Tags: javascript, captcha, verification

Friendly Captcha - Is a verification request necessary?


I am integrating Friendly Captcha for the first time and I follow the official tutorial: https://docs.friendlycaptcha.com/#/installation

After step two my web application correctly solves the puzzle and disables "I am human." [two screenshots omitted]

Now, I am wondering if I even need the third step "Verifying the CAPTCHA solution on the server". From the tutorial it is not clear why or if I even need this step and how I can implement it. Do I need to call the verification endpoint after solving the puzzle?

Does anyone have more knowledge concerning calling the verification endpoint of Friendly Captcha?

Thanks!


Solution

  • The whole point of the server-side verification is that, if you don't do this, nothing is stopping me from writing a two-line script that just spams your server endpoint with requests.

    What I mean is: let's say you have an endpoint https://myserver.tld/give_me_five_euros .

    On your frontend side you have a form where you have an email field and the captcha verification. I'm assuming you will use the captcha to enable the submit button or something similar.

    Okay, now for a bot that navigates to your site and tries to enter [email protected] and hit "send" that might be a small road block. But normally a bot would rather parse the <form> with the fields in it, and try to post the data itself.

    I.e. if your backend does not check if some human (or a sophisticated figure 01) actually clicked the captcha, then any script kiddy will just do:

    // POST the form fields directly, bypassing the page and the widget entirely.
    // (A plain object as `body` would be sent as "[object Object]"; it has to be serialized.)
    fetch(
      "https://myserver.tld/give_me_five_euros",
      {
        method: "POST",
        headers: { "Content-Type": "application/json" },
        body: JSON.stringify({ email: "[email protected]" }),
      }
    )
    

    And the means of checking whether the captcha has been clicked on the backend is exactly this: take the response from the captcha, send it to the backend, verify it. If it's not correct, somebody did not click the captcha but simply knows how to write a small script.
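A worked version of the backend check the answer describes, added here as an example; it is not code from the question, the answer, or Friendly Captcha itself. It is Node.js 18+ (global `fetch`). The endpoint URL `https://api.friendlycaptcha.com/api/v1/siteverify`, the JSON fields `solution`/`secret`/`sitekey`, the reply shape `{ success, errors }`, the hidden form field `frc-captcha-solution`, and the `solution_invalid` error code are what I recall from Friendly Captcha's public documentation, not from this page, so confirm them against the current docs. The function names (`interpretSiteverifyReply`, `decideSubmission`, `verifyWithSiteverify`, `handleGiveMeFiveEuros`) and the `FAIL_CLOSED` policy are my own choices. The decision logic is kept in pure functions so it can be exercised without network access.

```javascript
// Added example: server-side verification of a Friendly Captcha solution before the
// backend acts on a form submission (/give_me_five_euros from the answer).
// Node.js 18+ (global fetch). Not the project's own code.
//
// Assumptions (from Friendly Captcha's docs as I recall them; verify before relying on them):
//   - the widget fills a hidden form field named "frc-captcha-solution"
//   - verification is POST https://api.friendlycaptcha.com/api/v1/siteverify
//     with JSON { solution, secret, sitekey } and JSON reply { success, errors? }

const SITEVERIFY_URL = "https://api.friendlycaptcha.com/api/v1/siteverify"; // assumed
const SOLUTION_FIELD = "frc-captcha-solution"; // assumed widget field name

// What to do when the siteverify call itself fails (network error, timeout).
// For an endpoint that hands out money, rejecting is the safer default (my choice).
const FAIL_CLOSED = true;

// Interpret one siteverify reply. Pure so it can be tested offline.
// Returns { ok: boolean, reason: string }.
function interpretSiteverifyReply(httpStatus, body) {
  if (httpStatus !== 200) {
    return { ok: false, reason: `siteverify returned HTTP ${httpStatus}` };
  }
  if (!body || typeof body !== "object") {
    return { ok: false, reason: "siteverify reply was not a JSON object" };
  }
  if (body.success === true) {
    return { ok: true, reason: "solution accepted" };
  }
  const errors = Array.isArray(body.errors) ? body.errors.join(",") : "unspecified";
  return { ok: false, reason: `solution rejected: ${errors}` };
}

// Decide the HTTP response for a submission. `verifyResult` is the object above,
// or null when the verification request could not be completed at all.
function decideSubmission(formFields, verifyResult) {
  if (!formFields[SOLUTION_FIELD]) {
    // The script in the answer posts only { email }: no solution field at all.
    return { status: 400, body: { error: "captcha solution missing" } };
  }
  if (verifyResult === null) {
    return FAIL_CLOSED
      ? { status: 503, body: { error: "captcha verification unavailable, try again" } }
      : { status: 200, body: { ok: true, note: "accepted without verification (logged)" } };
  }
  if (!verifyResult.ok) {
    return { status: 403, body: { error: "captcha verification failed" } };
  }
  return { status: 200, body: { ok: true } };
}

// Network glue: ask the siteverify API about one solution. `fetchImpl` is injectable
// so the function can be driven by a stub. Returns null if the request itself fails.
async function verifyWithSiteverify(solution, { secret, sitekey, fetchImpl = globalThis.fetch }) {
  try {
    const res = await fetchImpl(SITEVERIFY_URL, {
      method: "POST",
      headers: { "Content-Type": "application/json" },
      body: JSON.stringify({ solution, secret, sitekey }),
    });
    const body = await res.json().catch(() => null);
    return interpretSiteverifyReply(res.status, body);
  } catch (err) {
    console.error("siteverify request failed:", err.message);
    return null;
  }
}

// Handler in the shape of the answer's endpoint. `formFields` is the parsed POST body;
// `deps` carries the API secret (keep it server-side, e.g. from the environment).
async function handleGiveMeFiveEuros(formFields, deps) {
  const solution = formFields[SOLUTION_FIELD];
  const verifyResult = solution ? await verifyWithSiteverify(solution, deps) : null;
  return decideSubmission(formFields, verifyResult);
}
```

The important property is that the backend never trusts the browser's claim that the puzzle was solved: the only thing that counts is the API's answer to the submitted solution, and a request with no solution field (the bot from the answer) is rejected before any network call is made.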