Security Recommendations
Replay Attacks
To defend against replay attacks—where a client resubmits a previously valid solution—your server must ensure that each challenge is single-use.
Maintain a registry (e.g., in-memory store or database) of solved challenges, and reject any attempt to reuse a challenge that has already been accepted.
Use a short challenge expiration to limit how long a challenge remains valid. In combination with expiration, your registry can automatically discard entries after the same duration.
As a general guideline, set the expiration time between 20 minutes and 1 hour.
Replay Attacks with Server Signatures
When using Sentinel, your backend receives a server signature instead of a proof-of-work solution. This signature must be verified cryptographically.
To prevent reuse, maintain a registry of processed payloads. Use the unique id field from the payload, along with the signed verificationData object, as the key in this registry.
By default, Sentinel sets a challenge expiration of 20 minutes, which can be adjusted using the expires parameter in the Security Group settings.
Your registry should retain entries for at least the same duration as the configured expiration time.
Alternatively, you can use the POST /v1/verify/signature endpoint, which includes built-in protection against replay attacks.
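A single-use registry covering both replay cases above, added here as an illustration and not taken from ALTCHA's own code. The class and helper names, the challenge field used as the proof-of-work key, and the caller-supplied expiry timestamp are assumptions; id and verificationData are the fields named above.

```javascript
// Added example (not ALTCHA's code): single-use registry with expiry.
// Call accept() only after the solution or server signature has verified.
class ReplayRegistry {
  constructor(ttlMs = 20 * 60 * 1000) {
    this.ttlMs = ttlMs;    // retention, at least the challenge expiration
    this.seen = new Map(); // key -> time (ms) after which the entry is dropped
  }

  // Discard entries whose retention period has passed.
  purge(now) {
    for (const [key, dropAt] of this.seen) {
      if (dropAt <= now) this.seen.delete(key);
    }
  }

  // Returns "ok" on first use, otherwise "expired" or "replay".
  accept(key, expiresAtMs, now = Date.now()) {
    this.purge(now);
    if (expiresAtMs <= now) return "expired";
    if (this.seen.has(key)) return "replay";
    this.seen.set(key, Math.max(expiresAtMs, now + this.ttlMs));
    return "ok";
  }
}

// Proof-of-work: key on the challenge value (assumed field name).
const powKey = (payload) => "pow:" + payload.challenge;
// Sentinel: key on id plus the signed verificationData, unambiguously joined.
const signatureKey = (payload) =>
  "sig:" + JSON.stringify([payload.id, payload.verificationData]);

// Constructed payload and fixed clock so the run is deterministic.
function demo() {
  const registry = new ReplayRegistry();
  const t0 = 1700000000000;
  const expiresAt = t0 + 20 * 60 * 1000;
  const payload = { id: "example-id-1", verificationData: "verified=true" };
  const key = signatureKey(payload);
  return [
    registry.accept(key, expiresAt, t0),            // first submission
    registry.accept(key, expiresAt, t0 + 5000),     // same payload again
    registry.accept(key, expiresAt, expiresAt + 1), // past expiry
    registry.seen.size,                             // entry already purged
  ];
}

console.log(demo()); // [ 'ok', 'replay', 'expired', 0 ]
```

An in-memory Map is only visible to one process; when several server instances handle verification, the same check-and-insert has to run against a shared store so that a payload accepted by one instance is rejected by the others.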
Challenge Expiration
Challenge expiration (via the expiresAt parameter) ensures that challenges cannot be reused after a defined period. This reduces the window of opportunity for attackers.
Rate Limiting
Implement rate limiting to mitigate brute-force and denial-of-service (DoS) attacks. This helps prevent malicious clients from overwhelming your system with excessive requests.