How do I protect my contact form with a CAPTCHA?

There are two main types of CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart). Either can be used to deter the Tinfoil Security scanner and to help prevent unwanted email or comment spam.

1) Active CAPTCHAs:

Active CAPTCHAs are the familiar challenge-response puzzles that are relatively easy for a human to solve but difficult for a program or bot. We recommend using a common widget like that provided by Like any other security solution, the best practice is to use a well-known library where possible rather than creating a possibly vulnerable solution in-house.
Currently the Tinfoil Security scanner won't attempt to solve the CAPTCHA, but instead will flag and ignore the forms protected by one.

2) Negative CAPTCHAs:

A negative CAPTCHA takes the opposite approach: it presents a puzzle that a human is unlikely to solve but that a program finds easy and tempting. It is used when you want the CAPTCHA to be invisible to humans, and it is typically implemented with a hidden honey-pot input. Because the input is marked hidden, most humans never see it, but any program that parses your site's HTML does. Programs like the Tinfoil Security scanner will fill the input in, whereas a human almost never will. On the backend, the form submission can be rejected whenever that input contains a value, which catches many programs red-handed.

Another common tactic is to use a bit of JavaScript to fill a hidden form field with a known value. Humans, who can't see the input, won't empty or change it, but programs such as the Tinfoil Security scanner don't execute JavaScript and so never fill in the value. The server can then reject any request whose hidden input does not carry the expected value.
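The two negative-CAPTCHA variants above (a honey-pot field and a JavaScript-filled field), as an added example that is not Tinfoil Security's code or any library's. The form markup, the field names `website` and `js_check`, the token value and the sample submissions are all constructed for illustration:

```ruby
# Server-side checks for a negative CAPTCHA (added example, not from the page).
# "website" is the honey-pot: hidden with CSS so humans never see it, but a
# program parsing the HTML will treat it as just another text input.
# "js_check" starts empty and is filled by a small script; a client that does
# not run JavaScript submits it blank.
CONTACT_FORM_HTML = <<~HTML
  <form method="post" action="/contact">
    <label>Email <input name="email" type="email"></label>
    <label>Message <textarea name="message"></textarea></label>
    <div style="display:none" aria-hidden="true">
      <label>Website <input name="website" type="text" autocomplete="off" tabindex="-1"></label>
    </div>
    <input name="js_check" type="hidden" value="">
    <script>document.querySelector('input[name=js_check]').value = 'human-ok';</script>
    <button type="submit">Send</button>
  </form>
HTML

# Constructed expected token. A real deployment would generate a random
# per-session value, render it into the script, and compare against the session.
EXPECTED_JS_VALUE = 'human-ok'.freeze

# Returns { accepted: true/false, reasons: [...] } for a parsed POST body.
def validate_submission(params, expected_token = EXPECTED_JS_VALUE)
  reasons = []
  # Honey-pot: any content means something filled in a field no human can see.
  reasons << 'honeypot filled' unless params['website'].to_s.strip.empty?
  # JS token: missing or wrong means the client never executed the page's script.
  reasons << 'js token missing or wrong' unless params['js_check'] == expected_token
  { accepted: reasons.empty?, reasons: reasons }
end

# Constructed sample submissions.
HUMAN     = { 'email' => 'a@example.com', 'message' => 'hi', 'website' => '',                    'js_check' => 'human-ok' }.freeze
BOT_FILL  = { 'email' => 'a@example.com', 'message' => 'hi', 'website' => 'http://spam.example', 'js_check' => 'human-ok' }.freeze
BOT_NO_JS = { 'email' => 'a@example.com', 'message' => 'hi', 'website' => '',                    'js_check' => '' }.freeze

if __FILE__ == $PROGRAM_NAME
  [HUMAN, BOT_FILL, BOT_NO_JS].each { |p| puts validate_submission(p).inspect }
end
```

Both checks only stop clients that parse HTML without rendering it; a program that executes JavaScript and skips hidden fields passes them, which is why the page recommends a well-known active CAPTCHA widget when stronger assurance is needed. Rejected submissions are worth logging with the reason so you can see which check is doing the work.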

A good reference on this technique and its variations can be found at, and a common library for Ruby-based applications is at
