/verify/jwt is intended to be used by the web app server. If the endpoint is not secured, an unauthorized web app server can use the captcha microservice for free even if the secret is not leaked. Disabling CORS alone is inadequate to prevent unauthorized usage, as it can be easily bypassed through a proxy.
Secure the endpoint using an IP whitelist and/or a bearer token.
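One way to apply both controls in front of /verify/jwt, as an added example that is not the project's own code. The function names, allowlisted networks and token value are assumptions constructed for illustration, and this sketch requires both checks to pass rather than either one.

```python
import hmac
import ipaddress

# Assumed configuration (constructed values): networks of the authorised
# web app servers and the token shared with them out of band.
ALLOWED_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.5.0/24", "203.0.113.7/32")]
API_TOKEN = "example-token-change-me"


def ip_allowed(peer_ip, networks=ALLOWED_NETWORKS):
    """True if the TCP peer address falls inside an allowlisted network."""
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False
    # Treat IPv4-mapped IPv6 peers (::ffff:a.b.c.d) as their IPv4 address.
    mapped = getattr(addr, "ipv4_mapped", None)
    if mapped is not None:
        addr = mapped
    return any(addr in net for net in networks)


def token_valid(authorization, expected=API_TOKEN):
    """True if the Authorization header is 'Bearer <expected>'."""
    scheme, _, presented = (authorization or "").partition(" ")
    if scheme.lower() != "bearer" or not presented:
        return False
    # Constant-time comparison avoids leaking the token through timing.
    return hmac.compare_digest(presented.strip().encode(), expected.encode())


def authorize_verify_jwt(peer_ip, headers):
    """Return an HTTP status for a /verify/jwt request: 200, 401 or 403.

    peer_ip must be the socket peer address. X-Forwarded-For is ignored
    because any client can set it.
    """
    if not ip_allowed(peer_ip):
        return 403
    auth = next((v for k, v in headers.items() if k.lower() == "authorization"), None)
    if not token_valid(auth):
        return 401
    return 200
```

If the microservice sits behind a reverse proxy, the peer address is the proxy's, so the allowlist check belongs on the proxy or must use a forwarded address that only that trusted proxy can set.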