CAPTCHA or enough is enough

August 6, 2019

Got sick of multiple silly comments and decided to get rid of them. Yesterday I added the “Simple Google reCAPTCHA” plugin, so comment posting is now protected by Google reCAPTCHA; the Contact page is not protected yet, but I will implement some protection there as well. I investigated with Wireshark what the HTTP POST request for adding a new comment looks like now:

POST /blog/wp-comments-post.php HTTP/1.1
Connection: keep-alive
Content-Length: 513
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9


Now the POST request data contains an additional g-recaptcha-response token, which must be verified on the server side: the token alone proves nothing until the server sends it to Google's siteverify endpoint and checks the reply.
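The check described above, written out as an added example (it is not code from the Simple Google reCAPTCHA plugin or from WordPress). The siteverify URL and the reply fields `success`, `challenge_ts`, `hostname` and `error-codes` are Google's documented reCAPTCHA v2 API; the secret key, the expected hostname and the canned replies are constructed placeholders. The HTTP transport is injectable so the decision logic can be exercised offline, and the function fails closed whenever Google cannot be reached or the reply is malformed.

```python
"""Server-side verification of a reCAPTCHA v2 g-recaptcha-response token.

Added example, not the plugin's own code. Endpoint and reply fields are
Google's documented API; SECRET_KEY, EXPECTED_HOSTNAME and the sample
replies below are constructed for the demonstration.
"""
import json
import urllib.parse
import urllib.request
from datetime import datetime, timedelta, timezone
from typing import Any, Callable, Dict, Optional, Tuple

SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"
SECRET_KEY = "SECRET_KEY_PLACEHOLDER"   # constructed; the real secret stays server-side only
EXPECTED_HOSTNAME = "example.com"        # constructed; host that served the comment form
MAX_TOKEN_AGE = timedelta(minutes=2)     # v2 tokens expire two minutes after being solved

# A transport takes the form fields for siteverify and returns the decoded JSON reply.
Transport = Callable[[Dict[str, str]], Dict[str, Any]]


def google_transport(fields: Dict[str, str]) -> Dict[str, Any]:
    """Real transport: POST the fields to siteverify and decode the JSON reply."""
    data = urllib.parse.urlencode(fields).encode()
    with urllib.request.urlopen(SITEVERIFY_URL, data=data, timeout=5) as resp:
        return json.load(resp)


def canned_transport(reply: Dict[str, Any]) -> Transport:
    """Offline transport that returns a constructed reply regardless of input."""
    return lambda fields: reply


def verify_recaptcha(form: Dict[str, str], remote_ip: str,
                     transport: Transport = google_transport,
                     now: Optional[datetime] = None) -> Tuple[bool, str]:
    """Decide whether one comment POST may be accepted.

    Returns (accepted, reason). Rejects when the token is missing, Google
    reports failure (including the documented timeout-or-duplicate code for
    a replayed token), the token was solved on another hostname, or the
    challenge is older than MAX_TOKEN_AGE.
    """
    token = form.get("g-recaptcha-response", "").strip()
    if not token:
        return False, "missing g-recaptcha-response"
    try:
        reply = transport({"secret": SECRET_KEY, "response": token, "remoteip": remote_ip})
    except Exception as exc:  # network or decode error: fail closed
        return False, f"siteverify unreachable: {exc}"
    if not reply.get("success"):
        codes = reply.get("error-codes") or ["unknown"]
        return False, "siteverify failed: " + ",".join(codes)
    if reply.get("hostname") != EXPECTED_HOSTNAME:
        return False, f"token solved on unexpected host {reply.get('hostname')!r}"
    try:
        solved_at = datetime.fromisoformat(reply["challenge_ts"].replace("Z", "+00:00"))
    except (KeyError, AttributeError, ValueError):
        return False, "malformed challenge_ts"
    now = now or datetime.now(timezone.utc)
    if now - solved_at > MAX_TOKEN_AGE:
        return False, "challenge too old"
    return True, "ok"


# Constructed sample data: the form body of a comment POST and several siteverify replies.
SAMPLE_FORM = {"author": "reader", "comment": "hi", "g-recaptcha-response": "TOKEN_PLACEHOLDER"}
FIXED_NOW = datetime(2019, 8, 6, 12, 0, 30, tzinfo=timezone.utc)
GOOD_REPLY = {"success": True, "challenge_ts": "2019-08-06T12:00:00Z", "hostname": "example.com"}
REPLAYED_REPLY = {"success": False, "error-codes": ["timeout-or-duplicate"]}
WRONG_HOST_REPLY = {"success": True, "challenge_ts": "2019-08-06T12:00:00Z", "hostname": "other.example"}
STALE_REPLY = {"success": True, "challenge_ts": "2019-08-06T11:00:00Z", "hostname": "example.com"}


def demo() -> Dict[str, Tuple[bool, str]]:
    """Run the decision logic over the constructed cases; returns name -> (accepted, reason)."""
    cases = {
        "good": (SAMPLE_FORM, GOOD_REPLY),
        "replayed": (SAMPLE_FORM, REPLAYED_REPLY),
        "wrong_host": (SAMPLE_FORM, WRONG_HOST_REPLY),
        "stale": (SAMPLE_FORM, STALE_REPLY),
        "no_token": ({"author": "reader", "comment": "hi"}, GOOD_REPLY),
    }
    return {name: verify_recaptcha(form, "203.0.113.5", canned_transport(reply), FIXED_NOW)
            for name, (form, reply) in cases.items()}


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:11s} accepted={ok!s:5s} {reason}")
```

Only the `good` case is accepted; the others show why checking `success` alone is not enough: a replayed token is refused by Google with `timeout-or-duplicate`, and a token solved for another site or too long ago is caught by the hostname and age checks even though Google reports success.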

