I don't know what have I done but I'd say I get blocked by cloudflare a few visits per week. It's not a huge deal but it's very annoying

It's usually explained as site owner sets stringent security settings.

This tool does block JavaScript-disabled browsers though. There's a comment here that complained about the pain Anubis causes with cookie-less browsers, but they got downvoted.

There's also "checkpoint" [1] which works without Javascript. As far as I can tell they cover the same use case with a very similar user experience.

[1]: https://github.com/vaxerski/checkpoint

That's great, but noscript tag is used for a long time to abuse noscript users in various ways, so it makes sense to hide it.

how can it work without javascript. I have skimmed through the readme and it says cryptographic challenge.

How can anyone provide a cryptographic challenge without javascript feels like black magic.

Can you please explain to me how it works without javascript?

It just gives a perl script to run HashCash. https://github.com/vaxerski/checkpoint/blob/main/html/explai...

Javascript might be better to run in scratchpad.

I have plans involving IP reputation and a few other behaviors I've noticed. The main problem is that all my ideas involve cookies.

IP reputation will be subject to very high false negative rates because some unscrupulous bots have taken to laundering their traffic through residential proxy companies. There are alternatives to cookies like Etags, but they have their own issues.