What is reCAPTCHA?
reCAPTCHA is most frequently seen acting as gatekeeper for online forms and login screens on web apps. Visitors often must complete a challenge before they can proceed. Usually, sites implement reCAPTCHA in the middle of a page, to ensure humans are the only submission sources.
While this common implementation can help with data validation, it requires that the page has already been loaded by the visitor, and it does nothing to keep the server from being overrun by an attack.
LiteSpeed addresses this limitation by moving reCAPTCHA from the application level to the server level.
Why use reCAPTCHA at the Server Level?
reCAPTCHA, when implemented on the server, provides more control than most other popular DDoS protection solutions. Legitimate visitors can still access the site while malicious actors are stopped, which makes it a powerful tool for limiting resource usage.
Application-level reCAPTCHA carries with it the cost of PHP overhead. LiteSpeed's reCAPTCHA page uses SSI, making it essentially a static page. Plus, reCAPTCHA doesn’t always have to be enabled. It can be configured with rewrite rules to selectively enable it by virtual host, or even by page. The LiteSpeed implementation uses a sensitivity scale to allow reCAPTCHA to be activated automatically when the server undergoes heavy load. When the load eases up, reCAPTCHA deactivates, leaving a frictionless experience for visitors.
A list of "good bots" as well as an IP whitelist further control when a reCAPTCHA challenge appears.
How Does it Work?
LiteSpeed redirects untrusted visitors to a static page when the server detects high load. The static page generates a challenge for the visitor. Upon completion, the verification runs through LiteSpeed. LiteSpeed comes bundled with an executable that takes the challenge response and forwards it to Google. If the response is valid, Google replies with a result that indicates success to LiteSpeed. Future visits by the same client will not be subjected to further reCAPTCHA checks.
LiteSpeed denies clients that fail by dropping the connection or returning a 403 error.
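The gating decisions described above (whitelist and good-bot bypass, load-based activation, one-time verification, denial on failure), modelled as a small Python class. This is an added illustration, not LiteSpeed's own code; the class and method names, the load threshold standing in for the sensitivity scale, and the `verify` callback standing in for the bundled executable that contacts Google are all assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class CaptchaGate:
    """Model of a server-level reCAPTCHA gate (illustrative, not LiteSpeed code)."""
    load_threshold: float                            # stand-in for the sensitivity scale
    allow_ips: set = field(default_factory=set)      # IP whitelist, never challenged
    good_bots: tuple = ("Googlebot", "Bingbot")      # trusted User-Agent substrings
    verified: set = field(default_factory=set)       # clients that already passed
    denied: set = field(default_factory=set)         # clients that failed a challenge

    def decide(self, ip: str, user_agent: str, load: float) -> str:
        """Return 'pass', 'challenge' or 'deny' for an incoming request."""
        if ip in self.allow_ips or any(b in user_agent for b in self.good_bots):
            return "pass"                            # whitelist / good bot bypass
        if load < self.load_threshold:
            return "pass"                            # load eased: gate is inactive
        if ip in self.denied:
            return "deny"                            # drop connection or 403
        if ip in self.verified:
            return "pass"                            # already solved a challenge
        return "challenge"                           # redirect to the static page

    def submit(self, ip: str, token: str, verify) -> bool:
        """Handle a challenge response; verify(token) models the Google round trip."""
        if verify(token):
            self.verified.add(ip)
            return True
        self.denied.add(ip)
        return False
```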
With LiteSpeed reCAPTCHA on guard, attacks are blocked before they have an opportunity to bring down the server, sparing you and your clients the headaches and potential lost revenue that downtime brings.