Hey everyone, I recently created an image compression tool and have been using Google Recaptcha for security. However, I'm facing a problem: the recaptcha token expires in just 2 minutes, while the compression process for larger files can take more than that. I'm considering removing recaptcha altogether and switching to a simple math-based solution to deter bots. Will that be secure enough, or should I stick with recaptcha?
5 Answers
One option is to generate a session token on your backend and protect the upload endpoint with recaptcha. You can send the session token with each upload request and manage its validity. This way, you control how long tokens last without depending solely on the recaptcha expiration.
I wouldn't rely on a simple math method; it's generally not enough. While nothing can completely eliminate bot traffic, you need to determine what level of security is acceptable for your situation. Some alternatives you might consider are hcaptcha, Cloudflare Turnstile, or FriendlyCaptcha.
Many image compression tools actually focus more on rate limiting than on captchas, given that user uploads are usually legitimate and the processing time can vary. You might want to explore that direction as well.
I'm trying out Cloudflare Turnstile myself—it's great because the token validity is 5 minutes, which sounds like it might be enough time for your needs!
You might want to split the process into two HTTP calls. Make the first call just to validate the Google token, and in return, get a one-time URL for the image upload. Also, you should check out modern compression tools that can operate in the browser with WebAssembly!
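The two-step flow described in this answer and in the earlier session-token answer (verify the captcha once, then issue your own short-lived, one-time upload credential), as an added example that is not from any of the answerers: a Python backend helper that mints an HMAC-signed upload token after the captcha check succeeds and validates it when the upload arrives. The captcha verification call itself, the secret key and the 15-minute lifetime are assumptions.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional, Tuple

# Constructed example secret; a real deployment loads this from configuration, never from source.
SECRET_KEY = b"constructed-example-secret-do-not-reuse"
TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime, long enough to cover a slow compression job

# One-time-use bookkeeping. In-memory here; behind several workers use a shared store instead.
_consumed_nonces = set()


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode()


def issue_upload_token(session_id: str, now: Optional[float] = None) -> str:
    """Call this only after the captcha verification request (not shown) reported success.

    Returns base64(payload).base64(hmac). The payload carries the session id, an expiry and a
    random nonce so the token can be consumed exactly once."""
    now = time.time() if now is None else now
    claims = {"sid": session_id, "exp": int(now) + TOKEN_TTL_SECONDS, "nonce": secrets.token_hex(8)}
    payload = json.dumps(claims, separators=(",", ":")).encode()
    sig = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)


def verify_upload_token(token: str, now: Optional[float] = None) -> Tuple[bool, str]:
    """Check signature first, then expiry, then single use. Returns (ok, session id or reason)."""
    now = time.time() if now is None else now
    try:
        payload_b64, sig_b64 = token.split(".", 1)
        payload = base64.urlsafe_b64decode(payload_b64)
        sig = base64.urlsafe_b64decode(sig_b64)
    except ValueError:  # missing separator or invalid base64 (binascii.Error is a ValueError)
        return False, "malformed"
    expected = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        return False, "bad signature"
    claims = json.loads(payload)  # safe to parse: the signature covered these exact bytes
    if now > claims["exp"]:
        return False, "expired"
    if claims["nonce"] in _consumed_nonces:
        return False, "already used"
    _consumed_nonces.add(claims["nonce"])
    return True, claims["sid"]
```

The upload endpoint then accepts a request only when `verify_upload_token` returns `True`, so the captcha's own 2-minute window only has to cover the first, fast call.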

Yeah, definitely check out the Compression Streams API for browser-based compression options: https://developer.mozilla.org/en-US/docs/Web/API/Compression_Streams_API