minimum length validation for invalid_response?(resp) method in Recaptcha module #461
Comments
|
yeah that sounds reasonable, |
|
@grosser , you are correct. The spammers are not targeting the recaptcha specifically. They are trying to exploit XSS and CSRF attacks on the form fields. But it is increasing the recaptcha cost. Also I |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Spammers can pass random value for the token param (ex: g-recaptcha-response) which can increase the API validation call to recaptcha, consequently incurring more cost.
Most of the Spam attacks we observed attacher sending 1-10 length chars.
It is good to have minimum length 100, validation check to avoid unnecessary API calls to recaptcha.
The text was updated successfully, but these errors were encountered: