Our Protection Philosophy
Kyvic operates on a principle of intelligent, risk-based filtering. Our primary goal is to remain completely invisible to your legitimate human visitors. Instead of showing a challenge to everyone periodically, our system analyzes incoming traffic for suspicious signals (such as request patterns and browser characteristics). Only when a visitor is flagged as potentially automated or malicious do we present one of our powerful Kyvic-Aegis illusion challenges. We use this intelligent approach for two key reasons:- Frictionless User Experience: Security shouldn’t punish your users. By challenging traffic selectively, we drastically reduce user friction, lower bounce rates, and preserve the trust your visitors have in your brand. We stop bots, not customers.
- High-Efficacy Challenges: When a threat is detected, we deploy a decisive defense. Our illusions are a computational dead end for AI, ensuring that when a challenge is necessary, it is highly effective at stopping automated threats.
A Note on Early AccessDuring our Early Access phase, our detection model is continuously learning and improving. We are focused on perfecting this balance between a seamless user experience and ironclad security, and your feedback is precious in this process.
Platform Compatibility
Kyvic operates as an edge reverse proxy, sitting between your visitors and your server. To set it up, you’ll need the ability to modify your domain’s DNS records (specifically, the CNAME and TXT records). Our service works best for websites operating on a single domain (e.g.,www.example.com). It also fully supports sites that load resources from multiple subdomains (e.g., assets.example.com). Please be aware, some sites have strict browser security policies (like CORS or CSP) that control how resources are shared between domains. If you encounter issues with assets not loading, a minor configuration adjustment by your web developer may be needed.
For maximum security, we strongly recommend protecting any critical subdomains with Kyvic as well. This creates a comprehensive shield and prevents origin IP/hostname exposure, making it significantly harder for attackers to target your server directly.
| Platform / Website Type | Supported? | Reason / Notes |
|---|---|---|
| Self-Hosted Websites (e.g., WordPress, Joomla, Drupal) | ✅ Yes | You have full DNS control to point your domain to Kyvic. |
| Cloud & VPS Hosting (e.g., AWS, DigitalOcean, Linode, Hetzner) | ✅ Yes | Ideal use case. You have complete control over your domain and server infrastructure. |
| Managed Blogs & CMS (e.g., WordPress.com, Blogger, Medium) | ✅ Yes* | Our specific setup guide for managed platforms is required. |
| Managed Website Builders (e.g., Webflow, Squarespace) | ✅ Yes* | Our specific setup guide for managed platforms is required. |
| Managed E-commerce (e.g., Shopify, BigCommerce, WooCommerce.com) | ⚠️ Partial Support* | Our specific setup guide for managed platforms is required. |
| Real-Time Apps (WebSockets, chat apps, live streaming) | ❌ No (Experimental) | Support is highly experimental and unstable. Functionality is not guaranteed during the Early Access phase. |
| DRM-Protected Video/Media (e.g., Netflix clones) | ❌ No | Our proxy can interfere with the secure Digital Rights Management (DRM) path required for protected content. |
An Important Note on Managed Platforms (WordPress.com, Shopify, etc.)Managed platforms don’t offer the same firewall control as self-hosted servers. That’s why we currently use the “secret subdomain” method to obfuscate your origin (see our Quickstart Guide for Managed Platforms).
The reality: Your secret subdomain can leak through SSL certificate transparency logs, search engines, or historical DNS records. If discovered, attackers can bypass Kyvic by accessing it directly.
Why it still matters: This approach stops automated scrapers and casual attackers who aren’t actively hunting for origins. It’s not foolproof, but it raises the barrier significantly since most bots and bad actors won’t invest the effort to search certificate logs or DNS history.
Platform reliability varies: static platforms (WordPress.com, Blogger, GitHub Pages, Netlify) tend to work well, while dynamic platforms like Shopify are less predictable.
Looking ahead: We’re actively researching more robust protection methods for managed platforms that don’t rely on origin obscurity. For now, this provides meaningful protection for most scenarios. Facing sophisticated and targeted attacks? Self-hosted solutions offer the strongest security controls.
The reality: Your secret subdomain can leak through SSL certificate transparency logs, search engines, or historical DNS records. If discovered, attackers can bypass Kyvic by accessing it directly.
Why it still matters: This approach stops automated scrapers and casual attackers who aren’t actively hunting for origins. It’s not foolproof, but it raises the barrier significantly since most bots and bad actors won’t invest the effort to search certificate logs or DNS history.
Platform reliability varies: static platforms (WordPress.com, Blogger, GitHub Pages, Netlify) tend to work well, while dynamic platforms like Shopify are less predictable.
Looking ahead: We’re actively researching more robust protection methods for managed platforms that don’t rely on origin obscurity. For now, this provides meaningful protection for most scenarios. Facing sophisticated and targeted attacks? Self-hosted solutions offer the strongest security controls.
Key Features at a Glance
By pointing your domain to Kyvic, you get more than just a next-gen captcha. You instantly upgrade your website’s infrastructure.| Feature | Your Benefit | How It Works |
|---|---|---|
| Kyvic-Aegis Illusions 🧠 | Stops automated AI traffic without frustrating your real users. | Our unique, user-friendly challenges require human logic that current AI cannot replicate, effectively filtering out non-human traffic. |
| Essential DDoS Protection 🛡️ | Your site stays online, even during a high-volume attack. | Our network automatically detects and absorbs large-scale traffic floods (L3, L4, and L7 attacks). |
| Intelligent Traffic Control 🚦 | Protects your server from being overwhelmed by suspicious activity. | Our system automatically identifies and throttles (rate-limits) suspicious traffic patterns, providing an extra layer of defense. |
| Web Security Headers 🪖 | Hardens your site against common browser-based attacks like clickjacking. | We automatically add best-practice security headers (like HSTS and X-Frame-Options) to every response from your website. |
| Automatic SSL Certificates 🔒 | Your site is secured with HTTPS, building visitor trust. | We automatically provision and renew a free, trusted SSL certificate for your custom domain. No configuration is needed. |
| Global Edge Network 🌍 | A fast and reliable experience for your visitors, wherever they are. | Your security checks and content are served from a data center near your visitor, ensuring minimal latency. |
| Basic Traffic Analytics 📊 | Understand your site’s traffic patterns at a glance. | A simple dashboard shows you the volume of requests your site receives, helping you monitor for traffic spikes and trends. |