Enhance security

Riddle has an extensive range of security features and settings and to optimise each of your Riddle's security. Please note, however, that technology is changing incredibly quickly and no Riddle can ever be completely hacker-proof. Here are a few recommendations.

Activate one vote per browser

This is the easiest to implement, and simply limits people to one vote per browser to discourage casual cheating. However, if a person opens an incognito browser or clears their cookies, they can vote again once more.

Follow the steps in the one vote per browser help guide.

Limit IP addresses

You can also limit the number of times people can take a Riddle (by IP address). We recommend at least 5, because offices will share an IP address so multiple people could take the same Riddle.

Follow the steps in the IP limit help guide.

Please note: We never store the actual IP addresses of your audience on our servers. Instead, we work with hash values. Riddle is an EU-based, GDPR-compliant quiz maker so we don't store personal information like this. Find out more about Riddle.com's privacy policy.

Add a CAPTCHA block

You can add our new CAPTCHA blog as part a form. Only users who complete the CAPTCHA will have their votes counted. We support three methods: Riddle, Google reCAPTCHA v3, and Cloudflare Turnstile.

Follow the steps in the CAPTCHA help guide.

Use double opt-in (DOI) or one time passwords (OTP)

Riddle also supports DOI/OTP, which sends a link or a code to participants after voting. Votes are only counted for people who click the DOI link or enter the OTP code.

Follow the steps in the DOI help guide.

All listed security options can also be combined with each other to further improve security. Many of our customers activate “One vote per browser” for polls by default. If more security is required, OTP or CAPTCHA can be added. For even higher security requirements, you can activate the IP limit in addition to these two options.

Backend security systems

  1. Riddle 2.0 is much more secure. In Riddle 1.0 a lot of data was validated at the browser level, which meant it was easier to send false messages to the server. By comparison, Riddle 2.0 uses a tightly meshed client-server connection. All validations and voting are done on the server side - which makes it much easier to detect and block false messages or fraudulent votes.
  2. Riddle’s DevOps teams also run a series of automated protections in the background, designed to detect and prevent automated attacks, such as monitoring for conspicuous numbers of simultaneous connections or a particularly large number of messages from a single IP address.
Table of Contents