Without bot prevention, a single automated script can flood a community with thousands of posts per hour — overwhelming moderation queues, degrading feed quality, and inflating engagement metrics used to make product decisions. CWE-799 (Improper Control of Interaction Frequency) applies when there is no rate limiting or CAPTCHA on submission endpoints. OWASP A04:2021 (Insecure Design) frames the architectural gap: a platform designed without a bot prevention layer cannot be made safe by patching individual bugs. Bot floods are also the primary vector for coordinated inauthentic behavior, platform manipulation, and spam-link injection.
High because unprotected submission endpoints let bots flood content at machine speed, overwhelming moderation capacity and degrading community quality faster than humans can respond.
Apply rate limiting to every public-facing submission endpoint. Key it on the client IP for anonymous traffic and on the authenticated user where a session exists: one account spread across many IPs is still one account, and many users behind one NAT or corporate proxy are not one bot. Configure in src/middleware/rateLimiter.ts:

    import rateLimit from 'express-rate-limit';

    // 10 submissions per minute per client. The default key is req.ip (with IPv6
    // normalisation); set keyGenerator only when keying on the user id instead.
    export const postLimiter = rateLimit({
      windowMs: 60 * 1000,   // 1 minute
      max: 10,               // 10 posts per minute per IP
      standardHeaders: true, // RateLimit-* headers so well-behaved clients back off
      message: 'Too many submissions. Try again shortly.',
    });

    // Behind a reverse proxy or load balancer req.ip is the proxy's address unless
    // Express is told how many hops to trust; otherwise every user shares one bucket.
    app.set('trust proxy', 1);

    // Apply to all content routes (authenticate and the handlers are the app's own)
    app.post('/api/posts', postLimiter, authenticate, createPost);
    app.post('/api/comments', postLimiter, authenticate, createComment);
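The 10-per-minute rule above, worked as an added example that is not code from this page or from express-rate-limit: a fixed-window limiter keyed per authenticated user or, failing that, per client IP, with an injected clock so a burst and the window reset can be driven deterministically. The request shape, the user id u42 and the TEST-NET address 203.0.113.7 are constructed for the example.

```typescript
// Added example (not from the page): a fixed-window submission limiter keyed
// per user when authenticated, per client IP otherwise. No Express, no network;
// the clock is injected so behaviour at the window boundary can be exercised.

interface SubmissionRequest {
  ip: string;       // client address as resolved by the framework (trust proxy matters)
  userId?: string;  // present only after authentication
}

interface LimitDecision {
  allowed: boolean;
  remaining: number;    // submissions left in the current window
  retryAfterMs: number; // 0 when allowed; otherwise time until the window resets
}

class SubmissionLimiter {
  private readonly buckets = new Map<string, { count: number; windowStart: number }>();

  constructor(
    private readonly max: number,
    private readonly windowMs: number,
    private readonly now: () => number = () => Date.now(),
  ) {}

  // Prefer the authenticated identity: one user behind many IPs is still one
  // user, and many users behind one NAT or proxy address are not one bot.
  static keyFor(req: SubmissionRequest): string {
    return req.userId !== undefined ? `user:${req.userId}` : `ip:${req.ip}`;
  }

  check(req: SubmissionRequest): LimitDecision {
    const key = SubmissionLimiter.keyFor(req);
    const t = this.now();
    let bucket = this.buckets.get(key);
    // Start a fresh window if none exists or the previous one has elapsed.
    if (bucket === undefined || t - bucket.windowStart >= this.windowMs) {
      bucket = { count: 0, windowStart: t };
      this.buckets.set(key, bucket);
    }
    if (bucket.count >= this.max) {
      return { allowed: false, remaining: 0, retryAfterMs: bucket.windowStart + this.windowMs - t };
    }
    bucket.count += 1;
    return { allowed: true, remaining: this.max - bucket.count, retryAfterMs: 0 };
  }
}

interface BurstObservation {
  acceptedInBurst: number;
  rejectedInBurst: number;
  retryAfterMs: number;       // value reported on the last rejected request
  otherKeyUnaffected: boolean; // authenticated user on the same IP still allowed
  acceptedAfterReset: boolean; // bot allowed again once the window has elapsed
}

// Drive an anonymous bot at one request per second for 25 seconds, then check
// an authenticated user sharing its IP, then advance past the window.
function demoBurst(): BurstObservation {
  let clock = 1_000_000; // constructed epoch-ms value; only differences matter
  const limiter = new SubmissionLimiter(10, 60_000, () => clock);
  const bot: SubmissionRequest = { ip: '203.0.113.7' };                  // constructed (TEST-NET-3)
  const human: SubmissionRequest = { ip: '203.0.113.7', userId: 'u42' }; // same NAT, logged in

  let accepted = 0;
  let rejected = 0;
  let retryAfterMs = 0;
  for (let i = 0; i < 25; i++) {
    clock += 1_000;
    const d = limiter.check(bot);
    if (d.allowed) accepted += 1;
    else { rejected += 1; retryAfterMs = d.retryAfterMs; }
  }
  const otherKeyUnaffected = limiter.check(human).allowed;

  clock += retryAfterMs; // jump exactly to the end of the bot's window
  const acceptedAfterReset = limiter.check(bot).allowed;

  return { acceptedInBurst: accepted, rejectedInBurst: rejected, retryAfterMs, otherKeyUnaffected, acceptedAfterReset };
}
```

The property worth confirming is in demoBurst: the eleventh request inside the window is refused with a retry interval the client can honour, an authenticated user behind the same address is not punished for the bot's traffic, and the bot is admitted again once the window has elapsed. In a multi-instance deployment the Map would be replaced by a shared store such as Redis so every instance sees the same counts.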
For higher-risk surfaces (public posting without authentication), add hCaptcha or reCAPTCHA v3 and verify the token server-side against the provider's siteverify endpoint, checking the returned hostname and, for v3, the action and score; a widget that is only rendered client-side proves nothing. A rate limit above 100 requests per minute does not satisfy this check as meaningful bot prevention.
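Server-side evaluation of the CAPTCHA token, as an added example that is not from this page or from Google's libraries. The response fields (success, score, action, challenge_ts, hostname, error-codes) are the ones reCAPTCHA's siteverify returns; the policy values (action submit_post, hostname community.example, a 0.5 score threshold, a two-minute maximum age) and the six constructed responses are this example's assumptions. The HTTPS call to siteverify is out of scope; the function receives its parsed JSON.

```typescript
// Added example (not from the page): what a server must check in a reCAPTCHA v3
// siteverify response before treating a submission as human. success: true only
// means the token was genuine for this secret; hostname, action, freshness and
// score are what stop a token minted elsewhere from unlocking this endpoint.

interface SiteVerifyResponse {
  success: boolean;
  score?: number;        // v3 only: 0.0 (very likely a bot) .. 1.0 (very likely human)
  action?: string;       // action name the page passed to grecaptcha.execute
  challenge_ts?: string; // ISO 8601 time the challenge was solved
  hostname?: string;     // site on which the token was solved
  'error-codes'?: string[];
}

interface CaptchaPolicy {
  expectedAction: string;
  allowedHostnames: string[];
  minScore: number; // 0.5 here; tune per endpoint from observed score distribution
  maxAgeMs: number; // reject tokens older than this even if siteverify accepted them
}

interface Verdict { ok: boolean; reason: string }

function evaluateCaptcha(resp: SiteVerifyResponse, policy: CaptchaPolicy, now: Date): Verdict {
  if (!resp.success) {
    const codes = resp['error-codes'] ?? [];
    return { ok: false, reason: `verification failed: ${codes.length ? codes.join(',') : 'unknown'}` };
  }
  // A token solved on another site (e.g. a phishing page proxying the form) or
  // harvested from a different action must not unlock this endpoint.
  if (resp.hostname === undefined || !policy.allowedHostnames.includes(resp.hostname)) {
    return { ok: false, reason: `hostname mismatch: ${resp.hostname ?? 'missing'}` };
  }
  if (resp.action !== policy.expectedAction) {
    return { ok: false, reason: `action mismatch: ${resp.action ?? 'missing'}` };
  }
  // Freshness: tokens are single-use at the provider, but one solved in advance
  // and held for a burst is still worth refusing. Allow 30 s of clock skew.
  const solvedAt = resp.challenge_ts === undefined ? NaN : Date.parse(resp.challenge_ts);
  const ageMs = now.getTime() - solvedAt;
  if (Number.isNaN(ageMs) || ageMs < -30_000 || ageMs > policy.maxAgeMs) {
    return { ok: false, reason: 'challenge_ts missing, malformed or too old' };
  }
  // Score last: only a well-formed, correctly targeted token earns a look at it.
  if (typeof resp.score !== 'number' || resp.score < policy.minScore) {
    return { ok: false, reason: `score ${resp.score ?? 'missing'} below ${policy.minScore}` };
  }
  return { ok: true, reason: 'ok' };
}

interface DemoVerdicts {
  human: Verdict; lowScore: Verdict; wrongHost: Verdict;
  wrongAction: Verdict; stale: Verdict; failed: Verdict;
}

// Constructed responses exercising each branch; not captured from a deployment.
function demoVerdicts(): DemoVerdicts {
  const policy: CaptchaPolicy = {
    expectedAction: 'submit_post',
    allowedHostnames: ['community.example'],
    minScore: 0.5,
    maxAgeMs: 2 * 60 * 1000,
  };
  const now = new Date('2024-05-01T12:00:30Z');
  const base: SiteVerifyResponse = {
    success: true, score: 0.9, action: 'submit_post',
    challenge_ts: '2024-05-01T12:00:00Z', hostname: 'community.example',
  };
  return {
    human:       evaluateCaptcha(base, policy, now),
    lowScore:    evaluateCaptcha({ ...base, score: 0.1 }, policy, now),
    wrongHost:   evaluateCaptcha({ ...base, hostname: 'login-community.example' }, policy, now),
    wrongAction: evaluateCaptcha({ ...base, action: 'login' }, policy, now),
    stale:       evaluateCaptcha({ ...base, challenge_ts: '2024-05-01T11:50:00Z' }, policy, now),
    failed:      evaluateCaptcha({ success: false, 'error-codes': ['timeout-or-duplicate'] }, policy, now),
  };
}
```

The order of checks is deliberate: a token that was solved on the wrong site or for the wrong action is rejected before its score is even considered, so a high score harvested from a login page cannot be spent on the posting endpoint. The same structure applies to hCaptcha, whose siteverify response also carries success, hostname and challenge_ts.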
ID: community-moderation-safety.spam-prevention.bot-prevention
Severity: high
What to look for: Check whether post/comment submission forms use a CAPTCHA (reCAPTCHA, hCaptcha) and whether the submit endpoint is rate-limited. Look for IP-based or user-based rate limiting, and for server-side verification of the CAPTCHA token rather than a client-side widget alone.
Pass criteria: New accounts or unverified users face a CAPTCHA on post submission, OR all submissions are rate-limited to no more than 10 posts per minute per IP or per user. Count all public-facing submission endpoints and verify each has at least one bot-prevention mechanism.
Fail criteria: No CAPTCHA and no rate limiting. Bots can post freely without verification. Rate limits above 100 requests per minute do not count as meaningful bot prevention.
Skip (N/A) when: Never — bot prevention is essential.
Detail on fail: "No CAPTCHA or rate limiting on post submission. Bots can flood the platform with posts."
Cross-reference: Compare with community-moderation-safety.spam-prevention.account-age-limit — bot prevention blocks automated abuse while account-age-limit throttles new human accounts.
Remediation: Add CAPTCHA (reCAPTCHA or hCaptcha) to post submission forms, verify the token server-side, and rate-limit the submit endpoints. Configure in src/middleware/rateLimiter.ts:

    import rateLimit from 'express-rate-limit';

    // 10 submissions per minute per client, keyed on req.ip by default
    export const postLimiter = rateLimit({
      windowMs: 60 * 1000, // 1 minute
      max: 10,
      standardHeaders: true,
      message: 'Too many submissions. Try again shortly.',
    });