Only the latest released version is supported with security fixes.
Please report suspected vulnerabilities privately through GitHub Security Advisories, or by emailing the maintainer listed in the repository.
Do not publish a public issue for a suspected vulnerability until maintainers have had a reasonable opportunity to investigate and release a fix.
- Always sign challenges with
ALTCHA_HMAC_SECRET. - Use short expirations, for example 5 to 10 minutes.
- Store used challenge signatures/nonces server-side and reject replays.
- Bind challenge metadata to the expected action, for example
--data action=register. - Never trust challenge fields submitted by the browser unless
verifyorverify-payloadsucceeds.