Client-side validation is not enough

[unsudo]

Without proper server-side validation a captcha is worthless. You can easily bypass this captcha by opening the developer tools in any browser. Paste the following code for the validate() method in the console tab and hit "Enter". Now, every input is considered valid, even no input is valid, and the success callback is fired.

jCaptcha.prototype.validate = function() {
    this.callbackReceived = this.callbackReceived || (typeof this.options.callback == 'function');
    this.callbackReceived && this.options.callback('success', this.$el, 1);
    (this.options.clearOnSubmit === true) && (this.$el.value = '');
}

[bitsnaps]

A proper server-side based validation must be implemented at the backend. However, I believe these kind of tricks is mostly used to reduce the traffic on the backend by eliminating the basic bots which tried to perform a DDOS through post requests on any form, but I'm not sure with todays LLMs, OCRs, agent/computer-use/vision... which becomes very powerful against these kind of hacks!

[dertuxmalwieder]

Without proper server-side validation a captcha is worthless.

True, but what is this project supposed to do about it? Doesn't sound like a valid issue here.

[KaiPrince]

Without proper server-side validation a captcha is worthless.

I wouldn't say worthless. For many use cases, a captcha is just used as a guard against bots or scrapers. Opening the dev tools to bypass the captcha requires human intervention or a much more sophisticated bot. Therefore even a front-end only captcha can still be useful.

In my case, I'm using this on my personal website to prevent my email being scraped and flooded with spam. Someone who's mass spamming emails doesn't have the time to bypass captchas like this for every site.