Security Best Practices
Follow these guidelines to ensure maximum protection from bots.
1. Always Verify Server-Side
Never trust the client-side token alone. Always verify with the Sloxly API on your server before processing form data.
Skipping server verification means any bot can bypass your captcha by submitting a fake token.
2. Keep Secret Keys Secure
- Never expose `secret_key` in frontend code or public repos
- Use environment variables or secure config files
- Rotate keys immediately if compromised
3. Lock Keys to Domains
Always restrict your captcha keys to specific domains in the Developer Console. This prevents unauthorized use of your keys on other websites.
4. Use Tokens Only Once
Each captcha token is single-use. The Sloxly API automatically invalidates tokens after the first verification attempt. Never retry with the same token.
5. Check Token Expiry
Tokens expire after 5 minutes. If a user takes too long to submit a form, the token may expire and verification will fail. Handle this by asking the user to re-complete the captcha.
6. Monitor Analytics
Use the Developer Console analytics dashboard to monitor:
- Success vs. failure rates
- Unusual traffic patterns
- Potential bot attacks (many failures from same IP)
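As an added example of the last monitoring point (many failures from the same IP), the script below runs over a constructed verification log and flags any IP that accumulates a threshold number of failures inside a sliding time window, alongside the overall success/failure rate. This is not Sloxly code and the log line format `<ISO timestamp> ip=<addr> result=<success|failure>` is an assumption for illustration; adapt the parser to whatever the Developer Console exports.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of verification-log lines (not real Sloxly output; the
# line format is assumed for this example).
SAMPLE_LOG = """\
2024-05-01T12:00:01Z ip=198.51.100.4 result=success
2024-05-01T12:00:03Z ip=203.0.113.9 result=failure
2024-05-01T12:00:07Z ip=203.0.113.9 result=failure
2024-05-01T12:00:09Z ip=192.0.2.77 result=failure
2024-05-01T12:00:12Z ip=203.0.113.9 result=failure
2024-05-01T12:00:15Z ip=198.51.100.4 result=success
2024-05-01T12:00:20Z ip=203.0.113.9 result=failure
2024-05-01T12:00:26Z ip=203.0.113.9 result=failure
2024-05-01T12:00:30Z ip=198.51.100.4 result=failure
2024-05-01T12:00:31Z ip=203.0.113.9 result=failure
2024-05-01T12:05:00Z ip=192.0.2.77 result=failure
"""

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def parse_line(line):
    """Parse one log line into (timestamp, ip, result)."""
    ts, ip_kv, result_kv = line.split()
    return (
        datetime.strptime(ts, TS_FORMAT),
        ip_kv.split("=", 1)[1],
        result_kv.split("=", 1)[1],
    )


def summarize(lines):
    """Count successes and failures and compute the failure rate."""
    counts = {"success": 0, "failure": 0}
    for line in lines:
        if line.strip():
            counts[parse_line(line)[2]] += 1
    total = counts["success"] + counts["failure"]
    counts["failure_rate"] = counts["failure"] / total if total else 0.0
    return counts


def flag_suspicious_ips(lines, threshold=5, window=timedelta(minutes=1)):
    """Return {ip: timestamp} for IPs whose failures reach `threshold` inside
    any sliding `window`, keyed to the moment the threshold was first crossed.
    """
    events = sorted(parse_line(l) for l in lines if l.strip())
    recent = defaultdict(deque)  # per-IP failure timestamps inside the window
    flagged = {}
    for ts, ip, result in events:
        if result != "failure":
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:  # drop failures that aged out
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = ts.strftime(TS_FORMAT)
    return flagged


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print(summarize(lines))
    print(flag_suspicious_ips(lines))
```

The threshold and window are tunable; a burst of failures from one address is the pattern worth alerting on, while isolated failures spread over minutes (as with `192.0.2.77` in the sample) are ordinary user error.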
Security Checklist
| ✓ | Practice |
|---|---|
| ☑ | Server-side verification on every form submission |
| ☑ | Secret key stored in server-side config only |
| ☑ | Domain restrictions enabled |
| ☑ | Token expiry handled with user-friendly message |
| ☑ | Analytics monitored regularly |
| ☑ | Keys rotated periodically |