The project I'm working on is a piece of static HTML with some inline JavaScript that will call a REST web-service, which I'm creating myself using .NET 3.5 WCF.
The JavaScript will grab some details from the user including an email address, then send those details off to the web-service through Ajax. The web-service will then store the details in a database.
Since this is a web-service, I'm pretty sure it would be stateless.
However, the requirement for the project is that the front-end JavaScript should also do a captcha, to prevent spamming.
The site itself will only be up for a few weeks (6 weeks max), and I don't think that's enough time for any would-be attackers to get serious about bringing the site down.
For this reason, I've considered making an entirely client-side captcha, since traditional captcha requires a stateful sessions.
However I'm curious to know what security measures would normally be implemented in a stateless environment, or if anyone thinks I'm wrong about client-side captcha validation being sufficient.