Web-Engine Sentry for WordPress
The easy-to-use WordPress plugin that provides quick and simple integration to our privacy-focused service to enhance the security of your site. The plugin works by validating that the user is human.
Read moreDocumentation - Web-Engine Sentry API
A privacy-focused service designed to enhance the security of form submissions and access points. With simple installation, the widget works by validating the user is human and provides a token that your server can then verify as having been successfully checked.
Overview
This guide focuses on the API implimentation, for information on our WordPress Plugin see the WordPress plugin documentation. You can also find out more about the features this product provides on the case-study page.
Sentry can be integrated directly into your website and seamlessly integrates with your application. The challenges we currently use are subject to ongoing improvement. We are also developing an accessible fallback option for users who cannot utilise visual challenges and exploring ways to completely remove the need to display challenges in certain cases.
Data privacy is of utmost importance to us. We will never harvest user data for ad retargeting or use your actions to train an AI.
As AI-based attacks are increasingly prevalent and major providers are becoming targets, we are offering an alternative solution to address this challenge.
We acknowledge that relying solely on browser checks for security may be ineffective, as AI can mimic human behaviour and be executed on compromised end-user devices. Therefore, simply detecting whether a browser is genuine is not a sufficient measure.
Getting started
To work with Sentry, you will need to generate a public key and a secret key. These keys are bound to a specific domain and cannot be used on other domains. The public key is intended for use in a browser and is used to initiate the component within your page.
You will need to register for a Web-Engine Cloud account to get started. There is no registration fee, and there is a free version of this service to get you started.
- Once registered, log in and visit the Sentry dashboard.
- Click Add Domain
- Enter the domain name - note we allow for www variations of a domain automatically, if you have multiple domains, you will need separate keys for each.
- Copy your public and secret keys - the secret key will not be shown again!
Add the code to your site.
The following needs to be in the head of your web page.
<script src="https://cdn.we360.cloud/sentry/v1/client.js" defer></script>Add the code to your form where you want the component to appear. Note $PUBLIC_KEY should be replaced with the public key generated earleir.
<div className="web-engine-sentry" data-key="$PUBLIC_KEY"></div>Single Page Applications
If your using the API with a reqular form submission this won't apply to you, however if you need a tighter intergration (for instance if your page is a React application) then please check over the following.
You may need to trigger updates to render the component when loading content in-place.
This can be done by calling the "init" method, for example -
typeof webEngineSentry !== "undefined" && webEngineSentry.init();In a React application this can be achieved by using useEffect within the functional component that features a Sentry placement, for example -
import { useEffect } from 'react'
export function YourComponent(props) {
useEffect(() => {
typeof webEngineSentry !== "undefined" && webEngineSentry.init();
}, []);You will also need to retrieve the token stored in the extra field contained in your form. This is always a field called web_engine_sentry_signature.
In React you should update the onSubmit handler to trigger Sentry to bind to the current submission. The
<form action='#' onSubmit={e => { e.preventDefault(); webEngineSentry.currentTarget = e.currentTarget }} noValidate>The binding is achieved using webEngineSentry.currentTarget = e.currentTarget in the sample above.
When you submit you can then retrieve the token to send to your back end script for confirmation.
const onSubmit = methods.handleSubmit(data => {
data.web_engine_sentry_signature = ("undefined" !== typeof ("webEngineSentry")) ? webEngineSentry.getSignature() : false;
if (false !== data.web_engine_sentry_signature) {
// you're good to send for confirmation ...Confirmation of the response
When the data from your form is submitted an additional "web_engine_sentry_signature" field will be present containing your token. It’s essential to enforce this token with the verify call. The token might be invalid, expired, or already redeemed. Failing to verify the token will expose significant vulnerabilities in your implementation.
Note the token is valid for 5 minuites after creation and can only be verified once.
In the example below - $SECRET_KEY is the key obtained when registering the domain. $TOKEN is the token contained in the "web_engine_sentry_signature" field data.
curl -X POST 'https://api.we360.cloud/api/sentry/confirm' \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-H "Authorization: Bearer $SECRET_KEY" \
-d '{ "signature": "$TOKEN" }'A good result will return the following, all other responses should be treated as a failure. The HTTP response code and message should indicate the issue with the request.
{"passed":true}There are a number of response codes that can be returned that you can use to debug your application - these include -
- 200 Good, Request passed
- 404 Not found, Unknown request, missing the required post data
- 403 Forbidden, Expired or unknown signature