Conversation

@jamielinux

You're A Rockstar

Thank you for submitting a Pull Request (PR) to the Cheat Sheet Series.

🚩 If your PR is related to grammar/typo mistakes, please double-check the file for other mistakes in order to fix all the issues in the current cheat sheet.

Please make sure that for your contribution:

  • In case of a new Cheat Sheet, you have used the Cheat Sheet template.
  • All the markdown files do not raise any validation policy violation, see the policy.
  • All the markdown files follow these format rules.
  • All your assets are stored in the assets folder.
  • All the images used are in the PNG format.
  • Any references to websites have been formatted as [TEXT](URL)
  • You verified/tested the effectiveness of your contribution (e.g., the defensive code proposed is really an effective remediation? Please verify it works!).
  • The CI build of your PR passes, see the build status here.

If your PR is related to an issue, please finish your PR text with the following line:

This PR fixes issue #1870.

AI Tool Usage Disclosure (required for all PRs)

Please select one of the following options:

  • I have NOT used any AI tool to generate the contents of this PR.
  • I have used AI tools to generate the contents of this PR. I have verified
    the contents and I affirm the results. The LLM used is [llm name and version]
    and the prompt used is [your prompt here]. [Feel free to add more details if needed]

Thank you again for your contribution 😃

@szh (Collaborator)

szh commented Oct 27, 2025

These are all good recommendations. I haven't heard of friendlycaptcha.com before and it appears to be a commercial offering. That's fine, but I think it would be good to list more than one option, and particularly to include an open source option if there is one.

@szh szh linked an issue Oct 27, 2025 that may be closed by this pull request
@jamielinux (Author)

Thanks @szh for your feedback! Are you suggesting a list of soft recommendations, something like this perhaps?

Modern CAPTCHAs include open source self-hosted options like X and Y, as well as hosted services with an open source client like Z.

@szh (Collaborator)

szh commented Oct 28, 2025

@jamielinux yes exactly!

@jamielinux (Author)

Great, thank you! I've made that change. Let me know what you think ☺️

- comply with accessibility standards (e.g., WCAG, ADA, EAA) and avoid relying on visual or auditory cues that can exclude users with disabilities;
- comply with applicable privacy regulations (e.g., CCPA, GDPR) and do not depend on tracking, fingerprinting, or behavioral profiling;

Modern CAPTCHAs include open source self-hosted options like [mCaptcha](https://mcaptcha.org/), as well as hosted services with an open source client like [Procaptcha](https://prosopo.io/) or [Friendly Captcha](https://friendlycaptcha.com/).
Collaborator

All changes look good, but I am not comfortable recommending solutions, especially commercial ones, without a bigger review of all available options. I would prefer to keep this without naming solutions and without vendor recommendations.

Author

Thank you for the feedback!

My feeling is that these are more like soft signposts rather than badges of approval, but I can appreciate your point of view and I'm happy to remove that paragraph if you prefer ☺️

Collaborator

I will let @jmanico weigh in :-)

@mackowski mackowski requested review from Copilot and jmanico October 30, 2025 12:43
Contributor

Copilot AI left a comment

Pull Request Overview

This PR enhances the CAPTCHA section of the Credential Stuffing Prevention Cheat Sheet by providing more comprehensive and modern guidance on CAPTCHA implementation. The update expands the section from a brief overview to a detailed guide that addresses current limitations of traditional CAPTCHAs and recommends modern alternatives.

  • Expanded CAPTCHA guidance to address limitations of traditional approaches and recommend modern alternatives
  • Added specific criteria for selecting CAPTCHA services (cryptographic challenges, adaptive difficulty, accessibility, privacy compliance)
  • Included concrete examples of modern CAPTCHA solutions (mCaptcha, Procaptcha, Friendly Captcha)


Development

Successfully merging this pull request may close these issues.

Update: Credential Stuffing Prevention