Security: Captcha, ReactiveVar, client validation and browser console


#1

I am integrating svg-captcha and of course trying to limit anything performed on server. At the moment I generate an svg string with the captcha result in a server method and store them both in a ReactiveVar on client.

The question is, is it safe to both store captcha result together with SVG string in the same ReactiveVar and validate it right on the client? Or one can just get the state of a ReactiveVar right from from browser console?

I mean of course if required a human can debug the code on client and get the captcha result (though it would be easier just to see the svg :slight_smile: ), but since this ‘defence’ is against robots I wonder if a ‘typical robot’ is capable of doing it?