0

I am integrating Friendly Captcha for the first time and I am following the official tutorial: https://docs.friendlycaptcha.com/#/installation

After step two my web application correctly solves the puzzle and disables "I am human."

Now, I am wondering if I even need the third step "Verifying the CAPTCHA solution on the server". From the tutorial it is not clear why or if I even need this step and how I can implement it. Do I need to call the verification endpoint after solving the puzzle?

Does anyone have more knowledge concerning calling the verification endpoint of Friendly Captcha?

Thanks!

Michelle
  • Of course you need to verify it on the server side, otherwise the whole thing makes zero sense to begin with. If you _don't_ verify it, then I could make fake requests to your site from anywhere, and your site would treat it the same, as if an actual user had actually filled out your form. And that is what you wanted to prevent by using a captcha in the first place, is it not? – CBroe Jun 07 '23 at 12:29
  • Without the server verification part either a) the user typed in the captcha correctly, or b) they modified/disabled the captcha code running in their browser. You need the server verification part to be sure that only “a” passes the test. – James Jun 07 '23 at 12:33
  • Thank you for your comments. Can I call this verification endpoint in a callback function after the solution is ready? – Michelle Jun 07 '23 at 12:36
  • _"Can I call this verification endpoint in a callback function after the solution is ready?"_ - I can't tell what you actually mean here. – CBroe Jun 07 '23 at 12:42
  • Sorry. When using FriendlyCaptcha you can configure a callback function, which is called after the computer has calculated a solution from the puzzle. I was wondering if this is a good place to do the verification. Because from the tutorial it is unclear to me when exactly I should do the verification. – Michelle Jun 07 '23 at 12:47
  • The point of verification is knowing that someone completed the captcha. If you don't care if they did or not, then you don't have to verify. In other words, if you get mostly bot spam traffic and you want to filter it before it goes into your db or your email, you would verify it before that happens. – pguardiario Jun 09 '23 at 05:03
  • @pguardiario Thanks for the explanation, that helped me! You can put it as an answer. – Michelle Jun 12 '23 at 06:48

1 Answer

1

The point of verification is knowing that someone completed the captcha. If you don't care if they did or not, then you don't have to verify. In other words, if you get mostly bot spam traffic and you want to filter it before it goes into your db or your email, you would verify it before that happens.

pguardiario
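
A sketch of the server-side step discussed above, as an added example that is not part of the original post or of Friendly Captcha's own code: the check runs in the request handler on the server, before anything is written to the db, because a check made in the browser callback can be skipped by anyone who posts to the form directly. It assumes the v1 `siteverify` endpoint and the `frc-captcha-solution` form field; `handle_contact_form`, `store` and the injectable `post` transport are hypothetical names, and failing closed on a network error is a choice made for this example.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

# Assumed from the Friendly Captcha v1 API: verification endpoint and the
# name of the hidden form field the widget fills with the puzzle solution.
VERIFY_URL = "https://api.friendlycaptcha.com/api/v1/siteverify"
SOLUTION_FIELD = "frc-captcha-solution"


def http_post(url, fields, timeout=5):
    """POST form fields and return (HTTP status, parsed JSON body)."""
    data = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request(url, data=data)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read() or b"{}")


def captcha_passed(form, secret, sitekey, post=http_post):
    """True only if the form carries a solution that the API accepts."""
    solution = form.get(SOLUTION_FIELD, "")
    if not solution:
        # A direct POST that never ran the widget has no solution at all.
        return False
    fields = {"solution": solution, "secret": secret, "sitekey": sitekey}
    try:
        status, body = post(VERIFY_URL, fields)
    except (OSError, ValueError):
        # Network or JSON failure: this example fails closed.
        return False
    return status == 200 and body.get("success") is True


def handle_contact_form(form, secret, sitekey, store, post=http_post):
    """Hypothetical handler: verify first, touch the db only afterwards."""
    if not captcha_passed(form, secret, sitekey, post):
        return 400
    store.append(form.get("message", ""))
    return 200
```

The secret is sent only from the server and never appears in the page's JavaScript.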