Self Hosted Captcha

Mohit Kanwar | Jan 1, 2024 min read

Objective

To design and implement a self-hosted CAPTCHA service that is secure, user-friendly, scalable, and compliant with relevant regulations, ensuring robust protection against automated bots while providing a seamless experience for legitimate users.

Requirements and Scope for a Self-Hosted CAPTCHA Service

Functional Requirements
Requirement IDDescription
FR-001Support text-based CAPTCHA where users identify distorted text or solve a simple question.
FR-002Support image-based CAPTCHA where users select specific objects or patterns in images (e.g., “Select all the traffic lights”).
FR-003Provide an audio CAPTCHA alternative for visually impaired users.
FR-004Implement logical CAPTCHA with simple logical or arithmetic puzzles (e.g., “What is 5 + 3?”).
User Interaction
Requirement IDDescription
FR-005Provide options for audio CAPTCHAs and high-contrast visual modes to ensure accessibility.
FR-006Support localization for different languages and regions.
FR-007Ensure CAPTCHAs are responsive and easy to interact with on mobile devices.
FR-008Design CAPTCHAs to minimize disruption to the user experience, such as implementing invisible or behavior-based CAPTCHAs for legitimate users.
Security Features
Requirement IDDescription
FR-009Randomize CAPTCHA challenges to prevent replay attacks and ensure unpredictability.
FR-010Include mechanisms to identify and block bots based on suspicious activity.
FR-011Bind CAPTCHA challenges to specific user sessions to prevent reuse.
FR-012Implement thresholds to limit the frequency of CAPTCHA requests from a single IP address.
Integration
Requirement IDDescription
FR-013Provide RESTful APIs for easy integration with various platforms and applications.
FR-014Offer a lightweight JavaScript library for embedding CAPTCHAs on websites.
FR-015Allow customization of CAPTCHA appearance and difficulty based on application requirements.
Management and Monitoring
Requirement IDDescription
FR-016Provide an admin dashboard to manage settings, view analytics, and monitor CAPTCHA usage.
FR-017Maintain logs of CAPTCHA activity for troubleshooting and security audits.
Non-Functional Requirements
Requirement IDDescription
NFR-001Ensure CAPTCHA challenges load within 200ms to minimize user wait times.
NFR-002Design the service to handle high traffic volumes without degradation in performance.

Context

Context Diagram for Captcha solution

The captcha system is designed to differentiate the users between the humans and the automated robots.

Robot : A robot is an automated system that mimicks the behaviour of a human. It has not so good intentions. There are a few assumptions about this robot :

  1. It is an automated script e.g. selenium or other tool
  2. It requires specific types of plugins
  3. It tries to fill up the form using some acquired information
  4. It tries to fill up as many details as possible
  5. It doesn’t “See” the view the way humans do, instead views it as the html code.
  6. The mouse movement and typing speed of a robot is generally consistent

User : A human user of the application, who has good intentions.

  1. A user is prone to human errors.
  2. A user is less consistent in behaviour.
  3. A user is generally slower than a bot.
  4. A user views the application from eyes or screen-readers.

Admin : A human with advanced authorization to manage and govern how the captcha functionality will behave.

Client Applications : Client Applications or User Applications are the human facing applications that are prone to bot attacks. These services contain public information and we want to stop the navigation if a bot tries to access this application.

Admin Application : This is a protected application, not accessible to common public. The admin users landup on this portal to manage the configurations for captcha.

Captcha Service : This is the main microservice to manage the captcha behaviour.

Other Services : Other microservices that may want to utilize captcha creation and validation.

Admin app Client Container

Admin Client application Container

User app client application

User Client application Container

Captcha Microservice

Captcha Microservice Container
comments powered by Disqus