CAPTCHA Shield is primarily a client-side demo and widget system. The client-side code provides friction and deterrence, but NOT production-grade security.

For production deployments, you MUST add server-side verification:

• Verify signed tokens with cryptographic signatures
• Validate nonces with TTL expiration
• Implement rate limiting
• Correlate client and server signals
• Never trust client-reported risk scores

See docs/SECURITY_MODEL.md for complete security architecture.

We take security vulnerabilities seriously. If you discover a security vulnerability in CAPTCHA Shield, please report it responsibly.

Nos tomamos las vulnerabilidades de seguridad en serio. Si descubres una vulnerabilidad de seguridad en CAPTCHA Shield, por favor repórtala de forma responsable.

1. Do NOT open a public issue for security vulnerabilities.
2. NO abras un issue público para vulnerabilidades de seguridad.
3. Send an email describing the vulnerability to the project maintainers.
4. Include:
   • Description of the vulnerability
   • Steps to reproduce
   • Potential impact
   • Suggested fix (if any)

1. We will acknowledge receipt within 48 hours.
2. We will assess the severity and determine a timeline.
3. We will keep you updated on the fix progress.
4. Once fixed, we will credit you (unless you prefer to remain anonymous).

• Always keep your .env files out of version control
• Siempre mantén tus archivos .env fuera del control de versiones
• Use HTTPS in production
• Usa HTTPS en producción
• Regularly update dependencies: npm audit
• Actualiza dependencias regularmente: npm audit
• Review the Next.js Security Best Practices

• Behavioral analysis is heuristic-based and may produce false positives/negatives
• El análisis comportamental es heurístico y puede producir falsos positivos/negativos
• Canvas rendering may behave differently across browsers
• El renderizado en canvas puede comportarse diferente entre navegadores
• Client-side verification alone is insufficient for production security
• La verificación client-side sola es insuficiente para seguridad en producción
• No server-side token validation by default
• Sin validación de tokens en servidor por defecto

For full security model and production deployment guidance, see:

• docs/SECURITY_MODEL.md - Complete security architecture
• docs/PRODUCTION_BACKEND_PLAN.md - Backend verifier plan
• examples/form-protected-demo.html - Demo with client-side warning