation traits, user-agent spoofing, incognito mode, and agent self-integrity.
* **WebAssembly advantages**: small compressed footprint, asynchronous operation that doesn't block the UI thread, and cryptographically signed modules with backend-verifiable provenance traces.

## Broad Compatibility

AppiCryptWeb works seamlessly across all major mobile and desktop browsers, engines, and environments, ensuring consistent protection without compatibility headaches:

* **Desktop Browsers**: Chromium 80+ (Chrome, Brave), Edge 80+, Opera 66+, Firefox 114+, Safari 15+.
* **Mobile Browsers**: Android WebView (Android 11+, Android 10 with updated WebView), iOS WKWebView 15+ (covering Safari Mobile, Chrome Mobile, Firefox Mobile).
* **Rendering Engines**: Full support for Blink (Chromium-based), Gecko (Firefox), and WebKit (Safari/iOS).
* **Hybrid & Embedded**: Electron (for desktop apps), Tizen 6.5+, webOS 22+ for smart TVs and embedded web views.

This wide coverage means you can deploy it confidently on web apps, PWAs, SPAs, and hybrid mobile experiences.

## Get started

Add the WebAssembly package, initialize with the magic file, generate a fresh nonce plus cryptogram per request, and send it in a custom header.

Install the evaluator at backend or edge, verify and score the cryptogram, extract fingerprint and threat data, and use the assessment context in existing authorization and fraud logic.
