Every school IT administrator has the same job: keep students focused during class and off gaming sites the rest of the time. The tools they use to do this — network filters — are sophisticated, frequently updated, and widely deployed. So when students discover that LemonArcade works where everything else is blocked, the obvious question is: why?
The answer isn't a trick, a loophole, or any form of circumvention. It's the result of a series of deliberate technical decisions made at every layer of how the site was built. This article goes through each one in detail.
How school network filters actually work
Before explaining what LemonArcade does, it helps to understand what it's up against. Most school networks use one or more of the following filter systems:
- Squid — an open-source HTTP proxy widely used in educational institutions, especially in Europe. It intercepts all web traffic and can apply filtering rules at the URL, domain, and content-type level.
- E2Guardian (formerly DansGuardian) — a content filter that works alongside Squid. It can block pages based on domain categories, keyword analysis, MIME type, and even page content scoring.
- Fortinet / FortiGate — a commercial all-in-one security platform used heavily in American and British schools. Its web filtering module maintains its own categorised domain database, updated in near-real time.
- Cisco Umbrella (formerly OpenDNS) — a DNS-layer filter. Before your browser even makes an HTTP request, the DNS lookup gets intercepted and returned with a block page if the domain is categorised as gaming, entertainment, or another restricted category.
These systems block sites in three main ways: by domain category (is this site listed as a gaming site?), by technical signature (does this page load plugins or patterns associated with games?), and by bandwidth consumption (is this connection using too much data?). LemonArcade was designed to clear all three bars cleanly.
HTML5 exclusively — no plugins, no recognisable signatures
The first and most fundamental technical decision: every single game on LemonArcade runs in pure HTML5. No Flash. No Unity WebGL loader. No Java applets. No browser extensions required.
This matters for a specific reason. Network filters like E2Guardian and Fortinet have long maintained blocklists for plugin-based gaming technologies. Flash was the original target. Unity WebGL became the next wave. These technologies have distinct signatures — specific file extensions (.unity3d, .swf), specific MIME types, specific JavaScript patterns — that content filters can detect and block at the packet level without needing to categorise the domain at all.
HTML5 games don't have this signature problem. From a network filter's perspective, the page that loads Slope looks identical to a page that loads a Google Docs spreadsheet. Both are HTML documents loading JavaScript and CSS. There is no technical hook for a generic content filter to latch onto.
This isn't an accident or a workaround — it's simply what modern web development looks like. But the effect on filterability is real: an HTML5 game site cannot be blocked by technology signature alone. It has to be identified by domain, and that brings us to the next point.
Game file weight — a strict selection criterion
Not every HTML5 game makes it onto LemonArcade. One of the primary selection filters is file weight. The threshold is strict: a game must load in under 5 seconds on a 10 Mbps shared connection. In practice, this means total page weight under roughly 6 MB.
Why does this matter for school networks specifically? Because school internet connections are shared across hundreds of users simultaneously. A 100 Mbps line serving 400 students gives each user an effective bandwidth of around 250 Kbps — barely enough to stream audio. Any game that requires downloading dozens of megabytes of 3D assets will time out or hang indefinitely on this kind of connection, even if it's technically not blocked.
LemonArcade's catalogue reflects this constraint directly:
- Slope — approximately 800 KB total. Loads in under 2 seconds on any connection.
- Cookie Clicker — approximately 500 KB. Near-instant load on any network.
- Stickman Parkour — approximately 1.2 MB. Loads in 3–4 seconds on a throttled connection.
- Chess — approximately 300 KB. The lightest game on the portal.
Games that would have been great additions but were rejected on weight grounds include several Unity WebGL titles that clock in at 40–80 MB. They simply won't work reliably in a school environment, so they're not on the site.
This criterion also explains why LemonArcade doesn't host certain extremely popular games that are technically browser-compatible. If the file weight doesn't pass the threshold, the game doesn't make the cut — regardless of how well-known it is.
The domain — not yet categorised in filter databases
Domain categorisation is the mechanism most school filters rely on for broad-strokes blocking. Fortinet, Cisco Umbrella, Barracuda, and Lightspeed Systems all maintain constantly updated databases that assign categories to millions of domains. If a domain is categorised as "Games" or "Online Gaming," it gets blocked automatically on any network that restricts those categories — no manual action by a school admin required.
Sites that have been around for years are almost universally categorised. Miniclip. Armor Games. Coolmath Games. Newgrounds. Kongregate. These domains have been in filter databases since the mid-2000s. Their categorisation is permanent and multi-vendor — every major filter system has them tagged independently.
LemonArcade runs on a new domain — lemonarcade.com — that hadn't accumulated this categorisation history when the site launched. Domain databases don't add new sites automatically; they require either user reports, automated crawling that triggers category scoring, or vendor review. A new, clean domain that doesn't display the patterns filter crawlers associate with gaming sites (plugin usage, heavy assets, specific page structures) categorises slowly.
This is a time-limited advantage, and it's worth being honest about that. Over time, lemonarcade.com will appear in more filter databases. Some networks may already have it categorised. But as of the site's launch and for a meaningful window after, the domain hadn't been flagged across the major commercial filter platforms — which is why students on those networks can access it.
Zero external resources — everything hosted in-house
This is arguably the most technically interesting design decision on the list. A typical gaming website loads resources from a large number of external domains: analytics scripts, advertising networks, third-party CDNs for game assets, social sharing widgets, font services, and so on. A moderately complex gaming portal might make HTTP requests to 15 or 20 distinct domains just to render the homepage.
This creates a specific failure mode on filtered networks. Even if the main domain isn't blocked, any of those external resource domains might be. If a game's JavaScript engine is hosted on a CDN that's categorised as a gaming asset provider, the filter blocks that CDN request — and the game simply doesn't load, even though lemonarcade.com itself is technically accessible.
LemonArcade eliminates this failure mode by hosting everything on its own infrastructure. Game files, assets, scripts, fonts, images — all served from the same origin. The browser makes one connection to lemonarcade.com and gets everything it needs. There are no external domains that can independently fail or get blocked.
The only exception to this rule is multiplayer games. Shell Shockers and Smash Karts are hosted by their original developers — Blue Wizard Digital and Tall Team respectively — and their game servers sit on different domains. Those game server connections can be blocked independently of lemonarcade.com. If multiplayer games don't load on your school network, this is the most likely reason: the game server domain is accessible from the general internet but explicitly blocked by your school's filter.
No WebRTC
WebRTC (Web Real-Time Communication) is a browser technology that enables peer-to-peer connections — direct communication between two browsers without going through a central server. It's what powers video calls in Google Meet, voice chat in some online games, and certain file-sharing applications.
School network filters are increasingly configured to block WebRTC traffic. The reason: WebRTC can be used to tunnel data in ways that bypass standard proxy inspection, making it a favourite for circumvention tools. As a result, many FortiGate and Cisco Umbrella deployments now block WebRTC at the network level.
LemonArcade doesn't use WebRTC anywhere on the site. Multiplayer functionality — where it exists — is implemented using standard WebSockets. WebSockets use the same port as HTTPS (443) and look identical to regular encrypted web traffic to a network filter. They pass through school proxies without issue in the vast majority of cases.
HTTPS everywhere — transparent, inspectable traffic
Every page and resource on LemonArcade is served over HTTPS. This is standard practice for any modern website, but it's worth explaining what it means in the context of school networks specifically.
Many school filters perform SSL inspection — they act as a "man in the middle" for HTTPS connections, decrypting traffic to inspect it before re-encrypting it toward the client. This is done using a school-installed root certificate on managed devices (Chromebooks, school-issued laptops). It's a legitimate network management technique, not an attack.
LemonArcade's HTTPS is plain, standard TLS. There's no certificate pinning, no obfuscation layer, no attempt to make the connection harder to inspect. SSL inspection by a school network will see exactly what it expects to see: a normal web page serving HTML, CSS, JavaScript, and image files. Nothing that triggers anomaly detection. Nothing that pattern-matches to known circumvention tools.
This transparency is intentional. LemonArcade isn't trying to hide what it is — it genuinely is a simple web page. The fact that it happens to contain games doesn't change the technical signature of the traffic.
What LemonArcade doesn't do
Understanding why LemonArcade gets through filters is partly about understanding what it avoids. Several common approaches to "unblocking" websites are conspicuously absent from LemonArcade's architecture.
No proxy
LemonArcade is not a web proxy. It doesn't route your traffic through an intermediary server to disguise its origin. Proxy sites are among the first things school networks block — they have their own category in every major filter database. A gaming site built as a proxy would be blocked almost immediately by any updated filter.
No VPN
LemonArcade doesn't offer or require a VPN connection. VPN traffic is detectable at the protocol level (OpenVPN, WireGuard, and similar protocols have recognisable handshake patterns), and most school networks either block VPN protocols entirely or flag and log them for administrator review.
No DNS over HTTPS
Some circumvention tools use DNS over HTTPS (DoH) to bypass DNS-layer filters like Cisco Umbrella — by encrypting DNS queries and routing them to a public resolver like Cloudflare 1.1.1.1, they sidestep the school's DNS filter entirely. LemonArcade doesn't implement this. DNS resolution for lemonarcade.com goes through standard DNS, fully visible to the school's DNS filter. If Cisco Umbrella has lemonarcade.com categorised on a specific network, it will be blocked at the DNS level just like any other site in that category.
The absence of these techniques is the point. LemonArcade works transparently, not covertly. It's a website that behaves like a website.
What can still block LemonArcade
Being clear about limitations is as important as explaining what works. There are three scenarios where LemonArcade will not be accessible on a school network, regardless of the technical decisions described above.
Whitelist-only networks
Some schools — particularly primary schools and highly restrictive institutions — operate on a whitelist-only model. Instead of blocking known-bad domains, they block everything except an explicit list of approved domains. On these networks, no new website will ever be accessible unless an administrator adds it to the whitelist. LemonArcade, like every other site not on that list, will be blocked by default.
Manual administrator blocks
Any network administrator can manually add lemonarcade.com to their filter's blocklist at any time. If a school's IT admin notices students playing games during class and identifies the domain, a block takes minutes to implement. There's no technical defence against deliberate manual blocking — and LemonArcade makes no attempt to evade it.
Multiplayer game server blocks
As noted in the external resources section, multiplayer games like Shell Shockers and Smash Karts connect to game servers on different domains. These servers can be — and in some networks are — blocked independently. The LemonArcade page itself might load fine, but the game won't connect to its server. In these cases, single-player games are the reliable option.
Technical summary
For readers who want the concise version, here's what makes LemonArcade work on most school networks:
- Pure HTML5 — no plugin signatures for content filters to detect (no Flash, no Unity WebGL).
- Lightweight games — all games load in under 5 seconds on a 10 Mbps shared connection; bandwidth-based throttling doesn't apply.
- New, uncategorised domain — lemonarcade.com had not been added to the major filter vendor databases (Fortinet, Cisco Umbrella, Barracuda, Lightspeed) at the time of launch.
- Zero external resources — all assets served from the same origin; no third-party CDN or ad network requests that could fail independently.
- No WebRTC — multiplayer uses standard WebSockets on port 443, which pass through proxies without triggering WebRTC blocks.
- Standard HTTPS — transparent TLS, fully inspectable by SSL inspection proxies, no obfuscation.
- No proxy, no VPN, no DoH — the site makes no attempt to circumvent filters; it simply doesn't trigger them.
If your school network blocks lemonarcade.com directly, LemonArcade will not be accessible through the school connection — the same as any explicitly blocked site. In that case, using mobile data is the straightforward alternative. The site loads quickly on 4G and 5G connections, and all games work identically on mobile browsers.