Change default from Dynamic GET and POST to just POST requests with XMLHttpRequest object the reason being is to avoid unwanted conflicts with caches on proxy servers / services (Cloudflare proxy being a prime culprit of this).
Add feature to automatically get the connecting Clients IP Address without needing to manually set it in the config, I decided to make this for compatibility with every service connecting to your server. It can now work with Cloudflare, Proxies, Tor Direct connections etc simultaneously.
Fix output for remote_addr on Authentication page in HTML, If you change the variable `local remote_addr =` in your settings / setup / config at the start of the script the output on the auth page where it should say `IP Address` would be what you set the `remote_addr` as so to fix it and ensure it stays as an IP Address not User-Agent etc I manualy set it back with logical operators.
Fix for Javascript refreshing the page before the browser has a chance to set the cookies in response.
Fix to stop Firefox browsers message "firefox prevented this page from automatically reloading"
Remove un-used junk code.
Remove junk javascript code.
Change the timer text element to inform the user to refresh their page incase their browser blocks it. (Firefox is a prime culprit of this "firefox prevented this page from automatically reloading")
correctly use vars expected_header_status and authentication_page_status_output
simplify and faster exit in case of ajax request
default authentication_page_status_output status to 503 otherwise google and other crawlers index this page
Add feature to allow disabling of my credits as much as credit to be recieved is nice i do understand and realise people do not want to display them on their sites hence why i made it a feature to allow you to remove them easily and swiftly. :)
Add Enable/disable script this feature allows you to turn on or off this script so you can leave this file in your nginx configuration permamently.
This way you don't have to remove `access_by_lua_file anti_ddos_challenge.lua;` to stop protecting your websites :) you can set up your nginx config and use this feature to enable or disable protection.
Remove un-needed Javascript from my development stages where i planned Javascript based header response checks all not needed.
Change Javascript page refresh method from `window.location.reload();` to `location.reload(true);` as the Mozilla docs tell us we should be reloading pages this way. https://developer.mozilla.org/en-US/docs/Web/API/Location/reload
Fix Nginx Lua Bug with ngx.header["Set-Cookie"] function for some reason it only allows one instance of this header to be defined in a script. So to fix the issue I define the header once and only once in the entire script right at the end and set a variable that can be dynamic in setting multiple cookies.
Add cors headers and include XMLHTTPREQUEST with credentials tag and remove domain tag from set-cookie to fix issue with Google Chrome. Still broken in Microsoft Edge !?
Added Feature built in my method to encrypt and obfuscate Javascript outputs. (I am very proud of this!)
Bug fix: incase certain browsers lack in permissions to set cookies with javascript on the initital header request we will give them their cookie they still need javascript enabled to solve the authentication puzzle that will always be mandatory!
Added X-Requested-* headers for the next feature i am building in
Move current time variable out of configuration area.
Create currentdate variable to stop calling os.date() and os.time() multiple un-needed times.
Fix bug now the auth page only shows when the expire_time config value is set and around the time before if you had set a time greater than one day every 24 hours you would recieve the auth page even if your cookies are valid this expire_time checks solves that problem.
Add new security feature to make the cookies we set encrypted, unpredictable, dynamic and unique to each user/client to increase our security from content scrappers bots leechers etc. Where as before they could monitor static cookie names this prevents that.
Add new security feature to make the header we sent our Javascript answer from the browser over unpredictable and dynamic to increase our security from content scrappers bots leechers etc.
Remove Search Engines from the Browsers Javascript Checking (This will allow search engines to crawl still like Google because they can execute Javascript)
Fix expire_time description to show correct default time of 1 day.
Fix cookie bug when Javascript was setting a cookie it was setting a cookie of 'now' instead of the set config of expire_time into the future when the cookie should expire.
Added the challenge cookie to the headers set by grant_access function to update the cookie set by Javascript since the time stamp on the cookie would be out of sync with the other cookies otherwise this was all cookies will be updated and set/kept with the same time stamps.
