views:

417

answers:

1

The project I'm working on is a piece of static HTML with some inline JavaScript that will call a REST web-service, which I'm creating myself using .NET 3.5 WCF.

The JavaScript will grab some details from the user including an email address, then send those details off to the web-service through Ajax. The web-service will then store the details in a database.

Since this is a web-service, I'm pretty sure it would be stateless.

However, the requirement for the project is that the front-end JavaScript should also do a captcha, to prevent spamming.

The site itself will only be up for a few weeks (6 weeks max), and I don't think that's enough time for any would-be attackers to get serious about bringing the site down.

For this reason, I've considered making an entirely client-side captcha, since traditional captcha requires stateful sessions.

However I'm curious to know what security measures would normally be implemented in a stateless environment, or if anyone thinks I'm wrong about client-side captcha validation being sufficient.

+1  A: 

You may not even need a CAPTCHA. Many spam clients are too dumb to execute things like JavaScript. You could try just setting a hidden input to some value in JavaScript.

If your site is only up for a few weeks then I doubt anyone would build a client that would get around that.

That said, it would screw users without JavaScript, so I'd recommend putting a message on screen which the JavaScript removes. That would have the same input field but as a check box with a label which explains they need to check it not to be ignored.

sh1mmer