diff --git a/lua/anti_ddos_challenge.lua b/lua/anti_ddos_challenge.lua index fee52dc..414324a 100644 --- a/lua/anti_ddos_challenge.lua +++ b/lua/anti_ddos_challenge.lua @@ -262,6 +262,17 @@ but if not I completely understand hence why I made it a option to remove them f ]] local credits = 1 --enabled by default +--[[ +Javascript variables generated by the script to be static in length or Dynamic setting this as dynamic is the best form of security + +1 = Static +2 = Dynamic +]] +local dynamic_javascript_vars_length = 2 --dynamic default +local dynamic_javascript_vars_length_static = 10 --how many chars in length should static be +local dynamic_javascript_vars_length_start = 1 --for dynamic randomize min value to max this is min value +local dynamic_javascript_vars_length_end = 10 --for dynamic randomize min value to max this is max value + --[[ End Configuration 
@@ -367,17 +378,36 @@ for i = 48, 57 do table.insert(charset, string.char(i)) end --0-9 numeric --for i = 65, 90 do table.insert(charset, string.char(i)) end --A-Z uppercase --for i = 97, 122 do table.insert(charset, string.char(i)) end --a-z lowercase table.insert(charset, string.char(95)) --insert number 95 underscore +local stringrandom_table = {} --create table to store our generated vars to avoid duplicates local function stringrandom(length) --math.randomseed(os.time()) if length > 0 then - --return "a" - return stringrandom(length - 1) .. charset[math.random(1, #charset)] + local output = stringrandom(length - 1) .. charset[math.random(1, #charset)] + local duplicate_found = 0 --mark if we find a duplicate or not + for _, value in next, stringrandom_table do --for each value in our generated var table + if value == output then --if a value in our table matches our generated var + duplicate_found = 1 --mark as duplicate var + output = "_" .. output --append an underscore to the duplicate var + table.insert(stringrandom_table , output) --insert to the table + end + end + if duplicate_found == 0 then --if no duplicate found + table.insert(stringrandom_table , output) --insert the output to our table + end + return output else return "" end end --stringrandom(10) +local stringrandom_length = "" --create our random length variable +if dynamic_javascript_vars_length == 1 then --if our javascript random var length is to be static + stringrandom_length = dynamic_javascript_vars_length_static --set our length as our static value +else --it is to be dynamic + stringrandom_length = math.random(dynamic_javascript_vars_length_start, dynamic_javascript_vars_length_end) --set our length to be our dynamic min and max value +end + --shuffle table function function shuffle(tbl) for i = #tbl, 2, -1 do 
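Review bot: The duplicate check in `stringrandom` inserts into `stringrandom_table` while iterating it with `next`, which the Lua manual leaves undefined for keys added during a traversal, and it never re-checks the renamed `"_" .. output` against the table, so a second collision still hands back a name that is already in use. Because the function is recursive, every shorter prefix produced on the way to the final name is also recorded, so the table grows by one entry per character rather than per name and each call scans all of it linearly. A non-recursive build plus a set keyed by name keeps the same interface and the same prefix-`_`-on-collision behaviour, as below. `stringrandom_length` is also drawn once here, and with `dynamic_javascript_vars_length_start = 1` and the charset reduced to `0-9` plus `_` (the A-Z and a-z lines above are commented out) a length of 1 leaves only 11 distinct names, so most generated names would take the collision path; raising the minimum (4 or more) avoids that. The `shuffle` function at the end continues outside the hunk.
```lua
local stringrandom_table = {} --set of names already handed out (name -> true) so the lookup is O(1)
local function stringrandom(length)
	if length <= 0 then
		return ""
	end
	local buf = {}
	for i = 1, length do --build the name without recursion so only the final name is recorded
		buf[i] = charset[math.random(1, #charset)]
	end
	local output = table.concat(buf)
	while stringrandom_table[output] do --keep prefixing "_" until the name is unused
		output = "_" .. output
	end
	stringrandom_table[output] = true
	return output
end
-- … unchanged: stringrandom_length selection …
```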
@@ -516,7 +546,7 @@ local function encrypt_javascript(string1, type, defer_async, num_encrypt, encry local chunks_order = {} --create our chunks table for string storage that stores the value only while i <= l do - local random_var = stringrandom(10) --create a random variable name to use + local random_var = stringrandom(stringrandom_length) --create a random variable name to use --table.insert(chunks_order, "decodeURIComponent(escape(window.atob(_" .. random_var .. ")))") table.insert(chunks_order, "_" .. random_var .. "") --insert the value into our ordered table table.insert(chunks, 'var _' .. random_var .. '="' .. base64_javascript:sub(i,i+r).. '";') --insert our value into our table we will scramble @@ -678,7 +708,7 @@ local function grant_access() --if x-auth-answer is correct to the user unique id time stamps etc meaning browser figured it out then set a new cookie that grants access without needed these checks local req_headers = ngx.req.get_headers() --get all request headers if req_headers["x-requested-with"] == "XMLHttpRequest" then --if request header matches request type of XMLHttpRequest - if req_headers[x_tor_header_name] == x_tor_header_name_value then --if the header and value are what we expect then the client is legitimate + if req_headers[x_tor_header_name] == x_tor_header_name_value and req_headers[x_auth_header_name] == JavascriptPuzzleVars_answer then --if the header and value are what we expect then the client is legitimate remote_addr = tor_remote_addr --set as our defined static tor variable to use challenge = calculate_signature(remote_addr .. challenge_original .. currentdate) --create our encrypted unique identification for the user visiting the website again. (Stops a double page refresh loop) @@ -792,7 +822,7 @@ if javascript_REQUEST_TYPE == "POST" then end -local JavascriptPuzzleVariable_name = "_" .. stringrandom(10) +local JavascriptPuzzleVariable_name = "_" .. stringrandom(stringrandom_length) --[[ Begin Tor Browser Checks
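Review bot: `stringrandom_length` is computed once at script level (hunk at 378), so every `random_var` produced by this loop, and the name assigned in the hunk at 822, has the same length within a run; the per-name variation that the `dynamic_javascript_vars_length` option describes only happens if the draw is made at the call. One way is to replace the script-level value with a function, e.g. `local function stringrandom_length() if dynamic_javascript_vars_length == 1 then return dynamic_javascript_vars_length_static end return math.random(dynamic_javascript_vars_length_start, dynamic_javascript_vars_length_end) end`, and call `stringrandom(stringrandom_length())` here and at 822. Whether the script-level code runs per request or once per worker is not visible here; if it is once per worker, the chosen length would also repeat across requests. `encrypt_javascript`'s body starts and ends outside the hunk.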
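Review bot: The added condition compares `req_headers[x_auth_header_name]` against `JavascriptPuzzleVars_answer`, but `grant_access` is defined around line 708 while the puzzle variables appear to be set up later in the file (`JavascriptPuzzleVariable_name` is assigned at line 822 in this same diff); if `JavascriptPuzzleVars_answer` is a `local` declared after this function, the reference here resolves to an undefined global, the comparison is always false, and the Tor path can never be granted access. That fails closed rather than open, but it should be confirmed that the answer is a global or is declared before `grant_access`. The comment on the changed line still says "the header and value", so it is worth updating to state that both values are required, e.g. `--the tor marker header and the x-auth answer must both match before the client is treated as legitimate`. Note that `ngx.req.get_headers()` returns a table for a header sent more than once, which the `==` comparison rejects, which is the safe outcome. `grant_access` continues outside the hunk.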