JavaScript integration for Cloak4U
The JavaScript integration is the fastest way to add Cloak4U’s invalid-traffic detection: a single async script tag. It needs no server changes, works on static sites and site builders, fails open to your normal page, and respects privacy by using only minimal signals. This guide covers the snippet, where to place it, how it behaves, and how to test it.
cloak4u-javascript-integration.pngHow the JavaScript integration works
When a visitor loads your page, the async script fetches and runs without blocking your content. It gathers a few non-sensitive signals available in the browser, asks Cloak4U for a decision, and acts only when the service returns an explicit block or challenge. Valid visitors see nothing — the page loads exactly as it always has. Because the tag is async and the logic fails open, a slow or blocked script never breaks your site.
Before you start
- A Cloak4U campaign and its token from the dashboard.
- Access to your page template or site builder’s custom-code area.
- The ability to edit the head or footer of your landing page.
Replace YOUR_APP_DOMAIN with your Cloak4U app domain and demo_tok_XXXXXXXX with your campaign token. The token in the script URL is a public site token used to load the client — treat it as public, and keep any private server keys out of client code.
The script tag
Add this single tag to your page. It is a safe placeholder — swap in your real values.
<script src="https://YOUR_APP_DOMAIN/secure.js/demo_tok_XXXXXXXX" async></script>The async attribute lets the browser continue rendering while the script loads, so your content is never held up waiting for detection.
Where to place it
You can place the tag in either of two spots:
- Before
</head>: the script starts loading as early as possible, so the decision is available sooner. Best when you want detection to run before most of the page is interactive. - Before
</body>: the script loads after your main content, prioritizing perceived page speed. Best when render performance is your top priority.
Either placement works because the tag is async. On a site builder, paste it into the “custom code” or “header/footer scripts” area rather than editing raw HTML.
How it behaves
- Fails open: if the script is blocked, times out, or errors, the visitor continues to your normal page. Detection never takes your site down.
- Non-blocking: the async tag does not delay rendering of your content.
- Acts only on a decision: valid visitors are untouched; only visits the service classifies as invalid are blocked or challenged.
- Same destination for everyone: all valid visitors reach the same approved page.
Privacy and data
The client is built to respect privacy. It works from minimal, non-sensitive signals to score traffic quality and deliberately avoids sensitive data:
- It does not read passwords, form field contents, or uploaded files.
- It does not harvest cookies or session storage to identify individuals.
- IPs are masked or hashed in the dashboard UI, and retention is configurable.
For the full details of what is and is not collected, see the privacy policy.
Testing your integration
- Normal visit: load your page and confirm it renders normally with the script present in the page source.
- Network check: in your browser dev tools, confirm the script requests
secure.jsfrom your app domain and that a failure does not break the page. - Block path: use a test decision URL or preview token from the dashboard to simulate a block and confirm the blocked experience appears.
- Logs: verify visits appear in your Cloak4U click log with a decision, reason code, and risk score.
Limitations and risks
Client-side detection is the easiest to deploy but runs in the browser, so a determined bot can ignore JavaScript more easily than it can bypass a server-side check. It also cannot act before the page begins loading. For stronger enforcement, combine it with the PHP integration or WordPress integration. As with any method, detection is probabilistic: Cloak4U does not guarantee that every bot is caught or that no legitimate visitor is ever challenged. Review your logs and tune sensitivity over time.
Conclusion
The JavaScript integration is the quickest path to filtering invalid traffic: one async tag that fails open, avoids sensitive data, and keeps your page fast. Add it before your head or body close, test the normal and block paths, then watch your reports. When you need server-side enforcement too, layer on the PHP or WordPress integration.