All configuration options for CWaptcha, with defaults and notes.
{
"CWaptcha": {
"SecretKey": "", // required — set via user-secrets or env var
"NonceTtlSeconds": 300, // optional, default 300 (5 min)
"HoneypotFieldName": "cw_hp_email", // optional
"ProtectedPaths": [], // optional — routes intercepted by middleware
"RequireHttps": false // optional, enable true in production
}
}| Option | Type | Default | Description |
|---|---|---|---|
SecretKey |
string | required | Master HMAC key. Set via user-secrets or environment variable. Throws OptionsValidationException at startup if empty. |
NonceTtlSeconds |
int | 300 | How long (in seconds) a nonce is valid. After expiry the token is rejected with "expired". |
HoneypotFieldName |
string | "cw_hp_email" | Name of the hidden honeypot field injected by the JS. Must match the data-honeypot attribute on the script tag. |
ProtectedPaths |
string[] | [] | Routes the middleware intercepts. Matched with OrdinalIgnoreCase prefix matching. Only the POST verb is validated. |
RequireHttps |
bool | false | When true, rejects non-HTTPS requests. Checks IsHttps or X-Forwarded-Proto: https for reverse-proxy setups. |
dotnet user-secrets set "CWaptcha:SecretKey" "your-secret-here"# System environment variable (double underscore = section separator)
CWaptcha__SecretKey=your-secret-here<environmentVariables>
<environmentVariable name="CWaptcha__SecretKey" value="your-secret-here" />
</environmentVariables>// Program.cs
builder.Services.AddStackExchangeRedisCache(o =>
o.Configuration = builder.Configuration["Redis:ConnectionString"]);
builder.Services.AddCWaptcha(builder.Configuration.GetSection("CWaptcha"))
.UseDistributedNonceStore();