For a long time we have been thinking about how to protect RevolveR CMF installations, and we have spent a lot of time on XSS and SQL injection protection. We also built bot and spam protection based on a captcha.
For every route the Core generates personal hashes and a pattern the user has to repeat. A hash lives only 30 minutes and is destroyed when the user leaves a page that contains any forms. This is not the final step in making the captcha better: we are seriously thinking about using frontend and backend crypto techniques to secure POST data.
How does it work? First, for every route the captcha generates a personal pattern containing coordinates, shuffles this data, adds Roman letters to make analysis impossible, and adds a hash containing the time and secret data. Next, when the page renders, the captcha performs a fetch POST request to generate the keys and the pattern, and renders the pattern on a canvas as the example the user has to reproduce when they submit the form. Before submit, the captcha rearranges the entered coordinates and shuffles them again. Then the data is sent to the server, where Core functions check the path of the posted data, the hashes and the time.
For now this solution works perfectly for blocking automatic spam programs and denies the possibility of brute force and hacking.
Now we want to add advanced encryption of the internal captcha data, using browser-based crypto techniques together with backend crypto algorithms, to make everything better. So next we have to upgrade the RevolveR Frontend library with new crypto features.