[hCaptchaReact] Validate client action not safe to use

Forge asset: hCaptchaReact, by Carla Ribeiro da Fonseca
Application Type: Reactive

Hi Carlos,

I've looked at the hCaptchaReact component and I believe that the way you do the validation is not secure.

Validation of the token should be done on the server, not the client. There are two reasons for this:

  1. If the validation is done on the client, then it can easily be bypassed by messing around with the JavaScript code in the browser. Client actions are inherently not to be trusted.
  2. By doing validation on the client side, you need to have the hCaptcha secret on the client side. As the name already implies, the secret should remain secret and should not be visible on the client.

As a captcha is a security measure, it is important that it is implemented securely.

My suggestion would be to change the ValidateResponse client action into a Server Action and change the demo code to use the server side validation of the token.


Best regards,

Steven 
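The server-side verification recommended in the post, as an added example that is not code from the hCaptchaReact component: the secret stays on the server (read from an assumed `HCAPTCHA_SECRET` environment variable) and the token is checked against hCaptcha's siteverify endpoint. The HTTP call is passed in as a parameter so the function can be exercised offline with a constructed response.

```python
import json
import os
import urllib.parse
import urllib.request

# hCaptcha's documented verification endpoint; it takes a form-encoded POST.
HCAPTCHA_VERIFY_URL = "https://api.hcaptcha.com/siteverify"


def _post_form(url, fields):
    """Real transport: form-encoded POST, JSON body back."""
    data = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read().decode())


def verify_hcaptcha(token, secret, expected_hostname=None, post=_post_form):
    """Server-side check of a client-supplied hCaptcha token.

    Returns (ok, reasons). The secret never leaves the server; the only thing
    the browser contributes is the token, which is treated as untrusted input.
    """
    if not token or not secret:
        return False, ["missing-input"]
    body = post(HCAPTCHA_VERIFY_URL, {"secret": secret, "response": token})
    if not body.get("success"):
        # siteverify reports failure reasons under "error-codes"
        return False, list(body.get("error-codes", []))
    # Optional defence in depth: a token solved on another site should not pass here.
    if expected_hostname and body.get("hostname") != expected_hostname:
        return False, ["hostname-mismatch"]
    return True, []


def _demo_post(url, fields):
    """Constructed siteverify reply for offline demonstration only."""
    return {"success": True, "hostname": "example.com"}


if __name__ == "__main__":
    # The secret is read on the server, never shipped to the client (assumed variable name).
    secret = os.environ.get("HCAPTCHA_SECRET", "placeholder-secret")
    print(verify_hcaptcha("client-token", secret, "example.com", post=_demo_post))
```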

