docs: document how to import the default config

Signed-off-by: Xe Iaso <me@xeiaso.net>

.github/actions/spelling/allow.txt

@@ -10,4 +10,3 @@ ABee
 tencent
 maintnotifications
 azurediamond
-cooldown

.github/dependabot.yml

@@ -8,8 +8,6 @@ updates:
       github-actions:
         patterns:
           - "*"
-    cooldown:
-      default-days: 7
 
   - package-ecosystem: gomod
     directory: /
@@ -19,8 +17,6 @@ updates:
       gomod:
         patterns:
           - "*"
-    cooldown:
-      default-days: 7
 
   - package-ecosystem: npm
     directory: /
@@ -30,5 +26,3 @@ updates:
       npm:
         patterns:
           - "*"
-    cooldown:
-      default-days: 7

data/botPolicies.yaml

@@ -50,7 +50,8 @@ bots:
   #   user_agent_regex: (?i:bot|crawler)
   #   action: CHALLENGE
   #   challenge:
-  #     difficulty: 16 # impossible
+  #     difficulty: 16  # impossible
+  #     report_as: 4    # lie to the operator
   #     algorithm: slow # intentionally waste CPU cycles and time
 
   # Requires a subscription to Thoth to use, see
@@ -248,6 +249,7 @@ thresholds:
       # https://anubis.techaro.lol/docs/admin/configuration/challenges/metarefresh
       algorithm: metarefresh
       difficulty: 1
+      report_as: 1
   # For clients that are browser-like but have either gained points from custom rules or
   # report as a standard browser.
   - name: moderate-suspicion
@@ -260,6 +262,7 @@ thresholds:
       # https://anubis.techaro.lol/docs/admin/configuration/challenges/proof-of-work
       algorithm: fast
       difficulty: 2 # two leading zeros, very fast for most clients
+      report_as: 2
   - name: mild-proof-of-work
     expression:
       all:
@@ -270,6 +273,7 @@ thresholds:
       # https://anubis.techaro.lol/docs/admin/configuration/challenges/proof-of-work
       algorithm: fast
       difficulty: 4
+      report_as: 4
   # For clients that are browser like and have gained many points from custom rules
   - name: extreme-suspicion
     expression: weight >= 30
@@ -278,3 +282,4 @@ thresholds:
       # https://anubis.techaro.lol/docs/admin/configuration/challenges/proof-of-work
       algorithm: fast
       difficulty: 6
+      report_as: 6

data/common/acts-like-browser.yaml

@@ -0,0 +1,55 @@
+# Assert behaviour that only genuine browsers display. This ensures that modern Chrome
+# or Firefox versions will get through without a challenge.
+#
+# These rules have been known to be bypassed by some of the worst automated scrapers.
+# Use at your own risk.
+
+- name: realistic-browser-catchall
+  expression:
+    all:
+      - '"User-Agent" in headers'
+      - '( userAgent.contains("Firefox") ) || ( userAgent.contains("Chrome") ) || ( userAgent.contains("Safari") )'
+      - '"Accept" in headers'
+      - '"Sec-Fetch-Dest" in headers'
+      - '"Sec-Fetch-Mode" in headers'
+      - '"Sec-Fetch-Site" in headers'
+      - '"Accept-Encoding" in headers'
+      - '( headers["Accept-Encoding"].contains("zstd") || headers["Accept-Encoding"].contains("br") )'
+      - '"Accept-Language" in headers'
+  action: WEIGH
+  weight:
+    adjust: -10
+
+# The Upgrade-Insecure-Requests header is typically sent by browsers, but not always
+- name: upgrade-insecure-requests
+  expression: '"Upgrade-Insecure-Requests" in headers'
+  action: WEIGH
+  weight:
+    adjust: -2
+
+# Chrome should behave like Chrome
+- name: chrome-is-proper
+  expression:
+    all:
+      - userAgent.contains("Chrome")
+      - '"Sec-Ch-Ua" in headers'
+      - 'headers["Sec-Ch-Ua"].contains("Chromium")'
+      - '"Sec-Ch-Ua-Mobile" in headers'
+      - '"Sec-Ch-Ua-Platform" in headers'
+  action: WEIGH
+  weight:
+    adjust: -5
+
+- name: should-have-accept
+  expression: '!("Accept" in headers)'
+  action: WEIGH
+  weight:
+    adjust: 5
+
+# Generic catchall rule
+- name: generic-browser
+  user_agent_regex: >-
+    Mozilla|Opera
+  action: WEIGH
+  weight:
+    adjust: 10

data/meta/default-config.yaml

@@ -35,6 +35,7 @@
 #   action: CHALLENGE
 #   challenge:
 #     difficulty: 16  # impossible
+#     report_as: 4    # lie to the operator
 #     algorithm: slow # intentionally waste CPU cycles and time
 
 # Requires a subscription to Thoth to use, see

docs/docs/CHANGELOG.md

@@ -23,43 +23,6 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Add support to simple Valkey/Redis cluster mode
 - Open Graph passthrough now reuses the configured target Host/SNI/TLS settings, so metadata fetches succeed when the upstream certificate differs from the public domain. ([1283](https://github.com/TecharoHQ/anubis/pull/1283))
 - Stabilize the CVE-2025-24369 regression test by always submitting an invalid proof instead of relying on random POW failures.
-- Add Polish locale ([#1292](https://github.com/TecharoHQ/anubis/pull/1309))
-
-### Deprecate `report_as` in challenge configuration
-
-Previously Anubis let you lie to users about the difficulty of a challenge to interfere with operators of malicious scrapers as a psychological attack:
-
-```yaml
-bots:
-  # Punish any bot with "bot" in the user-agent string
-  # This is known to have a high false-positive rate, use at your own risk
-  - name: generic-bot-catchall
-    user_agent_regex: (?i:bot|crawler)
-    action: CHALLENGE
-    challenge:
-      difficulty: 16 # impossible
-      report_as: 4 # lie to the operator
-      algorithm: slow # intentionally waste CPU cycles and time
-```
-
-This has turned out to be a bad idea because it has caused massive user experience problems and has been removed. If you are using this setting, you will get a warning in your logs like this:
-
-```json
-{
-  "time": "2025-11-25T23:10:31.092201549-05:00",
-  "level": "WARN",
-  "source": {
-    "function": "github.com/TecharoHQ/anubis/lib/policy.ParseConfig",
-    "file": "/home/xe/code/TecharoHQ/anubis/lib/policy/policy.go",
-    "line": 201
-  },
-  "msg": "use of deprecated report_as setting detected, please remove this from your policy file when possible",
-  "at": "config-validate",
-  "name": "mild-suspicion"
-}
-```
-
-To remove this warning, remove this setting from your policy file.
 
 ### Logging customization
 

docs/docs/admin/configuration/challenges/metarefresh.mdx

@@ -12,6 +12,7 @@ To use it in your Anubis configuration:
   action: CHALLENGE
   challenge:
     difficulty: 1 # Number of seconds to wait before refreshing the page
+    report_as: 4 # Unused by this challenge method
     algorithm: metarefresh # Specify a non-JS challenge method
 ```
 

docs/docs/admin/configuration/challenges/preact.mdx

@@ -12,6 +12,7 @@ To use it in your Anubis configuration:
   action: CHALLENGE
   challenge:
     difficulty: 1 # Number of seconds to wait before refreshing the page
+    report_as: 4 # Unused by this challenge method
     algorithm: preact
 ```
 

docs/docs/admin/configuration/import.mdx

@@ -13,6 +13,8 @@ bots:
   - # This correlates to data/bots/ai-catchall.yaml in the source tree
     import: (data)/bots/ai-catchall.yaml
   - import: (data)/bots/cloudflare-workers.yaml
+  # Import all the rules in the default configuration
+  - import: (data)/meta/default-config.yaml
 ```
 
 Of note, a bot rule can either have inline bot configuration or import a bot config snippet. You cannot do both in a single bot rule.
@@ -35,6 +37,33 @@ config.BotOrImport: rule definition is invalid, you must set either bot rules or
 
 Paths can either be prefixed with `(data)` to import from the [the data folder in the Anubis source tree](https://github.com/TecharoHQ/anubis/tree/main/data) or anywhere on the filesystem. If you don't have access to the Anubis source tree, check /usr/share/docs/anubis/data or in the tarball you extracted Anubis from.
 
+## Importing the default configuration
+
+If you want to base your configuration off of the default configuration, import `(data)/meta/default-config.yaml`:
+
+```yaml
+bots:
+  - import: (data)/meta/default-config.yaml
+  # Write your rules here
+```
+
+This will keep your configuration up to date as Anubis adapts to emerging threats.
+
+## How do I exempt most modern browsers from Anubis challenges?
+
+If you want to exempt most modern browsers from Anubis challenges, import `(data)/common/acts-like-browser.yaml`:
+
+```yaml
+bots:
+  - import: (data)/meta/default-config.yaml
+  - import: (data)/common/acts-like-browser.yaml
+  # Write your rules here
+```
+
+These rules will allow traffic that "looks like" it's from a modern copy of Edge, Safari, Chrome, or Firefox. These rules used to be enabled by default, however user reports have suggested that AI scraper bots have adapted to conform to these rules to scrape without regard for the infrastructure they are attacking.
+
+Use these rules at your own risk.
+
 ## Importing from imports
 
 You can also import from an imported file in case you want to import an entire folder of rules at once.

docs/docs/admin/configuration/thresholds.mdx

@@ -41,6 +41,7 @@ thresholds:
     challenge:
       algorithm: metarefresh
       difficulty: 1
+      report_as: 1
 
   - name: moderate-suspicion
     expression:
@@ -51,6 +52,7 @@ thresholds:
     challenge:
       algorithm: fast
       difficulty: 2
+      report_as: 2
 
   - name: extreme-suspicion
     expression: weight >= 20
@@ -58,6 +60,7 @@ thresholds:
     challenge:
       algorithm: fast
       difficulty: 4
+      report_as: 4
 ```
 
 This defines a suite of 4 thresholds:
@@ -127,6 +130,7 @@ action: CHALLENGE
 challenge:
   algorithm: metarefresh
   difficulty: 1
+  report_as: 1
 ```
 
     </td>

docs/docs/admin/policies.mdx

@@ -84,6 +84,7 @@ This rule has been known to have a high false positive rate in testing. Please u
   action: CHALLENGE
   challenge:
     difficulty: 16 # impossible
+    report_as: 4 # lie to the operator
     algorithm: slow # intentionally waste CPU cycles and time
 ```
 
@@ -92,6 +93,7 @@ Challenges can be configured with these settings:
 | Key          | Example  | Description                                                                                                                                                      |
 | :----------- | :------- | :--------------------------------------------------------------------------------------------------------------------------------------------------------------- |
 | `difficulty` | `4`      | The challenge difficulty (number of leading zeros) for proof-of-work. See [Why does Anubis use Proof-of-Work?](/docs/design/why-proof-of-work) for more details. |
+| `report_as`  | `4`      | What difficulty the UI should report to the user. Useful for messing with industrial-scale scraping efforts.                                                     |
 | `algorithm`  | `"fast"` | The challenge method to use. See [the list of challenge methods](./configuration/challenges/) for more information.                                              |
 
 ### Remote IP based filtering

docs/manifest/cfg/anubis/botPolicies.yaml

@@ -49,6 +49,7 @@ bots:
   #   action: CHALLENGE
   #   challenge:
   #     difficulty: 16  # impossible
+  #     report_as: 4    # lie to the operator
   #     algorithm: slow # intentionally waste CPU cycles and time
 
   - name: rss-feed-blog
@@ -104,6 +105,7 @@ thresholds:
       # https://anubis.techaro.lol/docs/admin/configuration/challenges/metarefresh
       algorithm: metarefresh
       difficulty: 1
+      report_as: 1
   # For clients that are browser-like but have either gained points from custom rules or
   # report as a standard browser.
   - name: moderate-suspicion
@@ -120,6 +122,7 @@ thresholds:
       # challenge data, and forwards that to the client.
       algorithm: preact
       difficulty: 1
+      report_as: 1
   - name: mild-proof-of-work
     expression:
       all:
@@ -130,6 +133,7 @@ thresholds:
       # https://anubis.techaro.lol/docs/admin/configuration/challenges/proof-of-work
       algorithm: fast
       difficulty: 2 # two leading zeros, very fast for most clients
+      report_as: 2
   # For clients that are browser like and have gained many points from custom rules
   - name: extreme-suspicion
     expression: weight >= 30
@@ -138,6 +142,7 @@ thresholds:
       # https://anubis.techaro.lol/docs/admin/configuration/challenges/proof-of-work
       algorithm: fast
       difficulty: 4
+      report_as: 4
 
 dnsbl: false
 

lib/anubis.go

@@ -167,8 +167,8 @@ func (s *Server) hydrateChallengeRule(rule *policy.Bot, chall *challenge.Challen
 	if rule.Challenge.Difficulty == 0 {
 		rule.Challenge.Difficulty = chall.Difficulty
 	}
-	if rule.Challenge.ReportAs != 0 {
-		s.logger.Warn("[DEPRECATION] the report_as field in this bot rule is deprecated, see https://github.com/TecharoHQ/anubis/issues/1310 for more information", "bot_name", rule.Name, "difficulty", rule.Challenge.Difficulty, "report_as", rule.Challenge.ReportAs)
+	if rule.Challenge.ReportAs == 0 {
+		rule.Challenge.ReportAs = chall.Difficulty
 	}
 	if rule.Challenge.Algorithm == "" {
 		rule.Challenge.Algorithm = chall.Method
@@ -648,6 +648,7 @@ func (s *Server) check(r *http.Request, lg *slog.Logger) (policy.CheckResult, *p
 	return cr("default/allow", config.RuleAllow, weight), &policy.Bot{
 		Challenge: &config.ChallengeRules{
 			Difficulty: s.policy.DefaultDifficulty,
+			ReportAs:   s.policy.DefaultDifficulty,
 			Algorithm:  config.DefaultAlgorithm,
 		},
 		Rules: &checker.List{},

lib/anubis_test.go

@@ -464,6 +464,10 @@ func TestCheckDefaultDifficultyMatchesPolicy(t *testing.T) {
 			if bot.Challenge.Difficulty != i {
 				t.Errorf("Challenge.Difficulty is wrong, wanted %d, got: %d", i, bot.Challenge.Difficulty)
 			}
+
+			if bot.Challenge.ReportAs != i {
+				t.Errorf("Challenge.ReportAs is wrong, wanted %d, got: %d", i, bot.Challenge.ReportAs)
+			}
 		})
 	}
 }

lib/challenge/proofofwork/proofofwork_test.go

@@ -36,6 +36,7 @@ func TestBasic(t *testing.T) {
 		Challenge: &config.ChallengeRules{
 			Algorithm:  "fast",
 			Difficulty: 0,
+			ReportAs:   0,
 		},
 	}
 	const challengeStr = "hunter"

lib/config/config_test.go

@@ -110,6 +110,7 @@ func TestBotValid(t *testing.T) {
 				PathRegex: p("Mozilla"),
 				Challenge: &ChallengeRules{
 					Difficulty: -1,
+					ReportAs:   4,
 					Algorithm:  "fast",
 				},
 			},
@@ -123,6 +124,7 @@ func TestBotValid(t *testing.T) {
 				PathRegex: p("Mozilla"),
 				Challenge: &ChallengeRules{
 					Difficulty: 420,
+					ReportAs:   4,
 					Algorithm:  "fast",
 				},
 			},
@@ -359,6 +361,7 @@ func TestBotConfigZero(t *testing.T) {
 
 	b.Challenge = &ChallengeRules{
 		Difficulty: 4,
+		ReportAs:   4,
 		Algorithm:  DefaultAlgorithm,
 	}
 	if b.Zero() {

lib/config/testdata/good/thresholds.yaml

@@ -18,6 +18,7 @@ thresholds:
     challenge:
       algorithm: metarefresh
       difficulty: 1
+      report_as: 1
   - name: moderate-suspicion
     expression:
       all:
@@ -27,9 +28,11 @@ thresholds:
     challenge:
       algorithm: fast
       difficulty: 2
+      report_as: 2
   - name: extreme-suspicion
     expression: weight >= 20
     action: CHALLENGE
     challenge:
       algorithm: fast
       difficulty: 4
+      report_as: 4

lib/config/threshold.go

@@ -24,6 +24,7 @@ var (
 			Challenge: &ChallengeRules{
 				Algorithm:  "fast",
 				Difficulty: anubis.DefaultDifficulty,
+				ReportAs:   anubis.DefaultDifficulty,
 			},
 		},
 	}

lib/config/threshold_test.go

@@ -32,6 +32,7 @@ func TestThresholdValid(t *testing.T) {
 				Challenge: &ChallengeRules{
 					Algorithm:  "fast",
 					Difficulty: 1,
+					ReportAs:   1,
 				},
 			},
 			err: nil,

lib/localization/locales/manifest.json

@@ -15,7 +15,6 @@
     "nb",
     "nl",
     "nn",
-    "pl",
     "pt-BR",
     "ru",
     "tr",

lib/localization/locales/pl.json

@@ -1,66 +0,0 @@
-{
-    "loading": "Ładowanie...",
-    "why_am_i_seeing": "Dlaczego to widzę?",
-    "protected_by": "Chronione przez",
-    "protected_from": "Przed",
-    "made_with": "Stworzone z ❤️ w 🇨🇦",
-    "mascot_design": "Projekt maskotki:",
-    "ai_companies_explanation": "Widzisz to, ponieważ administrator tej strony skonfigurował Anubisa, aby chronić serwer przed masowym skanowaniem treści przez firmy tworzące AI. Powoduje to obciążenie i przestoje, przez co zasoby strony stają się niedostępne dla wszystkich.",
-    "anubis_compromise": "Anubis jest kompromisem. Używa mechanizmu Proof-of-Work w stylu Hashcash — proponowanego systemu ograniczania spamu e-mail. Pomysł polega na tym, że dla indywidualnych użytkowników dodatkowe obciążenie jest niezauważalne, ale w skali masowego skanowania koszt szybko rośnie.",
-    "hack_purpose": "Docelowo jest to rozwiązanie tymczasowe, aby zyskać czas na ulepszenie metod identyfikacji przeglądarek bez interfejsu graficznego (np. poprzez analizę renderowania czcionek), by w przyszłości nie musieć wyświetlać strony z zadaniem Proof-of-Work użytkownikom, którzy najprawdopodobniej są prawidłowi.",
-    "simplified_explanation": "To zabezpieczenie przed botami i złośliwymi żądaniami, podobne do CAPTCHA. Jednak zamiast wykonywać zadanie samodzielnie, przeglądarka otrzymuje obliczenie do wykonania, aby potwierdzić, że jest prawidłowym klientem. Ten mechanizm to <a href=\"https://en.wikipedia.org/wiki/Proof_of_work\">Proof of Work</a>. Zadanie trwa kilka sekund i uzyskujesz dostęp do strony. Dziękujemy za cierpliwość.",
-    "jshelter_note": "Uwaga: Anubis wymaga nowoczesnych funkcji JavaScript, które wtyczki typu JShelter mogą blokować. Wyłącz JShelter lub podobne dodatki dla tej domeny.",
-    "version_info": "Ta strona działa na Anubis w wersji",
-    "try_again": "Spróbuj ponownie",
-    "go_home": "Wróć na stronę główną",
-    "contact_webmaster": "lub jeśli uważasz, że nie powinieneś być blokowany, skontaktuj się z administratorem pod adresem",
-    "connection_security": "Poczekaj chwilę, sprawdzamy bezpieczeństwo Twojego połączenia.",
-    "javascript_required": "Niestety, aby przejść tę próbę, musisz włączyć obsługę JavaScript. Jest to konieczne, ponieważ firmy zajmujące się sztuczną inteligencją zmieniły umowę społeczną dotyczącą funkcjonowania hostingu stron internetowych. Rozwiązanie bez obsługi JavaScript jest w trakcie opracowywania.",
-    "benchmark_requires_js": "Uruchomienie narzędzia testowego wymaga włączonego JavaScript.",
-    "difficulty": "Trudność:",
-    "algorithm": "Algorytm:",
-    "compare": "Porównaj:",
-    "time": "Czas",
-    "iters": "Iteracje",
-    "time_a": "Czas A",
-    "iters_a": "Iteracje A",
-    "time_b": "Czas B",
-    "iters_b": "Iteracje B",
-    "static_check_endpoint": "To jedynie punkt kontrolny do użytku przez Twój reverse proxy.",
-    "authorization_required": "Wymagane uwierzytelnienie",
-    "cookies_disabled": "Twoja przeglądarka blokuje ciasteczka. Anubis wymaga ich, aby potwierdzić, że jesteś prawidłowym klientem. Włącz ciasteczka dla tej domeny.",
-    "access_denied": "Brak dostępu: kod błędu",
-    "dronebl_entry": "DroneBL zgłosił wpis",
-    "see_dronebl_lookup": "zobacz",
-    "internal_server_error": "Błąd wewnętrzny serwera: administrator błędnie skonfigurował Anubis. Skontaktuj się z administratorem i poproś o sprawdzenie logów",
-    "invalid_redirect": "Nieprawidłowe przekierowanie",
-    "redirect_not_parseable": "Nie można odczytać adresu przekierowania",
-    "redirect_domain_not_allowed": "Domena przekierowania niedozwolona",
-    "missing_required_forwarded_headers": "Brak wymaganych nagłówków X-Forwarded-*",
-    "failed_to_sign_jwt": "Nie udało się podpisać JWT",
-    "invalid_invocation": "Nieprawidłowe wywołanie MakeChallenge",
-    "client_error_browser": "Błąd klienta: upewnij się, że Twoja przeglądarka jest aktualna i spróbuj ponownie później.",
-    "oh_noes": "O nie!",
-    "benchmarking_anubis": "Testowanie wydajności Anubis!",
-    "you_are_not_a_bot": "Nie jesteś botem!",
-    "making_sure_not_bot": "Sprawdzamy, czy nie jesteś botem!",
-    "celphase": "CELPHASE",
-    "js_web_crypto_error": "Twoja przeglądarka nie obsługuje web.crypto. Czy korzystasz z bezpiecznego połączenia?",
-    "js_web_workers_error": "Twoja przeglądarka nie obsługuje web workers (Anubis ich używa, by nie zawieszać przeglądarki). Czy masz zainstalowaną wtyczkę typu JShelter?",
-    "js_cookies_error": "Twoja przeglądarka nie zapisuje ciasteczek. Anubis używa ich do przechowywania podpisanego tokenu potwierdzającego przejście zabezpieczenia. Włącz zapis ciasteczek dla tej domeny. Nazwy ciasteczek mogą zmieniać się bez zapowiedzi. Nazwy oraz zawartość ciasteczek nie są cześcią publicznego API.",
-    "js_context_not_secure": "Kontekst nie jest bezpieczny!",
-    "js_context_not_secure_msg": "Spróbuj połączyć się przez HTTPS lub poinformuj administratora, by skonfigurował HTTPS. Więcej informacji na <a href=\"https://developer.mozilla.org/en-US/docs/Web/Security/Secure_Contexts#when_is_a_context_considered_secure\">MDN</a>.",
-    "js_calculating": "Obliczanie...",
-    "js_missing_feature": "Brakująca funkcja",
-    "js_challenge_error": "Błąd wyzwania!",
-    "js_challenge_error_msg": "Nie udało się ustalić algorytmu sprawdzającego. Możesz spróbować odświeżyć stronę.",
-    "js_calculating_difficulty": "Obliczanie...<br/>Trudność:",
-    "js_speed": "Prędkość:",
-    "js_verification_longer": "Weryfikacja trwa dłużej niż zwykle. Proszę nie odświeżać strony.",
-    "js_success": "Sukces!",
-    "js_done_took": "Gotowe! Zajęło to",
-    "js_iterations": "iteracji",
-    "js_finished_reading": "Skończyłem czytać, kontynuuj →",
-    "js_calculation_error": "Błąd obliczeń!",
-    "js_calculation_error_msg": "Nie udało się obliczyć zadania:"
-}

lib/localization/localization_test.go

@@ -24,7 +24,6 @@ func TestLocalizationService(t *testing.T) {
 		"nb":    "Laster inn...",
 		"nl":    "Laden...",
 		"nn":    "Lastar inn...",
-		"pl":    "Ładowanie...",
 		"pt-BR": "Carregando...",
 		"tr":    "Yükleniyor...",
 		"ru":    "Загрузка...",

lib/policy/policy.go

@@ -66,29 +66,6 @@ func ParseConfig(ctx context.Context, fin io.Reader, fname string, defaultDiffic
 	result := newParsedConfig(c)
 	result.DefaultDifficulty = defaultDifficulty
 
-	if c.Logging.Level != nil {
-		logLevel = c.Logging.Level.String()
-	}
-
-	switch c.Logging.Sink {
-	case config.LogSinkStdio:
-		result.Logger = internal.InitSlog(logLevel, os.Stderr)
-	case config.LogSinkFile:
-		out := &logrotate.Logger{
-			Filename:           c.Logging.Parameters.Filename,
-			FilenameTimeFormat: time.RFC3339,
-			MaxBytes:           c.Logging.Parameters.MaxBytes,
-			MaxAge:             c.Logging.Parameters.MaxAge,
-			MaxBackups:         c.Logging.Parameters.MaxBackups,
-			LocalTime:          c.Logging.Parameters.UseLocalTime,
-			Compress:           c.Logging.Parameters.Compress,
-		}
-
-		result.Logger = internal.InitSlog(logLevel, out)
-	}
-
-	lg := result.Logger.With("at", "config-validate")
-
 	for _, b := range c.Bots {
 		if berr := b.Valid(); berr != nil {
 			validationErrs = append(validationErrs, berr)
@@ -149,7 +126,7 @@ func ParseConfig(ctx context.Context, fin io.Reader, fname string, defaultDiffic
 
 		if b.ASNs != nil {
 			if !hasThothClient {
-				lg.Warn("You have specified a Thoth specific check but you have no Thoth client configured. Please read https://anubis.techaro.lol/docs/admin/thoth for more information", "check", "asn", "settings", b.ASNs)
+				slog.Warn("You have specified a Thoth specific check but you have no Thoth client configured. Please read https://anubis.techaro.lol/docs/admin/thoth for more information", "check", "asn", "settings", b.ASNs)
 				continue
 			}
 
@@ -158,7 +135,7 @@ func ParseConfig(ctx context.Context, fin io.Reader, fname string, defaultDiffic
 
 		if b.GeoIP != nil {
 			if !hasThothClient {
-				lg.Warn("You have specified a Thoth specific check but you have no Thoth client configured. Please read https://anubis.techaro.lol/docs/admin/thoth for more information", "check", "geoip", "settings", b.GeoIP)
+				slog.Warn("You have specified a Thoth specific check but you have no Thoth client configured. Please read https://anubis.techaro.lol/docs/admin/thoth for more information", "check", "geoip", "settings", b.GeoIP)
 				continue
 			}
 
@@ -168,6 +145,7 @@ func ParseConfig(ctx context.Context, fin io.Reader, fname string, defaultDiffic
 		if b.Challenge == nil {
 			parsedBot.Challenge = &config.ChallengeRules{
 				Difficulty: defaultDifficulty,
+				ReportAs:   defaultDifficulty,
 				Algorithm:  "fast",
 			}
 		} else {
@@ -177,7 +155,7 @@ func ParseConfig(ctx context.Context, fin io.Reader, fname string, defaultDiffic
 			}
 
 			if parsedBot.Challenge.Algorithm == "slow" {
-				lg.Warn("use of deprecated algorithm \"slow\" detected, please update this to \"fast\" when possible", "name", parsedBot.Name)
+				slog.Warn("use of deprecated algorithm \"slow\" detected, please update this to \"fast\" when possible", "name", parsedBot.Name)
 			}
 		}
 
@@ -194,20 +172,17 @@ func ParseConfig(ctx context.Context, fin io.Reader, fname string, defaultDiffic
 
 	for _, t := range c.Thresholds {
 		if t.Challenge != nil && t.Challenge.Algorithm == "slow" {
-			lg.Warn("use of deprecated algorithm \"slow\" detected, please update this to \"fast\" when possible", "name", t.Name)
-		}
-
-		if t.Challenge != nil && t.Challenge.ReportAs != 0 {
-			lg.Warn("use of deprecated report_as setting detected, please remove this from your policy file when possible", "name", t.Name)
+			slog.Warn("use of deprecated algorithm \"slow\" detected, please update this to \"fast\" when possible", "name", t.Name)
 		}
 
 		if t.Name == "legacy-anubis-behaviour" && t.Expression.String() == "true" {
 			if !warnedAboutThresholds.Load() {
-				lg.Warn("configuration file does not contain thresholds, see docs for details on how to upgrade", "fname", fname, "docs_url", "https://anubis.techaro.lol/docs/admin/configuration/thresholds/")
+				slog.Warn("configuration file does not contain thresholds, see docs for details on how to upgrade", "fname", fname, "docs_url", "https://anubis.techaro.lol/docs/admin/configuration/thresholds/")
 				warnedAboutThresholds.Store(true)
 			}
 
 			t.Challenge.Difficulty = defaultDifficulty
+			t.Challenge.ReportAs = defaultDifficulty
 		}
 
 		threshold, err := ParsedThresholdFromConfig(t)
@@ -232,6 +207,27 @@ func ParseConfig(ctx context.Context, fin io.Reader, fname string, defaultDiffic
 		validationErrs = append(validationErrs, config.ErrUnknownStoreBackend)
 	}
 
+	if c.Logging.Level != nil {
+		logLevel = c.Logging.Level.String()
+	}
+
+	switch c.Logging.Sink {
+	case config.LogSinkStdio:
+		result.Logger = internal.InitSlog(logLevel, os.Stderr)
+	case config.LogSinkFile:
+		out := &logrotate.Logger{
+			Filename:           c.Logging.Parameters.Filename,
+			FilenameTimeFormat: time.RFC3339,
+			MaxBytes:           c.Logging.Parameters.MaxBytes,
+			MaxAge:             c.Logging.Parameters.MaxAge,
+			MaxBackups:         c.Logging.Parameters.MaxBackups,
+			LocalTime:          c.Logging.Parameters.UseLocalTime,
+			Compress:           c.Logging.Parameters.Compress,
+		}
+
+		result.Logger = internal.InitSlog(logLevel, out)
+	}
+
 	if len(validationErrs) > 0 {
 		return nil, fmt.Errorf("errors validating policy config JSON %s: %w", fname, errors.Join(validationErrs...))
 	}

lib/testdata/invalid-challenge-method.yaml

@@ -4,4 +4,5 @@ bots:
     action: CHALLENGE
     challenge:
       difficulty: 16
+      report_as: 4
       algorithm: hunter2 # invalid algorithm

lib/testdata/test_config.yaml

@@ -42,3 +42,4 @@ thresholds:
     challenge:
       algorithm: fast
       difficulty: 1
+      report_as: 1

lib/testdata/zero_difficulty.yaml

@@ -42,3 +42,4 @@ thresholds:
     challenge:
       algorithm: fast
       difficulty: 0
+      report_as: 0

test/palemoon/anubis/anubis.yaml

@@ -4,6 +4,7 @@ bots:
     action: CHALLENGE
     challenge:
       difficulty: 2
+      report_as: 2
       algorithm: fast
 
 status_codes:

web/js/main.ts

@@ -155,7 +155,7 @@ const t = (key) => translations[`js_${key}`] || translations[key] || key;
     return;
   }
 
-  status.innerHTML = `${t('calculating_difficulty')} ${rules.difficulty}, `;
+  status.innerHTML = `${t('calculating_difficulty')} ${rules.report_as}, `;
   progress.style.display = "inline-block";
 
   // the whole text, including "Speed:", as a single node, because some browsers
@@ -166,7 +166,7 @@ const t = (key) => translations[`js_${key}`] || translations[key] || key;
 
   let lastSpeedUpdate = 0;
   let showingApology = false;
-  const likelihood = Math.pow(16, -rules.difficulty);
+  const likelihood = Math.pow(16, -rules.report_as);
 
   try {
     const t0 = Date.now();