Integrates ALTCHA proof-of-work antispam into the Kanboard login form.
- Kanboard >= 1.2.0
- PHP >= 8.1
- Copy this directory into Kanboard's
plugins/directory and name itKanboardALTCHA. - Add your ALTCHA credentials to Kanboard's
config.php(see below). - The plugin activates automatically on next page load — no Kanboard settings toggle is required.
Add the following to your Kanboard config.php:
define('ALTCHA_SECRET', 'your_altcha_secret_key_here');
define('ALTCHA_PUBLIC_KEY', 'your_altcha_public_key_here');Obtain both keys from altcha.org after creating an account.
Keep ALTCHA_SECRET out of version control. The public key is safe to expose.
- Proof-of-work challenge: ALTCHA requires the browser to solve a computational puzzle before the login form can be submitted, which blocks automated credential-stuffing without user friction.
- IP-based rate limiting: failed attempts are tracked per client IP, not per session. In other words, attackers cannot reset the counter by clearing cookies.
- Fail-closed verification: network errors or malformed API responses are treated as failed challenges, not bypasses.
- Session fixation protection:
session_regenerate_id(true)is called on every successful login. - No user data sent to ALTCHA: only the challenge token is verified. In other words, usernames and passwords never leave your server.