Captcha Flow

Captcha Flow

Provider strategy

• First choice: mCaptcha
• Fallback: mosparo
• Integration must stay behind a provider interface so the site can switch without rewriting form controllers

Forms requiring captcha

• signup or enrollment helper forms
• contact/help form
• forgot password
• abuse report
• listing create
• listing edit

Server-side rules

• Verify captcha server-side only
• Never trust a hidden field or client-only check
• Bind validation result to the current request and IP metadata
• Rate-limit high-risk actions in addition to captcha

Abstraction recommendation

Create a service contract with methods like:

• renderPayload()
• verify()
• providerName()

This keeps controllers clean and makes staged rollout safer.