Implementing captcha in a stateless REST web-service environment
-
23-08-2019 - |
Question
The project I'm working on is a piece of static HTML with some inline JavaScript that will call a REST web-service, which I'm creating myself using .NET 3.5 WCF.
The JavaScript will grab some details from the user including an email address, then send those details off to the web-service through Ajax. The web-service will then store the details in a database.
Since this is a web-service, I'm pretty sure it would be stateless.
However, the requirement for the project is that the front-end JavaScript should also do a captcha, to prevent spamming.
The site itself will only be up for a few weeks (6 weeks max), and I don't think that's enough time for any would-be attackers to get serious about bringing the site down.
For this reason, I've considered making an entirely client-side captcha, since traditional captcha requires a stateful sessions.
However I'm curious to know what security measures would normally be implemented in a stateless environment, or if anyone thinks I'm wrong about client-side captcha validation being sufficient.
Solution
You may not even need a CAPTCHA. Many spam clients are too dumb to execute things like Javascript. You could try just setting a hidden input to some value in Javascript.
If your site is only up for a few weeks then I doubt anyone would build a client that would get around that.
That said it would screw users without Javascript, so I'd recommend putting a message on screen which the Javascript removes. That would have the same input field but as a check box with a label which explains they need to check it not to be ignored.