Additional measures

A CAPTCHA solution — whichever one you choose — can only ever be one element of your website’s overall security strategy and should always be combined with additional protective measures.

Here are a few suggestions:

• Content Security Policy (CSP): A modern browser security feature that lets you specify which types of content (scripts, styles, images, iFrames, etc.) are allowed to load and execute on your website.

  Goal: Prevent cross-site scripting (XSS) and data injection attacks.

• Rate limiting: A mechanism that ensures a client (e.g. a user, browser, or bot) cannot send too many requests to your server in a short period of time.

  Goal: Prevent denial-of-service (DoS) attacks.

• (Dynamic) IP blacklisting: A feature that allows you to block specific IP addresses or address ranges to prevent them from accessing your server. Tools such as Fail2Ban can manage these lists dynamically by blocking IPs only when they exhibit suspicious behaviour (for example, multiple failed login attempts within a short time).

  Goal: Block clients with suspicious behaviour patterns.

• TLS hardening: Beyond the obvious requirement that your website must be accessible via HTTPS, you should also ensure that only TLS 1.2 and TLS 1.3 are offered, and that outdated or insecure cryptographic algorithms are disabled.

  Goal: Ensure secure encryption of communication.

• HTTP Strict Transport Security (HSTS): A mechanism that forces browsers to connect to your website exclusively via HTTPS, never via insecure HTTP.

  Goal: Protection against man-in-the-middle attacks.