4
20
Fork
You've already forked server
8

Feature Request: Altcha integration #797

Open
opened 2025年09月18日 11:30:54 +02:00 by Karthikeyan · 7 comments

I've used Liberaforms for a while, I noticed LiberaForms doesn’t have any verification when user submits a form. This leads bots to submit forms without any check. I suggest to integrate Altcha for Liberaforms, so that before the user submits the form, they have to pass the captcha. This will help to prevent spam/bot submissions and make the forms more secure.

"When integrating the widget into website forms, consider that users without JavaScript enabled in their browsers will be unable to utilize or submit forms protected by the widget. Ensure your audience is aware of this requirement for seamless form submission."

Related to: #178

I've used Liberaforms for a while, I noticed LiberaForms doesn’t have any verification when user submits a form. This leads bots to submit forms without any check. I suggest to integrate Altcha for Liberaforms, so that before the user submits the form, they have to pass the captcha. This will help to prevent spam/bot submissions and make the forms more secure. "When integrating the widget into website forms, consider that users without JavaScript enabled in their browsers will be unable to utilize or submit forms protected by the widget. Ensure your audience is aware of this requirement for seamless form submission." Related to: https://codeberg.org/LiberaForms/server/issues/178

Sounds like a possibly good solution to prevent bots from opening new accounts...
Or maybe the honeypots code (e3a55edc88) already available on user forms can be enabled by default on registration form?

I manage the rather new Liberaforms instance at address https://formulaire.facil.services/ and unfortunately only a few weeks after turning on public registration I was forced to turn it off after a massive wave of fake accounts/forms hit our server.

Sounds like a possibly good solution to prevent bots from opening new accounts... Or maybe the honeypots code ([e3a55edc88](https://codeberg.org/LiberaForms/server/pulls/820/commits/e3a55edc889cb5bae2fc243c5762e87e92bf29fd)) already available on user forms can be enabled by default on registration form? I manage the rather new Liberaforms instance at address https://formulaire.facil.services/ and unfortunately only a few weeks after turning on public registration I was forced to turn it off after a massive wave of fake accounts/forms hit our server.

Hello,

unfortunately only a few weeks after turning on public registration I was forced to turn it off after a massive wave of fake accounts/forms hit our server.

Sorry to hear that.

Or maybe the honeypots code (e3a55edc88) already available on user forms can be enabled by default on registration form?

Definitely will do that. Thanks for the idea.

By the way, we've been working on backend rate-limiting. Mainly to handle public form endpoints, but also user landing pages like User registration.

https://codeberg.org/LiberaForms/server/src/branch/develop/docs/limiter.md

Hello, > unfortunately only a few weeks after turning on public registration I was forced to turn it off after a massive wave of fake accounts/forms hit our server. Sorry to hear that. > Or maybe the honeypots code (e3a55edc88) already available on user forms can be enabled by default on registration form? Definitely will do that. Thanks for the idea. By the way, we've been working on backend rate-limiting. Mainly to handle public form endpoints, but also user landing pages like User registration. https://codeberg.org/LiberaForms/server/src/branch/develop/docs/limiter.md

Another option might be Cap.js which is a "Self-hosted CAPTCHA for the modern web based on proof-of-work."

Another option might be [Cap.js](https://trycap.dev/) which is a "Self-hosted CAPTCHA for the modern web based on proof-of-work."

@millette wrote in #797 (comment):

Another option might be Cap.js which is a "Self-hosted CAPTCHA for the modern web based on proof-of-work."

Cool! I will need to take a closer look though and I'm a bit overloaded at the moment. But yes, it would be good to include. Thanks!

@millette wrote in https://codeberg.org/LiberaForms/server/issues/797#issuecomment-15210675: > Another option might be [Cap.js](https://trycap.dev/) which is a "Self-hosted CAPTCHA for the modern web based on proof-of-work." Cool! I will need to take a closer look though and I'm a bit overloaded at the moment. But yes, it would be good to include. Thanks!

Merged user registration honeypots. Expect it in the next release.

I was forced to turn it off after a massive wave of fake accounts/forms hit our server.

@mathieugp I'd be very interested to know if rate-limiter plus honeypots make a difference for you.

Merged user registration honeypots. Expect it in the next release. > I was forced to turn it off after a massive wave of fake accounts/forms hit our server. @mathieugp I'd be very interested to know if rate-limiter plus honeypots make a difference for you.

@buttle I will for sure try out the new code + rate limiting and let you know! Thanks! 😄

@buttle I will for sure try out the new code + rate limiting and let you know! Thanks! 😄

@buttle I updated https://formulaire.facil.services to v4.9.2, turned on rate limiting and re-enabled public registration. The experiment has begun... 😸

@buttle I updated https://formulaire.facil.services to v4.9.2, turned on rate limiting and re-enabled public registration. The experiment has begun... 😸
Sign in to join this conversation.
No Branch/Tag specified
main
feat/form-quiz
chore/L10n-inline-help
chore/L10n
chore/L10n-form-templates
chore/L10n-public-form
develop
RC
feature/pyproject
chore/L10n-formbuilder
fix/image-public-urls-json
fix/email-multipart
feat/user-honeypots
feat/auto-expire-purge-forms
feat/ldap-authentik
feat/middleware-limiter
feat/auto-expire
feat/form-name-in-title-and-opengraph
tests/fake-email-server
feat/page-break-form-field
feat/bulk-file-download
feat/data-display-media-type
feat/inline-help
feat/poetry
chore/L10n-parsley
bogus-form-submit
feat/public-form-i18n
fix/L10n
chore/upgrade-py-libraries
feat/star-rating-form-field
chore/upgrade-formbuilder-core
fix_PIL_error_wrong_mimetype_saving
feat/extended-form-fields
feat/webhooks
fix/array-value-bug
feat/form-themes
bugfix-plaintext-answer-edit
feat/moderator-role
fix/auth-wrapper
feat/conditional-fields
feat/data-download
feat/pdf-media
chore/tests
feat/postgres-orm
v5.0.0-dev-1
v4.10.0
v4.9.3
v4.9.2
v4.9.1
v4.9.0
v4.9.0-dev-6
v4.9.0-dev-5
v4.9.0-dev-4
v4.9.0-dev-3
v4.9.0-dev-2
v4.9.0-dev-1
v4.8.1
v4.8.0
v4.8.0-dev-3
v4.8.0-dev-2
v4.8.0-dev-1
v4.7.0
v4.6.1
v4.6.0
v4.5.1
v4.5.0
v4.4.0
v4.3.1
v4.3.0
v4.2.0
v4.1.2
v4.1.1
v4.1.0
v4.0.1
v4.0.0
v4.0.0-RC3
v4.0.0-RC2
v3.7.1
v3.7.0
v4.0.0-RC1
v3.6.0
v3.5.0
v4.0.0-dev-6
v4.0.0-dev-5
v4.0.0-dev-4
v4.0.0-dev-3
v3.4.0
v3.3.1
v3.3.0
v4.0.0-dev-2
v4.0.0-dev-1
v3.2.0
v3.2.0-dev-4
v3.2.0-dev-3
v3.2.0-dev-2
v3.2.0-dev-1
v3.1.1
v3.1.0
v3.1.0-dev-6
v3.1.0-dev-5
v3.1.0-dev-4
v3.1.0-dev-3
v3.1.0-dev-2
v3.1.0-dev-1
v3.0.1
v3.0.0
v3.0.0-dev-21
v3.0.0-dev-20
v3.0.0-dev-19
v3.0.0-dev-18
v3.0.0-dev-17
v3.0.0-dev-16
v3.0.0-dev-15
v3.0.0-dev-14
v3.0.0-dev-13
v3.0.0-dev-12
v3.0.0-dev-11
v3.0.0-dev-10
v3.0.0-dev-9
v3.0.0-dev-8
v3.0.0-dev-7
v3.0.0-dev-6
v3.0.0-dev-5
v3.0.0-dev-4
v3.0.0-dev-3
v3.0.0-dev-2
v3.0-dev-1
v3.0-dev
v2.1.2
v2.1.1
v2.1.0
v2.1.0-dev-4
v2.1.0-dev-3
v2.1.0-dev-2
v2.1.0-dev-1
v2.0.1-dev-3
v2.0.1-dev-2
v2.0.1-dev-1
v2.0.0
v.1.8.0
v2.0.0-dev-23
v2.0.0-dev-22
v2.0.0-dev-21
v2.0.0-dev-20
v2.0.0-dev-19
v2.0.0-dev-18
v2.0.0-dev-17
v2.0.0-dev-16
v2.0.0-dev-15
v2.0.0-dev-14
v2.0.0-dev-13
v2.0.0-dev-12
v2.0.0-dev-11
v2.0.0-dev-10
v2.0.0-dev-9
v2.0.0-dev-8
v2.0.0-dev-7
v2.0.0-dev-6
v2.0.0-dev-5
v2.0.0-dev-4
v2.0.0-dev-3
v2.0.0-dev-2
v2.0.0-dev-1
v2.0.0-dev
list
v1.8.13
pre-mongoengine
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
4 participants
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
LiberaForms/server#797
Reference in a new issue
LiberaForms/server
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?