These will stop curl-based requests but will not do anything against headless browsers. mCaptcha is mostly dead.
It increases the cost to the bot only and does not stop anything unless you sign up for the monthly subscription pay-per-request plan from Altcha, for example. Then you are in a paid Turnstile situation, and not self-hosted. (https://altcha.org/docs/v2/sentinel/ - with third-party API services, paid IP databases, and an additional paid subscription key; this is the only mode that will do anything of much value)
I'm convinced the most accurate way to use a captcha is to assume that any user that completes the puzzle is a bot.
Well, that's just not true, is it? Try having any public form and you'll see tons of bot submissions, add a captcha, most of them go away.
I think Altcha is better; I have heard good things about them. And it looks easy to implement and can be self-hosted, which is great!!
Thanks! Would you be able to share a bit more of what you've heard about Altcha?