Security Recommendations
These recommendations apply only to custom server implementations using the open-source integration.
Replay Attacks
To defend against replay attacks, where a client resubmits a previously valid solution, your server must ensure that each challenge is single-use.
Maintain a registry (e.g., an in-memory store or database) of solved challenges and reject any attempt to reuse a challenge that has already been accepted.
Challenge Expiration
Challenge expiration prevents challenges from being reused after a certain period. This adds a layer of security by limiting the window of opportunity for an attacker.
A simple and effective approach is to embed a server-side timestamp into the challenge’s salt when generating it.
Use the ?expires=<unix_ts> parameter in the salt, as described in the salt parameters section. The widget will automatically detect this parameter. Your server must then verify that the current time has not passed the expires timestamp during challenge verification.
Rate Limiting
Implement rate limiting to reduce the risk of brute-force or denial-of-service (DoS) attacks. This ensures that malicious clients cannot overwhelm your system with repeated requests.