: Should captcha be used on every vulnerable page, or just on initial page load to deter robots? I do not know too much about how hackers compromise websites but am careful about sanitizing all

@Gloria169

It depends whether your potentially vulnerable pages are indexable by search engines and accessible directly.

If they are and they don't redirect user to your initial Captcha check, Then the answer is yes, you would need to implement Captcha or redirect to your "initial" Captcha check on every potentially vulnerable page if user has not already passed the challenge.

But I urge you to consider UX aspect of it all. People are generally annoyed by captchas so my advice is to heed your own words and focus on properly sanitizing user input.

(Re)Captcha is not a magic solution. If someone wants to beat your captchas he will do so, either by buying captcha solving service or by other methods which have been covered ad nauseam on this network.

General rule of thumb is that best solutions are ones that users don't even notice, but which hinder the bots.

Focus on honeypots and similar solutions that don't interrupt user's workflow.

Example of honeypot would be a hidden input field which ask for some common input value, for example zip code or email, something that you don't actually require from your users, but which bots would automatically populate and you could do a check and reject cases where such fields are not empty.

Just keep in mind that any kind of Captcha is not replacement for proper validation/sanitizing/data type checks and other best practices. Also there are alternative solutions to consider, one example being humanpresence.net (Which I do not officially endorse, just mentioning it for the sake of completeness)

Hope this helps.

Vote Up Vote Down