locomotivecms / engine

A platform to create, publish and edit sites
http://www.locomotivecms.com

Insecure captcha recommendations #1219

Closed ahoernecke closed 6 years ago

ahoernecke commented 7 years ago

I noticed there are instructions on using recaptcha on a contact form available on your documentation page (https://locomotive-v3.readme.io/docs/using-recaptcha-in-a-contact-form).

These instructions validate the captcha request in JavaScript on the client side instead of on the server side. This does not provide any additional security and is trivially bypassed. Verification of the reCAPTCHA submission should be done on the server side. Google has documentation to this effect here: https://developers.google.com/recaptcha/docs/verify

I understand you might not want to support this as a fully fleshed-out option, but the documentation should not give instructions for an insecure implementation, at least not without proper warnings and disclaimers.
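Server-side verification of the kind the report asks for, as an added Ruby example that is not LocomotiveCMS code: the form's `g-recaptcha-response` token is posted to Google's `siteverify` endpoint together with the secret key, which never reaches the browser, and the form is only processed when Google answers `"success": true`. The `http_post` argument, the optional `expected_hostname` check and the module name are assumptions made for this example; the default poster uses `Net::HTTP` and can be swapped for a stub in tests.

```ruby
require "json"
require "net/http"
require "uri"

# Verifies a reCAPTCHA token on the server, per Google's verify docs.
# A client-side check can be skipped by anyone who edits the page; this
# check runs where the attacker has no control.
module RecaptchaVerifier
  VERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"

  # Returns true only when Google confirms the token for this secret.
  # expected_hostname (assumed option) additionally rejects tokens solved
  # on a different site, using the "hostname" field Google returns.
  def self.verify(token, secret:, remote_ip: nil, expected_hostname: nil,
                  http_post: method(:default_post))
    return false if token.nil? || token.strip.empty?   # nothing to verify

    params = { "secret" => secret, "response" => token }
    params["remoteip"] = remote_ip if remote_ip
    data = JSON.parse(http_post.call(VERIFY_URL, params))

    return false unless data["success"] == true
    return false if expected_hostname && data["hostname"] != expected_hostname
    true
  rescue JSON::ParserError
    false   # a malformed reply is a failure, never an implicit pass
  end

  # Real HTTP POST used outside tests (form-encoded, as siteverify expects).
  def self.default_post(url, params)
    Net::HTTP.post_form(URI(url), params).body
  end
end

# Where the check belongs: in the request handler, before the message is
# stored or mailed. `params` is the submitted form hash (constructed input).
def handle_contact_form(params, secret:, **opts)
  token = params["g-recaptcha-response"]
  return :rejected unless RecaptchaVerifier.verify(token, secret: secret, **opts)
  :accepted   # deliver the message here
end
```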

did commented 6 years ago

@ahoernecke good point. Let's remove this page from the documentation.

did commented 6 years ago

done