Application Security and CAPTCHAs

April 7, 2008, by Justin Mitchell
Like most large Web sites, Facebook gets a lot of attention from spammers and other unscrupulous people. Over the last three years, we have developed many tools to stop this type of activity and protect users' private data. One of the most powerful tools in our arsenal is the CAPTCHA, a simple image that displays obfuscated text that computers cannot read but humans can.

Now that Facebook Platform applications have become incredibly popular, we’re rolling out tools that make it as easy and efficient as possible for third-party developers to secure their applications. As part of this effort, we are introducing a new FBML tag that lets you drop a CAPTCHA onto a canvas page. Add the fb:captcha tag to any canvas page form and we will render a CAPTCHA for you. When that form is submitted, we grade the CAPTCHA and add an fb_sig_captcha_grade parameter to the callback request if the CAPTCHA was filled out correctly. By using fb:captcha, you can secure your application from automated scripting attacks.

Also, we want to remind you to always verify that the fb_sig parameter is correct, as this ensures the request has originated from Facebook and has not been altered. The client library makes this easy to do with $facebook->validate_fb_params(). If you're not using PHP, read this article for more information on how to verify that the fb_sig parameter is correct.
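The two points above belong together: fb_sig_captcha_grade is only meaningful on a request whose fb_sig has been verified, since the signature is what proves the parameters came from Facebook unaltered. The following is an added illustration, not code from the post or from the Facebook client library, of a callback handler that first validates fb_sig and only then consults the CAPTCHA grade. It implements the Platform signing scheme of the period (strip the fb_sig_ prefix, sort by key, concatenate key=value pairs, append the application secret, MD5); the application secret, the sample request and the sign_request helper that stands in for Facebook's side are constructed for the example, and the grade is treated as passed when the parameter is present, as the post describes.

```python
import hashlib
import hmac

# Constructed application secret for this example only; a real secret lives
# in your application's configuration, never in source.
APP_SECRET = "hypothetical-app-secret"

# Constructed sample of the fb_sig_* parameters a callback request might carry.
# Facebook adds fb_sig_captcha_grade only when the CAPTCHA was filled out correctly.
SAMPLE_REQUEST = {
    "fb_sig_user": "12345",
    "fb_sig_time": "1207526400",
    "fb_sig_captcha_grade": "1",
    "comment": "hello",  # an ordinary form field; not part of the signature
}

PREFIX = "fb_sig_"


def compute_fb_sig(params, secret):
    """Recompute the signature over every fb_sig_* parameter.

    Scheme used by the Platform at the time: drop the fb_sig_ prefix, sort the
    remaining pairs by key, join them as key=value with no separator, append
    the application secret, and take the MD5 hex digest. Note that the top-level
    fb_sig parameter itself is excluded (it lacks the trailing underscore).
    """
    pairs = sorted(
        (k[len(PREFIX):], v) for k, v in params.items() if k.startswith(PREFIX)
    )
    payload = "".join(f"{k}={v}" for k, v in pairs) + secret
    return hashlib.md5(payload.encode("utf-8")).hexdigest()


def sign_request(params, secret):
    """Stand-in for Facebook's side: return a copy of params with fb_sig attached.

    Only used so the example runs offline; your application never signs requests.
    """
    signed = dict(params)
    signed["fb_sig"] = compute_fb_sig(params, secret)
    return signed


def validate_fb_params(params, secret):
    """Return the fb_sig_* parameters (prefix stripped) if fb_sig is valid, else None.

    Mirrors the purpose of the PHP client library's validate_fb_params(): a
    request that fails this check did not come from Facebook unmodified.
    """
    sig = params.get("fb_sig")
    if sig is None:
        return None
    expected = compute_fb_sig(params, secret)
    # Constant-time comparison avoids leaking how many leading characters matched.
    if not hmac.compare_digest(expected, sig):
        return None
    return {k[len(PREFIX):]: v for k, v in params.items() if k.startswith(PREFIX)}


def captcha_passed(params, secret):
    """True only when the request is authentic AND Facebook graded the CAPTCHA as correct.

    Checking the grade without the signature would be pointless: an unsigned
    request could carry any parameters at all.
    """
    verified = validate_fb_params(params, secret)
    if verified is None:
        return False
    return "captcha_grade" in verified


if __name__ == "__main__":
    signed = sign_request(SAMPLE_REQUEST, APP_SECRET)
    print("authentic + graded:", captcha_passed(signed, APP_SECRET))
    print("unsigned:", captcha_passed(SAMPLE_REQUEST, APP_SECRET))
```

In a real handler the dictionary passed in is the request's POST (or GET) parameters; reject the request outright when validate_fb_params returns None, and only then decide whether the CAPTCHA gate was cleared.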