A simple client-side answer checker for puzzlehunts. Of course, requires JavaScript. As is typical, considers every answer as a string of letters A–Z by changing lowercase letters to uppercase and stripping any other characters. Built on Richard Moore’s scrypt-js, an implementation of Colin Percival’s scrypt.


To create an answer checker, enter your answer below and click Generate URL:

Correct answer:

What this answer checker is for (optional):

The Fine Print

This answer checker sort of tries to be cryptographically reasonable, but errs towards staying fast and not break, because this shouldn’t be a high-security setting. Also no settings (see e.g. this Beeminder essay, although URLs are versioned so we can keep things backwards-compatible). If you do have a use case for a client-side answer checker that requires stronger cryptographic guarantees, or (e.g.) a different policy for canonicalizing answers, let me know and I will consider it. Or just take this code and change it. There’s really not that much.

The label is used in the hash in order to somewhat discourage a “meddler-in-the-middle” attack of the following form: You publish a puzzle using an answer checker URL, labeled to indicate your authorship and perhaps that the puzzle comes from a competitive setting. An adversary who can’t solve your puzzle modifies your puzzle and the answer checker URL to remove your label and then republishes the modified puzzle and checker under their own name. Or, in the competitive setting, they can send the modified puzzle and checker URL to an innocent solver who is unaware of the puzzle’s original context and trick them into solving it for the adversary. Including the label in the hash prevents these attacks, at the cost of making relabeling URLs harder for legitimate purposes. However, even with the label used in the hash, the adversary can rehost this checker or create a checker that proxies answer checks to it in a way that embeds the label used in the hash but doesn’t surface it to the solver. Or they can just withhold the answer checker from the solver altogether and manually proxy any answers the solver wishes to check.

Does any of this matter? Probably not, but occupational hazard. You still probably shouldn’t use this checker in any setting with actual stakes where competitive integrity is actually important. I mean, you can use this anywhere you think it fits, but don’t sue me if somebody breaks the checker because I missed a different protocol break, or set the scrypt parameters incorrectly, or anything else. Let me copy in the liability incantation from the Blue Oak Model License: As far as the law allows, this software comes as is, without any warranty or condition, and no contributor will be liable to anyone for any damages related to this software or this license, under any kind of legal claim.