Security

How gkCAPTCHA protects your site and best practices for secure integration.

Security Features

AI-Resistant Detection

Our scoring engine uses comprehensive behavioral analysis to detect AI agents and other automated threats attempting to solve CAPTCHAs.

Proof of Work

Cryptographic Proof-of-Work with adaptive difficulty makes automated attacks computationally expensive.

Saudi Data Residency

All data is processed and stored in our Riyadh data center. No data ever leaves Saudi Arabia.

Privacy-First

No tracking cookies, no persistent fingerprinting. Behavioral data is processed in real-time and not stored.

Bot Detection

Our multi-layer detection system analyzes:

Behavioral Analysis

  • Identifies non-human movement and interaction patterns
  • Detects anomalous velocity, acceleration, and rhythm
  • Flags automated scrolling and navigation behavior

Environmental Analysis

  • Identifies automated browsing environments
  • Detects inconsistencies in reported browser capabilities
  • Flags environments commonly associated with bot activity

Temporal Analysis

  • Analyzes timing patterns across the verification flow
  • Detects unnaturally fast or scripted interactions
  • Identifies suspicious session timing patterns

Form Analysis

  • Detects programmatic form submissions
  • Identifies non-human input patterns
  • Flags automated data entry behavior

Security Best Practices

Keep Your Secret Key Secret

Your secret key is what lets your backend call the verification API on your behalf. It must only live on the server: never in client-side code or bundles, never committed to version control, and never written to logs or error messages. Load it from the environment or a secrets manager at startup and fail fast if it is missing.

javascript
// WRONG - Never expose the secret key in client-side or committed code
const secretKey = "sk_live_xxx"; // Anyone can read this from the bundle or the repo history

// CORRECT - Load it on the server from the environment (or a secrets manager)
const secretKey = process.env.GKCAPTCHA_SECRET_KEY;
if (!secretKey) {
  // Fail at startup rather than sending unauthenticated verification requests later
  throw new Error('GKCAPTCHA_SECRET_KEY is not set');
}

Verify Hostname

Always check that the hostname in the verification response matches the domain your widget is legitimately served from. The token only proves that a challenge was solved somewhere; without this check, a token solved on a page the attacker controls (one that embeds a copy of your widget) can be carried over and submitted to your backend, where it would otherwise be accepted.

javascript
const result = await verifyCaptcha(token);

// Always verify hostname
if (result.hostname !== 'yourdomain.com') {
  throw new Error('Token was not generated on your domain');
}
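The single hard-coded comparison above is the minimum. The following is an added example (not gkCAPTCHA's own code) that checks the reported hostname against a small allowlist, normalises case and a trailing dot before comparing, and rejects suffix look-alikes such as `yourdomain.com.attacker.example`. It assumes the verification response is an object with `success` (boolean) and `hostname` (string) fields; the allowlist contents and the field names are assumptions for illustration.

```javascript
// Added example, not gkCAPTCHA's own code. Assumes the verification response
// is an object with `success` (boolean) and `hostname` (string) fields.

// Allowlist of hostnames the widget is legitimately served from (assumption).
const ALLOWED_HOSTNAMES = new Set(['yourdomain.com', 'www.yourdomain.com']);

// Normalise a hostname for comparison: trim, lower-case, drop a trailing dot.
// Returns null for anything that is not a usable hostname string.
function normalizeHostname(hostname) {
  if (typeof hostname !== 'string') return null;
  let h = hostname.trim().toLowerCase();
  if (h.endsWith('.')) h = h.slice(0, -1);
  return h || null;
}

// Exact-match check against the allowlist. Deliberately not endsWith():
// a suffix test would accept "yourdomain.com.attacker.example".
function isTrustedHostname(hostname, allowed = ALLOWED_HOSTNAMES) {
  const h = normalizeHostname(hostname);
  return h !== null && allowed.has(h);
}

// Decide whether a verification response proves a solve on one of our pages.
// Both the success flag and the hostname must check out.
function acceptVerification(result, allowed = ALLOWED_HOSTNAMES) {
  if (!result || result.success !== true) {
    return { ok: false, reason: 'verification_failed' };
  }
  if (!isTrustedHostname(result.hostname, allowed)) {
    return { ok: false, reason: 'hostname_mismatch' };
  }
  return { ok: true, reason: null };
}

// Constructed sample responses (not real gkCAPTCHA output).
const sampleResponses = [
  { success: true, hostname: 'yourdomain.com' },
  { success: true, hostname: 'WWW.yourdomain.com.' },
  { success: true, hostname: 'yourdomain.com.attacker.example' },
  { success: false, hostname: 'yourdomain.com' },
];
for (const r of sampleResponses) {
  console.log(JSON.stringify(r), '->', JSON.stringify(acceptVerification(r)));
}
```

Replace the hard-coded comparison in your handler with `acceptVerification(result)` and reject the request whenever `ok` is false; the `reason` field is for your own logs, not for the client.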

Implement Rate Limiting

Protect your verification endpoint so a single client cannot submit tokens at high volume. Rate limiting blunts brute-force and replay attempts against the endpoint and also bounds how many calls your server makes to the verification API on an attacker's behalf. Key the limit on the real client address: if your app sits behind a reverse proxy, configure the framework's trusted-proxy setting so the limiter sees the client IP rather than the proxy's.

javascript
// Example rate limiting with express-rate-limit
import rateLimit from 'express-rate-limit';

const captchaLimiter = rateLimit({
  windowMs: 15 * 60 * 1000, // 15 minutes
  max: 100, // limit each IP to 100 requests per window
  message: 'Too many verification attempts'
});

app.post('/api/verify', captchaLimiter, verifyHandler);
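To make the behaviour of the configuration above concrete, here is an added example (not gkCAPTCHA's code and not the internals of express-rate-limit) of a sliding-window limiter keyed by client IP, with an injectable clock so it can be exercised deterministically, plus an Express-style middleware wrapper around it. It keeps state in process memory only, so, like the library's default store, it does not share counts across multiple instances; the IP addresses and the `req`/`res` shapes in the walk-through are constructed for illustration.

```javascript
// Added example, not gkCAPTCHA's own code nor express-rate-limit's internals.
// Sliding-window limiter: a key is allowed at most `max` requests in any
// trailing `windowMs` interval. In-memory only (single process).
class SlidingWindowLimiter {
  constructor({ windowMs, max, now = () => Date.now() }) {
    this.windowMs = windowMs;
    this.max = max;
    this.now = now;                // injectable clock for deterministic tests
    this.hits = new Map();         // key -> timestamps still inside the window
  }

  // Returns true if the request is admitted, false if the key is over limit.
  allow(key) {
    const t = this.now();
    const cutoff = t - this.windowMs;
    // Drop timestamps that have aged out of the window before counting.
    const stamps = (this.hits.get(key) || []).filter((s) => s > cutoff);
    if (stamps.length >= this.max) {
      this.hits.set(key, stamps);
      return false;
    }
    stamps.push(t);
    this.hits.set(key, stamps);
    return true;
  }
}

// Express-style middleware. Assumes req.ip is the real client address,
// i.e. the app's trusted-proxy setting is configured correctly.
function captchaLimiterMiddleware(limiter) {
  return (req, res, next) => {
    if (limiter.allow(req.ip)) return next();
    res.status(429).json({ error: 'Too many verification attempts' });
  };
}

// Constructed walk-through with a fake clock: 3 requests per 15 minutes.
function demo() {
  let clock = 0;
  const windowMs = 15 * 60 * 1000;
  const limiter = new SlidingWindowLimiter({ windowMs, max: 3, now: () => clock });
  const results = [];
  for (let i = 0; i < 4; i++) results.push(limiter.allow('203.0.113.5')); // 4th is refused
  clock += windowMs + 1;                                                   // window has passed
  results.push(limiter.allow('203.0.113.5'));                              // admitted again
  results.push(limiter.allow('198.51.100.7'));                             // separate key, fresh budget
  return results; // [true, true, true, false, true, true]
}

console.log(demo());
```

Mount it exactly like the library version (`app.post('/api/verify', captchaLimiterMiddleware(limiter), verifyHandler)`); for a multi-instance deployment move the `hits` map into a shared store such as Redis.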

Content Security Policy

If your site sets a Content Security Policy, allow the gkCAPTCHA origin in the script-src, connect-src and frame-src directives; otherwise the widget's script, its API calls, or its frame will be blocked. Prefer delivering the policy as a Content-Security-Policy HTTP response header; the meta tag below is equivalent for the directives shown.

html
<!-- Content Security Policy for gkCAPTCHA -->
<meta http-equiv="Content-Security-Policy" content="
  script-src 'self' https://gkcaptcha.gatekeeper.sa;
  connect-src 'self' https://gkcaptcha.gatekeeper.sa;
  frame-src 'self' https://gkcaptcha.gatekeeper.sa;
">

Compliance

Standard                                   Status
PDPL (Saudi Data Protection)               Compliant
WCAG 2.2 AA (Accessibility)                Compliant
SAMA Cyber Security Framework              Aligned
NCA Essential Cybersecurity Controls       Aligned

For detailed compliance information, see our PDPL Compliance page.

Security Vulnerability Reporting

If you discover a security vulnerability, please report it responsibly:

Email: security@gatekeeper.sa

Please include detailed steps to reproduce the vulnerability. We aim to respond within 24 hours and will work with you to address the issue promptly.