diff --git a/locales/de/auth.json b/locales/de/auth.json
index c60fc00d..e920c3b4 100644
--- a/locales/de/auth.json
+++ b/locales/de/auth.json
@@ -1,15 +1,15 @@
 {
-  "login": {
-    "INVALID_LOGIN": "Ungültige E-Mail oder Telefonnummer",
-    "INVALID_PASSWORD": "Ungültiges Passwort"
-  },
-  "register": {
-    "REGISTRATION_DISABLED": "Neue Nutzer können sich nicht mehr registrieren",
-    "INVITE_ONLY": "Du musst eingeladen werden, um dich zu registrieren",
-    "EMAIL_INVALID": "Ungültige E-Mail Adresse",
-    "EMAIL_ALREADY_REGISTERED": "Es existiert bereits ein Account mit dieser E-Mail Adresse",
-    "DATE_OF_BIRTH_UNDERAGE": "Du musst mindestens {{years}} Jahre alt sein",
-    "CONSENT_REQUIRED": "Du musst den AGB's und Datenschutzbestimmungen zustimmen",
-    "USERNAME_TOO_MANY_USERS": "Es haben bereits zu viele Nutzer den gleichen Nutzernamen"
-  }
-}
\ No newline at end of file
+	"login": {
+		"INVALID_LOGIN": "E-Mail oder Telefonnummer nicht gefunden",
+		"INVALID_PASSWORD": "Ungültiges Passwort"
+	},
+	"register": {
+		"REGISTRATION_DISABLED": "Neue Nutzer können sich nicht mehr registrieren",
+		"INVITE_ONLY": "Du musst eingeladen werden, um dich zu registrieren",
+		"EMAIL_INVALID": "Ungültige E-Mail Adresse",
+		"EMAIL_ALREADY_REGISTERED": "Es existiert bereits ein Account mit dieser E-Mail Adresse",
+		"DATE_OF_BIRTH_UNDERAGE": "Du musst mindestens {{years}} Jahre alt sein",
+		"CONSENT_REQUIRED": "Du musst den AGB's und Datenschutzbestimmungen zustimmen",
+		"USERNAME_TOO_MANY_USERS": "Es haben bereits zu viele Nutzer den gleichen Nutzernamen"
+	}
+}
diff --git a/locales/en/auth.json b/locales/en/auth.json
index 88c2c003..025a3876 100644
--- a/locales/en/auth.json
+++ b/locales/en/auth.json
@@ -1,15 +1,15 @@
 {
-  "login": {
-    "INVALID_LOGIN": "Invalid E-Mail or Phone",
-    "INVALID_PASSWORD": "Invalid Password"
-  },
-  "register": {
-    "REGISTRATION_DISABLED": "New user registration is disabled",
-    "INVITE_ONLY": "You must be invited to register",
-    "EMAIL_INVALID": "Invalid Email",
-    "EMAIL_ALREADY_REGISTERED": "Email is already registered",
-    "DATE_OF_BIRTH_UNDERAGE": "You need to be {{years}} years or older",
-    "CONSENT_REQUIRED": "You must agree to Terms of Service and Privacy Policy.",
-    "USERNAME_TOO_MANY_USERS": "Too many users have this username, please try another"
-  }
-}
\ No newline at end of file
+	"login": {
+		"INVALID_LOGIN": "E-Mail or Phone not found",
+		"INVALID_PASSWORD": "Invalid Password"
+	},
+	"register": {
+		"REGISTRATION_DISABLED": "New user registration is disabled",
+		"INVITE_ONLY": "You must be invited to register",
+		"EMAIL_INVALID": "Invalid Email",
+		"EMAIL_ALREADY_REGISTERED": "Email is already registered",
+		"DATE_OF_BIRTH_UNDERAGE": "You need to be {{years}} years or older",
+		"CONSENT_REQUIRED": "You must agree to Terms of Service and Privacy Policy.",
+		"USERNAME_TOO_MANY_USERS": "Too many users have this username, please try another"
+	}
+}
diff --git a/src/Server.ts b/src/Server.ts
index c7f36233..f17d4c9d 100644
--- a/src/Server.ts
+++ b/src/Server.ts
@@ -2,7 +2,7 @@ import "missing-native-js-functions";
 import fs from "fs/promises";
 import { Connection } from "mongoose";
 import { Server, ServerOptions } from "lambert-server";
-import { Authentication, GlobalRateLimit } from "./middlewares/";
+import { Authentication, CORS, GlobalRateLimit } from "./middlewares/";
 import Config from "./util/Config";
 import { db } from "@fosscord/server-util";
 import i18next from "i18next";
@@ -15,10 +15,9 @@ import fetch from "node-fetch";
 import mongoose from "mongoose";
 
 // this will return the new updated document for findOneAndUpdate
-mongoose.set('returnOriginal', false); // https://mongoosejs.com/docs/api/model.html#model_Model.findOneAndUpdate
+mongoose.set("returnOriginal", false); // https://mongoosejs.com/docs/api/model.html#model_Model.findOneAndUpdate
 
-
-export interface FosscordServerOptions extends ServerOptions { }
+export interface FosscordServerOptions extends ServerOptions {}
 
 declare global {
 	namespace Express {
@@ -56,6 +55,7 @@ export class FosscordServer extends Server {
 
 		this.app.use(GlobalRateLimit);
 		this.app.use(Authentication);
+		this.app.use(CORS);
 		this.app.use(BodyParser({ inflate: true }));
 		const languages = await fs.readdir(__dirname + "/../locales/");
 		const namespaces = await fs.readdir(__dirname + "/../locales/en/");
diff --git a/src/index.ts b/src/index.ts
index c6417126..554c296f 100644
--- a/src/index.ts
+++ b/src/index.ts
@@ -5,7 +5,6 @@ export * from "./schema/Channel";
 export * from "./schema/Guild";
 export * from "./schema/Invite";
 export * from "./schema/Message";
-export * from "./util/Captcha";
 export * from "./util/Config";
 export * from "./util/Constants";
 export * from "./util/Event";
diff --git a/src/middlewares/CORS.ts b/src/middlewares/CORS.ts
index 336051bd..b47de251 100644
--- a/src/middlewares/CORS.ts
+++ b/src/middlewares/CORS.ts
@@ -4,4 +4,11 @@ import { NextFunction, Request, Response } from "express";
 
 export function CORS(req: Request, res: Response, next: NextFunction) {
 	res.set("Access-Control-Allow-Origin", "*");
+	res.set(
+		"Content-security-policy",
+		"script-src 'https://hcaptcha.com, https://*.hcaptcha.com' frame-src 'https://hcaptcha.com, https://*.hcaptcha.com' style-src 'https://hcaptcha.com, https://*.hcaptcha.com' connect-src 'https://hcaptcha.com, https://*.hcaptcha.com'"
+	);
+	res.set("Access-Control-Allow-Headers", req.header("Access-Control-Request-Headers"));
+
+	next();
 }
diff --git a/src/routes/auth/login.ts b/src/routes/auth/login.ts
index 5c43db1b..a0fc1190 100644
--- a/src/routes/auth/login.ts
+++ b/src/routes/auth/login.ts
@@ -20,11 +20,26 @@ router.post(
 		$gift_code_sku_id: String,
 	}),
 	async (req: Request, res: Response) => {
-		const { login, password } = req.body;
+		const { login, password, captcha_key } = req.body;
 		const email = adjustEmail(login);
 		const query: any[] = [{ phone: login }];
 		if (email) query.push({ email });
 
+		const config = Config.get();
+
+		if (config.login.requireCaptcha && config.security.captcha.enabled) {
+			if (!captcha_key) {
+				const { sitekey, service } = config.security.captcha;
+				return res.status(400).json({
+					captcha_key: ["captcha-required"],
+					captcha_sitekey: sitekey,
+					captcha_service: service,
+				});
+			}
+
+			// TODO: check captcha
+		}
+
 		const user = await UserModel.findOne({ $or: query }, `user_data.hash id user_settings.locale user_settings.theme`).exec();
 
 		if (!user) {
diff --git a/src/util/Captcha.ts b/src/util/Captcha.ts
deleted file mode 100644
index cb0ff5c3..00000000
--- a/src/util/Captcha.ts
+++ /dev/null
@@ -1 +0,0 @@
-export {};
diff --git a/src/util/Config.ts b/src/util/Config.ts
index e500197f..f1f0f458 100644
--- a/src/util/Config.ts
+++ b/src/util/Config.ts
@@ -1,6 +1,5 @@
 import { Config, Snowflake } from "@fosscord/server-util";
 import crypto from "crypto";
-import fs from "fs";
 
 export default {
 	init() {
@@ -75,10 +74,14 @@ export interface DefaultOptions {
 		forwadedFor: string | null;
 		captcha: {
 			enabled: boolean;
-			service: "recaptcha" | null; // TODO: hcaptcha, custom
+			service: "recaptcha" | "hcaptcha" | null; // TODO: hcaptcha, custom
 			sitekey: string | null;
+			secret: string | null;
 		};
 	};
+	login: {
+		requireCaptcha: boolean;
+	};
 	register: {
 		email: {
 			required: boolean;
@@ -155,8 +158,12 @@ export const DefaultOptions: DefaultOptions = {
 			enabled: false,
 			service: null,
 			sitekey: null,
+			secret: null,
 		},
 	},
+	login: {
+		requireCaptcha: false,
+	},
 	register: {
 		email: {
 			required: true,