From 37730b6627f903936392fc353d0bf3bba3c08bf8 Mon Sep 17 00:00:00 2001
From: Laurence <laurence.jones@live.co.uk>
Date: Tue, 18 Nov 2025 10:25:04 +0000
Subject: [PATCH 1/6] feat: add experimental HTTP template server

Add experimental HTTP template server feature that allows users to render
ban and captcha templates via HTTP endpoint instead of using Lua scripts.

Key features:
- HTTP server with configurable listen address/port and TLS support
- Template rendering using Go's native text/template package
- Host configuration lookup using Host header from HAProxy
- Support for ban and captcha remediation types
- Catch-all route for simplified HAProxy configuration
- HEAD requests return 403 for ban/captcha remediations

Changes:
- Add HTTPTemplateServerConfig to bouncer configuration
- Implement HTTP template server in pkg/httptemplate
- Add Go template renderer in pkg/template
- Create .tmpl template files for ban and captcha
- Add GetProviderInfo helper in captcha package
- Update Dockerfile to create log directory and copy templates
- Add HAProxy configuration example for HTTP template server
- Update all config files to use canonical header names (X-Crowdsec-*)

This is an experimental feature and must be explicitly enabled via
http_template_server.enabled in the configuration.
---
 Dockerfile                                   |  21 +-
 cmd/root.go                                  |  27 ++
 config/crowdsec-spoa-bouncer.yaml            |  16 ++
 config/haproxy-httptemplate.cfg              |  74 +++++
 config/haproxy-upstreamproxy.cfg             |   8 +-
 config/haproxy.cfg                           |   8 +-
 debian/rules                                 |   4 +-
 docker-compose.httptemplate-test.yaml        |  68 +++++
 docker-compose.proxy-test.yaml               |   6 +-
 docker-compose.yaml                          |   6 +-
 internal/remediation/captcha/providers.go    |   9 +
 pkg/cfg/config.go                            |  48 +++-
 pkg/httptemplate/server.go                   | 287 +++++++++++++++++++
 pkg/template/renderer.go                     |  44 +++
 rpm/SPECS/crowdsec-haproxy-spoa-bouncer.spec |   4 +
 templates/ban.tmpl                           | 102 +++++++
 templates/captcha.tmpl                       | 141 +++++++++
 17 files changed, 844 insertions(+), 29 deletions(-)
 create mode 100644 config/haproxy-httptemplate.cfg
 create mode 100644 docker-compose.httptemplate-test.yaml
 create mode 100644 pkg/httptemplate/server.go
 create mode 100644 pkg/template/renderer.go
 create mode 100644 templates/ban.tmpl
 create mode 100644 templates/captcha.tmpl

diff --git a/Dockerfile b/Dockerfile
index ea56133..eba6fc3 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -26,16 +26,23 @@ RUN addgroup -S crowdsec-spoa && adduser -S -D -H -s /sbin/nologin -g crowdsec-s
 ## Create a socket for the spoa to inherit crowdsec-spoa:haproxy user from official haproxy image
 RUN mkdir -p /run/crowdsec-spoa/ && chown crowdsec-spoa:haproxy /run/crowdsec-spoa/ && chmod 770 /run/crowdsec-spoa/
 
-## Copy templates
-RUN mkdir -p /var/lib/crowdsec/lua/haproxy/templates/
-COPY --from=build /go/src/cs-spoa-bouncer/templates/* /var/lib/crowdsec/lua/haproxy/templates/
+## Create log directory with proper permissions
+RUN mkdir -p /var/log/crowdsec-spoa && chown crowdsec-spoa:crowdsec-spoa /var/log/crowdsec-spoa && chmod 755 /var/log/crowdsec-spoa
 
-RUN mkdir -p /usr/local/crowdsec/lua/haproxy/
-COPY --from=build /go/src/cs-spoa-bouncer/lua/* /usr/local/crowdsec/lua/haproxy/
+## Copy Lua files (matching Debian/RPM paths)
+RUN mkdir -p /usr/lib/crowdsec-haproxy-spoa-bouncer/lua
+COPY --from=build /go/src/cs-spoa-bouncer/lua/* /usr/lib/crowdsec-haproxy-spoa-bouncer/lua/
 
-RUN chown -R root:haproxy /var/lib/crowdsec/lua/haproxy /usr/local/crowdsec/lua/haproxy
+## Copy templates (matching Debian/RPM paths)
+## Copy .tmpl files explicitly to ensure they're included
+RUN mkdir -p /var/lib/crowdsec-haproxy-spoa-bouncer/html
+COPY --from=build /go/src/cs-spoa-bouncer/templates/ban.tmpl /var/lib/crowdsec-haproxy-spoa-bouncer/html/ban.tmpl
+COPY --from=build /go/src/cs-spoa-bouncer/templates/captcha.tmpl /var/lib/crowdsec-haproxy-spoa-bouncer/html/captcha.tmpl
 
-VOLUME [ "/usr/local/crowdsec/lua/haproxy/", "/var/lib/crowdsec/lua/haproxy/templates/" ]
+RUN chown -R root:haproxy /usr/lib/crowdsec-haproxy-spoa-bouncer/lua /var/lib/crowdsec-haproxy-spoa-bouncer/html && \
+    chmod -R 755 /usr/lib/crowdsec-haproxy-spoa-bouncer/lua /var/lib/crowdsec-haproxy-spoa-bouncer/html
+
+VOLUME [ "/usr/lib/crowdsec-haproxy-spoa-bouncer/lua/", "/var/lib/crowdsec-haproxy-spoa-bouncer/html/" ]
 
 RUN chmod +x /docker_start.sh
 
diff --git a/cmd/root.go b/cmd/root.go
index b14d4c6..bd1a412 100644
--- a/cmd/root.go
+++ b/cmd/root.go
@@ -21,6 +21,7 @@ import (
 	"github.com/crowdsecurity/crowdsec-spoa/pkg/cfg"
 	"github.com/crowdsecurity/crowdsec-spoa/pkg/dataset"
 	"github.com/crowdsecurity/crowdsec-spoa/pkg/host"
+	"github.com/crowdsecurity/crowdsec-spoa/pkg/httptemplate"
 	"github.com/crowdsecurity/crowdsec-spoa/pkg/metrics"
 	"github.com/crowdsecurity/crowdsec-spoa/pkg/spoa"
 	csbouncer "github.com/crowdsecurity/go-cs-bouncer"
@@ -194,6 +195,24 @@ func Execute() error {
 		}
 	}
 
+	// Create and start HTTP template server if enabled (after HostManager is created)
+	var httpTemplateServer *httptemplate.Server
+	if config.HTTPTemplateServer.Enabled {
+		httpTemplateLogger := log.WithField("component", "http_template_server")
+		var err error
+		httpTemplateServer, err = httptemplate.NewServer(&config.HTTPTemplateServer, HostManager, httpTemplateLogger)
+		if err != nil {
+			return fmt.Errorf("failed to create HTTP template server: %w", err)
+		}
+
+		g.Go(func() error {
+			if err := httpTemplateServer.Serve(ctx); err != nil {
+				return fmt.Errorf("HTTP template server failed: %w", err)
+			}
+			return nil
+		})
+	}
+
 	if config.HostsDir != "" {
 		if err := HostManager.LoadFromDirectory(config.HostsDir); err != nil {
 			return fmt.Errorf("failed to load hosts from directory: %w", err)
@@ -252,6 +271,14 @@ func Execute() error {
 		log.Errorf("Failed to shutdown SPOA: %v", shutdownErr)
 	}
 
+	// Shutdown HTTP template server if it was started
+	if httpTemplateServer != nil {
+		log.Info("Shutting down HTTP template server")
+		if shutdownErr := httpTemplateServer.Shutdown(shutdownCtx); shutdownErr != nil {
+			log.Errorf("Failed to shutdown HTTP template server: %v", shutdownErr)
+		}
+	}
+
 	// Return error only if it was unexpected
 	if err != nil && !isExpectedShutdown {
 		return err
diff --git a/config/crowdsec-spoa-bouncer.yaml b/config/crowdsec-spoa-bouncer.yaml
index 770e113..418624c 100644
--- a/config/crowdsec-spoa-bouncer.yaml
+++ b/config/crowdsec-spoa-bouncer.yaml
@@ -24,3 +24,19 @@ prometheus:
   enabled: false
   listen_addr: 127.0.0.1
   listen_port: 60601
+
+## HTTP Template Server (Experimental)
+# This feature allows HAProxy to use an HTTP backend instead of Lua scripts for template rendering
+# When enabled, HAProxy can be configured to proxy requests to this server instead of using Lua
+# Uses Go native templates (.tmpl files) instead of Lua-style templates
+http_template_server:
+  enabled: false
+  listen_addr: 127.0.0.1
+  listen_port: 8081
+  # Optional: Custom template paths (defaults to .tmpl files in standard locations if not specified)
+  # ban_template_path: /var/lib/crowdsec-haproxy-spoa-bouncer/html/ban.tmpl
+  # captcha_template_path: /var/lib/crowdsec-haproxy-spoa-bouncer/html/captcha.tmpl
+  tls:
+    enabled: false
+    # cert_file: /path/to/cert.pem
+    # key_file: /path/to/key.pem
diff --git a/config/haproxy-httptemplate.cfg b/config/haproxy-httptemplate.cfg
new file mode 100644
index 0000000..fba1435
--- /dev/null
+++ b/config/haproxy-httptemplate.cfg
@@ -0,0 +1,74 @@
+# https://www.haproxy.com/documentation/hapee/latest/onepage/#home
+# HAProxy configuration example using HTTP Template Server instead of Lua
+# This demonstrates the experimental HTTP template server feature
+
+global
+    log stdout format raw local0
+
+defaults
+    log global
+    option httplog
+    timeout client 1m
+	timeout server 1m
+	timeout connect 10s
+	timeout http-keep-alive 2m
+	timeout queue 15s
+	timeout tunnel 4h  # for websocket
+
+frontend test
+    mode http
+    bind *:9090
+    
+    unique-id-format %[uuid()]
+    unique-id-header X-Unique-ID
+    filter spoe engine crowdsec config /etc/haproxy/crowdsec.cfg
+
+    ## Define ACLs for remediation types
+    acl is_ban var(txn.crowdsec.remediation) -m str "ban"
+    acl is_captcha var(txn.crowdsec.remediation) -m str "captcha"
+    acl is_allow var(txn.crowdsec.remediation) -m str "allow"
+
+    ## Set headers for HTTP template server
+    ## IMPORTANT: Remove any user-provided headers first for security, then set from transaction variables
+    ## The server will look up host configuration using the Host header (automatically forwarded by HAProxy)
+    ## Only the remediation type needs to be sent - all other data comes from host configuration
+    http-request del-header X-Crowdsec-Remediation
+    http-request set-header X-Crowdsec-Remediation %[var(txn.crowdsec.remediation)] if { var(txn.crowdsec.remediation) -m found }
+    
+    ## Set a custom header on the request for upstream services to use
+    http-request set-header X-Crowdsec-IsoCode %[var(txn.crowdsec.isocode)] if { var(txn.crowdsec.isocode) -m found }
+
+    ## Handle 302 redirect for successful captcha validation (native HAProxy redirect)
+    http-request redirect code 302 location %[var(txn.crowdsec.redirect)] if is_allow { var(txn.crowdsec.redirect) -m found }
+    
+    ## Route to HTTP template server for ban and captcha remediations
+    ## Instead of using Lua, we proxy to the HTTP template server
+    ## The server uses a catch-all route, so no path rewriting is needed
+    ## Use OR operator (||) to combine ACLs for cleaner configuration
+    use_backend http_template_server if is_ban || is_captcha
+
+    ## Handle captcha cookie management via HAProxy
+    ## Set captcha cookie when SPOA provides captcha_status (pending or valid)
+    http-after-response set-header Set-Cookie %[var(txn.crowdsec.captcha_cookie)] if { var(txn.crowdsec.captcha_status) -m found } { var(txn.crowdsec.captcha_cookie) -m found }
+    ## Clear captcha cookie when cookie exists but no captcha_status (Allow decision)
+    http-after-response set-header Set-Cookie %[var(txn.crowdsec.captcha_cookie)] if { var(txn.crowdsec.captcha_cookie) -m found } !{ var(txn.crowdsec.captcha_status) -m found }
+
+    ## Default backend for allowed requests
+    use_backend test_backend
+
+backend test_backend
+    mode http
+    server s1 whoami:2020
+    
+backend crowdsec-spoa
+    mode tcp
+    balance roundrobin
+    server s2 spoa:9000
+    server s3 spoa:9001
+
+backend http_template_server
+    mode http
+    # Proxy to the HTTP template server
+    # The server will read X-Crowdsec-Remediation header to determine which template to render
+    server template_server spoa:8081
+
diff --git a/config/haproxy-upstreamproxy.cfg b/config/haproxy-upstreamproxy.cfg
index 32d026b..7aaf4df 100644
--- a/config/haproxy-upstreamproxy.cfg
+++ b/config/haproxy-upstreamproxy.cfg
@@ -6,8 +6,8 @@ global
     log stdout format raw local0
     lua-prepend-path /usr/lib/crowdsec-haproxy-spoa-bouncer/lua/?.lua
     lua-load /usr/lib/crowdsec-haproxy-spoa-bouncer/lua/crowdsec.lua
-    setenv CROWDSEC_BAN_TEMPLATE_PATH /var/lib/crowdsec/lua/haproxy/templates/ban.html
-    setenv CROWDSEC_CAPTCHA_TEMPLATE_PATH /var/lib/crowdsec/lua/haproxy/templates/captcha.html
+    setenv CROWDSEC_BAN_TEMPLATE_PATH /var/lib/crowdsec-haproxy-spoa-bouncer/html/ban.html
+    setenv CROWDSEC_CAPTCHA_TEMPLATE_PATH /var/lib/crowdsec-haproxy-spoa-bouncer/html/captcha.html
 
 defaults
     log global
@@ -41,9 +41,9 @@ frontend test
     # tcp-request content reject if { var(txn.crowdsec.remediation) -m str "ban" }
 
     ## Set a custom header on the request for upstream services to use
-    http-request set-header X-CrowdSec-Remediation %[var(txn.crowdsec.remediation)] if { var(txn.crowdsec.remediation) -m found }
+    http-request set-header X-Crowdsec-Remediation %[var(txn.crowdsec.remediation)] if { var(txn.crowdsec.remediation) -m found }
     ## Set a custom header on the request for upstream services to use
-    http-request set-header X-CrowdSec-IsoCode %[var(txn.crowdsec.isocode)] if { var(txn.crowdsec.isocode) -m found }
+    http-request set-header X-Crowdsec-IsoCode %[var(txn.crowdsec.isocode)] if { var(txn.crowdsec.isocode) -m found }
 
     ## Handle 302 redirect for successful captcha validation (native HAProxy redirect)
     http-request redirect code 302 location %[var(txn.crowdsec.redirect)] if { var(txn.crowdsec.remediation) -m str "allow" } { var(txn.crowdsec.redirect) -m found }
diff --git a/config/haproxy.cfg b/config/haproxy.cfg
index 4e7bc74..79b5321 100644
--- a/config/haproxy.cfg
+++ b/config/haproxy.cfg
@@ -3,8 +3,8 @@ global
     log stdout format raw local0
     lua-prepend-path /usr/lib/crowdsec-haproxy-spoa-bouncer/lua/?.lua
     lua-load /usr/lib/crowdsec-haproxy-spoa-bouncer/lua/crowdsec.lua
-    setenv CROWDSEC_BAN_TEMPLATE_PATH /var/lib/crowdsec/lua/haproxy/templates/ban.html
-    setenv CROWDSEC_CAPTCHA_TEMPLATE_PATH /var/lib/crowdsec/lua/haproxy/templates/captcha.html
+    setenv CROWDSEC_BAN_TEMPLATE_PATH /var/lib/crowdsec-haproxy-spoa-bouncer/html/ban.html
+    setenv CROWDSEC_CAPTCHA_TEMPLATE_PATH /var/lib/crowdsec-haproxy-spoa-bouncer/html/captcha.html
 
 defaults
     log global
@@ -31,9 +31,9 @@ frontend test
     # tcp-request content reject if { var(txn.crowdsec.remediation) -m str "ban" }
 
     ## Set a custom header on the request for upstream services to use
-    http-request set-header X-CrowdSec-Remediation %[var(txn.crowdsec.remediation)] if { var(txn.crowdsec.remediation) -m found }
+    http-request set-header X-Crowdsec-Remediation %[var(txn.crowdsec.remediation)] if { var(txn.crowdsec.remediation) -m found }
     ## Set a custom header on the request for upstream services to use
-    http-request set-header X-CrowdSec-IsoCode %[var(txn.crowdsec.isocode)] if { var(txn.crowdsec.isocode) -m found }
+    http-request set-header X-Crowdsec-IsoCode %[var(txn.crowdsec.isocode)] if { var(txn.crowdsec.isocode) -m found }
 
     ## Handle 302 redirect for successful captcha validation (native HAProxy redirect)
     http-request redirect code 302 location %[var(txn.crowdsec.redirect)] if { var(txn.crowdsec.remediation) -m str "allow" } { var(txn.crowdsec.redirect) -m found }
diff --git a/debian/rules b/debian/rules
index 5172f2d..525e0d3 100644
--- a/debian/rules
+++ b/debian/rules
@@ -30,7 +30,9 @@ override_dh_auto_install:
 	install -m 644 -D "lua/template.lua" "debian/$$PKG/usr/lib/$$PKG/lua/template.lua"; \
 	mkdir -p "debian/$$PKG/var/lib/$$PKG/html"; \
 	install -m 644 -D "templates/ban.html" "debian/$$PKG/var/lib/$$PKG/html/ban.html"; \
-	install -m 644 -D "templates/captcha.html" "debian/$$PKG/var/lib/$$PKG/html/captcha.html"
+	install -m 644 -D "templates/captcha.html" "debian/$$PKG/var/lib/$$PKG/html/captcha.html"; \
+	install -m 644 -D "templates/ban.tmpl" "debian/$$PKG/var/lib/$$PKG/html/ban.tmpl"; \
+	install -m 644 -D "templates/captcha.tmpl" "debian/$$PKG/var/lib/$$PKG/html/captcha.tmpl"
 
 execute_after_dh_fixperms:
 	@BOUNCER=crowdsec-spoa-bouncer; \
diff --git a/docker-compose.httptemplate-test.yaml b/docker-compose.httptemplate-test.yaml
new file mode 100644
index 0000000..fd0d360
--- /dev/null
+++ b/docker-compose.httptemplate-test.yaml
@@ -0,0 +1,68 @@
+services:
+  spoa:
+    image: crowdsecurity/crowdsec-spoa:latest
+    build:
+      context: .
+      dockerfile: Dockerfile
+    depends_on:
+      - crowdsec
+    volumes:
+      - sockets:/run/
+      - geodb:/var/lib/crowdsec/data/
+      - ./config/crowdsec-spoa-bouncer.yaml.local:/etc/crowdsec/bouncers/crowdsec-spoa-bouncer.yaml.local
+    networks:
+      crowdsec:
+        ipv4_address: 10.5.5.254
+    deploy:
+      resources:
+        limits:
+          cpus: "4.0"
+          memory: 250M
+
+  whoami:
+    image: traefik/whoami:latest
+    networks:
+      - crowdsec
+    command:
+       - --port=2020
+
+  haproxy:
+    image: haproxy:2.9.7-alpine
+    volumes:
+      - ./config/haproxy-httptemplate.cfg:/usr/local/etc/haproxy/haproxy.cfg
+      - ./config/crowdsec.cfg:/etc/haproxy/crowdsec.cfg
+      - sockets:/run/
+    ports:
+      - "9090:9090"
+    depends_on:
+      - crowdsec
+      - spoa
+      - whoami
+    networks:
+      - crowdsec
+  
+  crowdsec:
+    image: crowdsecurity/crowdsec:latest
+    environment:
+      - BOUNCER_KEY_SPOA=+4iYgItcalc9+0tWrvrj9R6Wded/W1IRwRtNmcWR9Ws
+      - DISABLE_ONLINE_API=true
+      - CROWDSEC_BYPASS_DB_VOLUME_CHECK=true
+    volumes:
+      - geodb:/staging/var/lib/crowdsec/data/
+    networks:
+      - crowdsec
+
+volumes:
+  sockets:
+    driver: local
+  geodb:
+    driver: local
+
+networks:
+  crowdsec:
+    driver: bridge
+    ipam:
+      driver: default
+      config:
+        - subnet: "10.5.5.0/24"
+
diff --git a/docker-compose.proxy-test.yaml b/docker-compose.proxy-test.yaml
index 65f61c3..b2963e4 100644
--- a/docker-compose.proxy-test.yaml
+++ b/docker-compose.proxy-test.yaml
@@ -8,8 +8,8 @@ services:
       - crowdsec
     volumes:
       - sockets:/run/
-      - templates:/var/lib/crowdsec/lua/haproxy/templates/
-      - lua:/usr/local/crowdsec/lua/haproxy/
+      - templates:/var/lib/crowdsec-haproxy-spoa-bouncer/html/
+      - lua:/usr/lib/crowdsec-haproxy-spoa-bouncer/lua/
       - geodb:/var/lib/crowdsec/data/
       - ./config/crowdsec-spoa-bouncer.yaml.local:/etc/crowdsec/bouncers/crowdsec-spoa-bouncer.yaml.local
     networks:
@@ -35,7 +35,7 @@ services:
       - ./config/haproxy-upstreamproxy.cfg:/usr/local/etc/haproxy/haproxy.cfg
       - ./config/crowdsec-upstreamproxy.cfg:/etc/haproxy/crowdsec.cfg
       - sockets:/run/
-      - templates:/var/lib/crowdsec/lua/haproxy/templates/
+      - templates:/var/lib/crowdsec-haproxy-spoa-bouncer/html/
       - lua:/usr/lib/crowdsec-haproxy-spoa-bouncer/lua/
     # HAProxy is now only accessible via nginx (not exposed directly)
     depends_on:
diff --git a/docker-compose.yaml b/docker-compose.yaml
index 7b89453..29af5b5 100644
--- a/docker-compose.yaml
+++ b/docker-compose.yaml
@@ -9,8 +9,8 @@ services:
       - crowdsec
     volumes:
       - sockets:/run/
-      - templates:/var/lib/crowdsec/lua/haproxy/templates/
-      - lua:/usr/local/crowdsec/lua/haproxy/
+      - templates:/var/lib/crowdsec-haproxy-spoa-bouncer/html/
+      - lua:/usr/lib/crowdsec-haproxy-spoa-bouncer/lua/
       - geodb:/var/lib/crowdsec/data/
       - ./config/crowdsec-spoa-bouncer.yaml.local:/etc/crowdsec/bouncers/crowdsec-spoa-bouncer.yaml.local
     networks:
@@ -37,7 +37,7 @@ services:
       - ./config/haproxy.cfg:/usr/local/etc/haproxy/haproxy.cfg
       - ./config/crowdsec.cfg:/etc/haproxy/crowdsec.cfg
       - sockets:/run/
-      - templates:/var/lib/crowdsec/lua/haproxy/templates/
+      - templates:/var/lib/crowdsec-haproxy-spoa-bouncer/html/
       - lua:/usr/lib/crowdsec-haproxy-spoa-bouncer/lua/
     ports:
       - "9090:9090"
diff --git a/internal/remediation/captcha/providers.go b/internal/remediation/captcha/providers.go
index 7f92040..85b9384 100644
--- a/internal/remediation/captcha/providers.go
+++ b/internal/remediation/captcha/providers.go
@@ -35,3 +35,12 @@ func ValidProvider(provider string) bool {
 	_, ok := providers[provider]
 	return ok
 }
+
+// GetProviderInfo returns the frontend key and JS URL for a given provider
+// Returns empty strings if the provider is not found
+func GetProviderInfo(provider string) (frontendKey, frontendJS string) {
+	if info, ok := providers[provider]; ok {
+		return info.key, info.js
+	}
+	return "", ""
+}
diff --git a/pkg/cfg/config.go b/pkg/cfg/config.go
index a98b041..8faacec 100644
--- a/pkg/cfg/config.go
+++ b/pkg/cfg/config.go
@@ -18,14 +18,30 @@ type PrometheusConfig struct {
 	ListenPort    string `yaml:"listen_port"`
 }
 
+type TLSConfig struct {
+	Enabled  bool   `yaml:"enabled"`
+	CertFile string `yaml:"cert_file"`
+	KeyFile  string `yaml:"key_file"`
+}
+
+type HTTPTemplateServerConfig struct {
+	Enabled         bool      `yaml:"enabled"`
+	ListenAddress   string    `yaml:"listen_addr"`
+	ListenPort      string    `yaml:"listen_port"`
+	TLS             TLSConfig `yaml:"tls"`
+	BanTemplate     string    `yaml:"ban_template_path"`
+	CaptchaTemplate string    `yaml:"captcha_template_path"`
+}
+
 type BouncerConfig struct {
-	Logging          cslogging.LoggingConfig `yaml:",inline"`
-	Hosts            []*host.Host            `yaml:"hosts"`
-	HostsDir         string                  `yaml:"hosts_dir"`
-	Geo              geo.GeoDatabase         `yaml:",inline"`
-	ListenTCP        string                  `yaml:"listen_tcp"`
-	ListenUnix       string                  `yaml:"listen_unix"`
-	PrometheusConfig PrometheusConfig        `yaml:"prometheus"`
+	Logging            cslogging.LoggingConfig  `yaml:",inline"`
+	Hosts              []*host.Host             `yaml:"hosts"`
+	HostsDir           string                   `yaml:"hosts_dir"`
+	Geo                geo.GeoDatabase          `yaml:",inline"`
+	ListenTCP          string                   `yaml:"listen_tcp"`
+	ListenUnix         string                   `yaml:"listen_unix"`
+	PrometheusConfig   PrometheusConfig         `yaml:"prometheus"`
+	HTTPTemplateServer HTTPTemplateServerConfig `yaml:"http_template_server"`
 }
 
 // MergedConfig() returns the byte content of the patched configuration file (with .yaml.local).
@@ -73,5 +89,23 @@ func (c *BouncerConfig) Validate() error {
 		return fmt.Errorf("configuration requires at least one listener: set listen_tcp or listen_unix")
 	}
 
+	// Validate HTTP template server configuration if enabled
+	if c.HTTPTemplateServer.Enabled {
+		if c.HTTPTemplateServer.ListenAddress == "" {
+			return fmt.Errorf("http_template_server.listen_addr is required when http_template_server.enabled is true")
+		}
+		if c.HTTPTemplateServer.ListenPort == "" {
+			return fmt.Errorf("http_template_server.listen_port is required when http_template_server.enabled is true")
+		}
+		if c.HTTPTemplateServer.TLS.Enabled {
+			if c.HTTPTemplateServer.TLS.CertFile == "" {
+				return fmt.Errorf("http_template_server.tls.cert_file is required when http_template_server.tls.enabled is true")
+			}
+			if c.HTTPTemplateServer.TLS.KeyFile == "" {
+				return fmt.Errorf("http_template_server.tls.key_file is required when http_template_server.tls.enabled is true")
+			}
+		}
+	}
+
 	return nil
 }
diff --git a/pkg/httptemplate/server.go b/pkg/httptemplate/server.go
new file mode 100644
index 0000000..7882351
--- /dev/null
+++ b/pkg/httptemplate/server.go
@@ -0,0 +1,287 @@
+package httptemplate
+
+import (
+	"context"
+	"fmt"
+	"net"
+	"net/http"
+	"os"
+	"path/filepath"
+	"strings"
+	"time"
+
+	"github.com/crowdsecurity/crowdsec-spoa/internal/remediation/captcha"
+	"github.com/crowdsecurity/crowdsec-spoa/pkg/cfg"
+	"github.com/crowdsecurity/crowdsec-spoa/pkg/host"
+	"github.com/crowdsecurity/crowdsec-spoa/pkg/template"
+	log "github.com/sirupsen/logrus"
+)
+
+// Server represents the HTTP template server
+type Server struct {
+	config          *cfg.HTTPTemplateServerConfig
+	logger          *log.Entry
+	server          *http.Server
+	banRenderer     *template.Renderer
+	captchaRenderer *template.Renderer
+	hostManager     *host.Manager
+}
+
+// NewServer creates a new HTTP template server
+func NewServer(config *cfg.HTTPTemplateServerConfig, hostManager *host.Manager, logger *log.Entry) (*Server, error) {
+	if config == nil {
+		return nil, fmt.Errorf("http template server config is nil")
+	}
+
+	if !config.Enabled {
+		return nil, fmt.Errorf("http template server is not enabled")
+	}
+
+	s := &Server{
+		config:      config,
+		logger:      logger.WithField("component", "http_template_server"),
+		hostManager: hostManager,
+	}
+
+	// Load ban template
+	banTemplatePath := config.BanTemplate
+	if banTemplatePath == "" {
+		banTemplatePath = "/var/lib/crowdsec-haproxy-spoa-bouncer/html/ban.tmpl"
+	}
+	var err error
+	s.banRenderer, err = s.loadTemplate("ban", banTemplatePath)
+	if err != nil {
+		return nil, fmt.Errorf("failed to load ban template: %w", err)
+	}
+
+	// Load captcha template
+	captchaTemplatePath := config.CaptchaTemplate
+	if captchaTemplatePath == "" {
+		captchaTemplatePath = "/var/lib/crowdsec-haproxy-spoa-bouncer/html/captcha.tmpl"
+	}
+	s.captchaRenderer, err = s.loadTemplate("captcha", captchaTemplatePath)
+	if err != nil {
+		return nil, fmt.Errorf("failed to load captcha template: %w", err)
+	}
+
+	// Setup HTTP routes
+	mux := http.NewServeMux()
+	// Catch-all route that handles both ban and captcha based on header
+	// This allows HAProxy to route to any path without needing to set-path
+	mux.HandleFunc("/", s.handleRender)
+
+	// Create HTTP server
+	listenAddr := net.JoinHostPort(config.ListenAddress, config.ListenPort)
+	s.server = &http.Server{
+		Addr:         listenAddr,
+		Handler:      mux,
+		ReadTimeout:  15 * time.Second,
+		WriteTimeout: 15 * time.Second,
+		IdleTimeout:  60 * time.Second,
+	}
+
+	return s, nil
+}
+
+// loadTemplate loads a template from a file path and returns a renderer
+func (s *Server) loadTemplate(name, path string) (*template.Renderer, error) {
+	// Use the provided path directly - it should be absolute or configured by the user
+	templatePath := path
+	if !filepath.IsAbs(path) {
+		// If relative path provided, make it relative to the standard template directory
+		const templateDir = "/var/lib/crowdsec-haproxy-spoa-bouncer/html"
+		templatePath = filepath.Join(templateDir, path)
+	}
+
+	content, err := os.ReadFile(templatePath)
+	if err != nil {
+		return nil, fmt.Errorf("failed to read template file %s: %w", templatePath, err)
+	}
+
+	renderer, err := template.NewRenderer(string(content))
+	if err != nil {
+		return nil, fmt.Errorf("failed to create renderer: %w", err)
+	}
+
+	s.logger.WithField("template", name).WithField("path", templatePath).Info("loaded template")
+	return renderer, nil
+}
+
+// handleRender is the main endpoint that handles both ban and captcha rendering
+// It reads the remediation type from X-CrowdSec-Remediation header (set by HAProxy)
+// It looks up host configuration using the Host header to get ban/captcha settings
+// Security: HAProxy must delete any user-provided headers and set them from transaction variables
+func (s *Server) handleRender(w http.ResponseWriter, r *http.Request) {
+	// Get remediation from header (set by HAProxy from transaction variables)
+	// HAProxy configuration should use del-header before set-header to ensure user values are ignored
+	remediation := r.Header.Get("X-Crowdsec-Remediation")
+	if remediation == "" {
+		s.logger.WithFields(log.Fields{
+			"remote_addr": r.RemoteAddr,
+			"headers":     r.Header,
+		}).Warn("X-CrowdSec-Remediation header not found, returning 400")
+		http.Error(w, "Bad Request: Missing X-CrowdSec-Remediation header", http.StatusBadRequest)
+		return
+	}
+
+	// Get hostname from Host header (HAProxy forwards the original Host header)
+	hostname := r.Host
+	if hostname == "" {
+		s.logger.Warn("Host header not found, cannot match host configuration")
+		http.Error(w, "Bad Request: Missing Host header", http.StatusBadRequest)
+		return
+	}
+
+	// Look up host configuration
+	matchedHost := s.hostManager.MatchFirstHost(hostname)
+	if matchedHost == nil {
+		s.logger.WithField("hostname", hostname).Warn("no matching host configuration found")
+		// If captcha and no host, we can't proceed (same logic as SPOA)
+		if remediation == "captcha" {
+			s.logger.Warn("captcha remediation but no host found, cannot render captcha")
+			http.Error(w, "Internal Server Error: No host configuration for captcha", http.StatusInternalServerError)
+			return
+		}
+		// For ban, we can still render with empty data
+		matchedHost = nil
+	}
+
+	// Build template data from host configuration
+	data := s.buildTemplateData(remediation, matchedHost)
+
+	// Log for security monitoring
+	s.logger.WithFields(log.Fields{
+		"remediation": remediation,
+		"hostname":    hostname,
+		"remote_addr": r.RemoteAddr,
+		"host_found":  matchedHost != nil,
+	}).Debug("handling render request")
+
+	var renderer *template.Renderer
+	var statusCode int
+
+	switch remediation {
+	case "ban":
+		renderer = s.banRenderer
+		statusCode = http.StatusForbidden
+	case "captcha":
+		if matchedHost == nil {
+			s.logger.Error("captcha remediation but no host configuration found")
+			http.Error(w, "Internal Server Error: No host configuration for captcha", http.StatusInternalServerError)
+			return
+		}
+		renderer = s.captchaRenderer
+		statusCode = http.StatusOK
+	case "allow":
+		// Allow should be handled by HAProxy redirect, but if it reaches here, return 200
+		s.logger.Warn("handleRender called for 'allow' remediation - this should be handled by HAProxy redirect")
+		http.Error(w, "Bad Request: Allow remediation should use HAProxy redirect", http.StatusBadRequest)
+		return
+	default:
+		s.logger.WithField("remediation", remediation).Warn("unknown remediation type")
+		http.Error(w, fmt.Sprintf("Bad Request: Unknown remediation type: %s", remediation), http.StatusBadRequest)
+		return
+	}
+
+	// Set headers
+	w.Header().Set("Cache-Control", "no-cache, no-store")
+
+	// For HEAD requests, always return 403 for ban and captcha remediations
+	if r.Method == http.MethodHead {
+		w.WriteHeader(http.StatusForbidden)
+		return
+	}
+
+	// Check if client accepts HTML
+	if !s.acceptsHTML(r) {
+		w.Header().Set("Content-Type", "text/plain; charset=utf-8")
+		w.WriteHeader(http.StatusForbidden)
+		if _, err := w.Write([]byte("Forbidden")); err != nil {
+			s.logger.WithError(err).Error("failed to write response")
+		}
+		return
+	}
+
+	w.Header().Set("Content-Type", "text/html; charset=utf-8")
+	w.WriteHeader(statusCode)
+
+	// Render template directly to response writer
+	if err := renderer.Render(w, data); err != nil {
+		s.logger.WithError(err).Error("failed to render template")
+		// Headers already sent, can't send error response
+		return
+	}
+}
+
+// buildTemplateData builds template data from host configuration
+// If matchedHost is nil, returns empty data (for ban without host config)
+func (s *Server) buildTemplateData(remediation string, matchedHost *host.Host) template.TemplateData {
+	data := template.TemplateData{}
+
+	if matchedHost == nil {
+		// No host configuration - return empty data
+		// This is acceptable for ban remediation but not for captcha
+		return data
+	}
+
+	// Extract ban configuration
+	data.ContactUsURL = matchedHost.Ban.ContactUsURL
+
+	// Extract captcha configuration
+	if remediation == "captcha" && matchedHost.Captcha.Provider != "" {
+		data.CaptchaSiteKey = matchedHost.Captcha.SiteKey
+		data.CaptchaFrontendKey, data.CaptchaFrontendJS = captcha.GetProviderInfo(matchedHost.Captcha.Provider)
+	}
+
+	return data
+}
+
+// acceptsHTML checks if the request accepts HTML content
+func (s *Server) acceptsHTML(r *http.Request) bool {
+	accept := r.Header.Get("Accept")
+	if accept == "" {
+		return true // Default to HTML if no Accept header
+	}
+	return strings.Contains(accept, "text/html") || strings.Contains(accept, "*/*")
+}
+
+// Serve starts the HTTP server
+func (s *Server) Serve(ctx context.Context) error {
+	listenAddr := s.server.Addr
+	protocol := "HTTP"
+	if s.config.TLS.Enabled {
+		protocol = "HTTPS"
+	}
+
+	s.logger.WithFields(log.Fields{
+		"address":  listenAddr,
+		"protocol": protocol,
+	}).Info("starting HTTP template server")
+
+	serverError := make(chan error, 1)
+
+	go func() {
+		var err error
+		if s.config.TLS.Enabled {
+			err = s.server.ListenAndServeTLS(s.config.TLS.CertFile, s.config.TLS.KeyFile)
+		} else {
+			err = s.server.ListenAndServe()
+		}
+		if err != nil && err != http.ErrServerClosed {
+			serverError <- err
+		}
+	}()
+
+	select {
+	case err := <-serverError:
+		return fmt.Errorf("HTTP template server error: %w", err)
+	case <-ctx.Done():
+		return nil
+	}
+}
+
+// Shutdown gracefully shuts down the HTTP server
+func (s *Server) Shutdown(ctx context.Context) error {
+	s.logger.Info("shutting down HTTP template server")
+	return s.server.Shutdown(ctx)
+}
diff --git a/pkg/template/renderer.go b/pkg/template/renderer.go
new file mode 100644
index 0000000..28c179f
--- /dev/null
+++ b/pkg/template/renderer.go
@@ -0,0 +1,44 @@
+package template
+
+import (
+	"fmt"
+	"io"
+	"text/template"
+)
+
+// TemplateData holds the data for template rendering
+type TemplateData struct {
+	// Ban template fields
+	ContactUsURL string
+
+	// Captcha template fields
+	CaptchaSiteKey     string
+	CaptchaFrontendKey string
+	CaptchaFrontendJS  string
+}
+
+// Renderer handles template rendering using Go's native text/template package
+type Renderer struct {
+	tmpl *template.Template
+}
+
+// NewRenderer creates a new template renderer with the given template content
+func NewRenderer(templateContent string) (*Renderer, error) {
+	tmpl, err := template.New("template").Parse(templateContent)
+	if err != nil {
+		return nil, fmt.Errorf("failed to parse template: %w", err)
+	}
+
+	return &Renderer{
+		tmpl: tmpl,
+	}, nil
+}
+
+// Render renders the template with the given data directly to the provided io.Writer
+func (r *Renderer) Render(w io.Writer, data TemplateData) error {
+	if err := r.tmpl.Execute(w, data); err != nil {
+		return fmt.Errorf("failed to execute template: %w", err)
+	}
+
+	return nil
+}
diff --git a/rpm/SPECS/crowdsec-haproxy-spoa-bouncer.spec b/rpm/SPECS/crowdsec-haproxy-spoa-bouncer.spec
index cf03b1e..1b4e130 100644
--- a/rpm/SPECS/crowdsec-haproxy-spoa-bouncer.spec
+++ b/rpm/SPECS/crowdsec-haproxy-spoa-bouncer.spec
@@ -48,6 +48,8 @@ install -m 644 -D lua/utils.lua %{buildroot}/usr/lib/%{name}/lua/utils.lua
 install -m 644 -D lua/template.lua %{buildroot}/usr/lib/%{name}/lua/template.lua
 install -m 644 -D templates/ban.html %{buildroot}%{_localstatedir}/lib/%{name}/html/ban.html
 install -m 644 -D templates/captcha.html %{buildroot}%{_localstatedir}/lib/%{name}/html/captcha.html
+install -m 644 -D templates/ban.tmpl %{buildroot}%{_localstatedir}/lib/%{name}/html/ban.tmpl
+install -m 644 -D templates/captcha.tmpl %{buildroot}%{_localstatedir}/lib/%{name}/html/captcha.tmpl
 
 %clean
 rm -rf %{buildroot}
@@ -65,6 +67,8 @@ rm -rf %{buildroot}
 /usr/lib/%{name}/lua/template.lua
 %{_localstatedir}/lib/%{name}/html/ban.html
 %{_localstatedir}/lib/%{name}/html/captcha.html
+%{_localstatedir}/lib/%{name}/html/ban.tmpl
+%{_localstatedir}/lib/%{name}/html/captcha.tmpl
 
 %post
 # Reload systemd units
diff --git a/templates/ban.tmpl b/templates/ban.tmpl
new file mode 100644
index 0000000..f357f15
--- /dev/null
+++ b/templates/ban.tmpl
@@ -0,0 +1,102 @@
+<!DOCTYPE html>
+<html lang="en">
+  <head>
+    <title>CrowdSec Ban</title>
+    <meta content="text/html; charset=utf-8" />
+    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+    <style>/*! tailwindcss v3.2.7 | MIT License | https://tailwindcss.com*/*,:after,:before{border:0 solid #e5e7eb;box-sizing:border-box}:after,:before{--tw-content:""}html{-webkit-text-size-adjust:100%;font-feature-settings:normal;font-family:ui-sans-serif,system-ui,-apple-system,BlinkMacSystemFont,Segoe UI,Roboto,Helvetica Neue,Arial,Noto Sans,sans-serif,Apple Color Emoji,Segoe UI Emoji,Segoe UI Symbol,Noto Color Emoji;line-height:1.5;-moz-tab-size:4;-o-tab-size:4;tab-size:4}body{line-height:inherit;margin:0}hr{border-top-width:1px;color:inherit;height:0}abbr:where([title]){-webkit-text-decoration:underline dotted;text-decoration:underline dotted}h1,h2,h3,h4,h5,h6{font-size:inherit;font-weight:inherit}a{color:inherit;text-decoration:inherit}b,strong{font-weight:bolder}code,kbd,pre,samp{font-family:ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,Liberation Mono,Courier New,monospace;font-size:1em}small{font-size:80%}sub,sup{font-size:75%;line-height:0;position:relative;vertical-align:initial}sub{bottom:-.25em}sup{top:-.5em}table{border-collapse:collapse;border-color:inherit;text-indent:0}button,input,optgroup,select,textarea{color:inherit;font-family:inherit;font-size:100%;font-weight:inherit;line-height:inherit;margin:0;padding:0}button,select{text-transform:none}[type=button],[type=reset],[type=submit],button{-webkit-appearance:button;background-color:initial;background-image:none}:-moz-focusring{outline:auto}:-moz-ui-invalid{box-shadow:none}progress{vertical-align:initial}::-webkit-inner-spin-button,::-webkit-outer-spin-button{height:auto}[type=search]{-webkit-appearance:textfield;outline-offset:-2px}::-webkit-search-decoration{-webkit-appearance:none}::-webkit-file-upload-button{-webkit-appearance:button;font:inherit}summary{display:list-item}blockquote,dd,dl,figure,h1,h2,h3,h4,h5,h6,hr,p,pre{margin:0}fieldset{margin:0}fieldset,legend{padding:0}menu,ol,ul{list-style:none;margin:0;padding:0}textarea{resize:vertical}input::-moz-placeholder,textarea::-moz-placeholder{color:#9ca3af;opacity:1}input::placeholder,textarea::placeholder{color:#9ca3af;opacity:1}[role=button],button{cursor:pointer}:disabled{cursor:default}audio,canvas,embed,iframe,img,object,svg,video{display:block;vertical-align:middle}img,video{height:auto;max-width:100%}[hidden]{display:none}*,::backdrop,:after,:before{--tw-border-spacing-x:0;--tw-translate-x:0;--tw-rotate:0;--tw-skew-x:0;--tw-skew-y:0;--tw-scale-x:1;--tw-scale-y:1;--tw-pan-x: ;--tw-pan-y: ;--tw-pinch-zoom: ;--tw-scroll-snap-strictness:proximity;--tw-ordinal: ;--tw-slashed-zero: ;--tw-numeric-figure: ;--tw-numeric-spacing: ;--tw-numeric-fraction: ;--tw-ring-inset: ;--tw-ring-offset-width:0px;--tw-ring-offset-color:#fff;--tw-ring-color:#3b82f680;--tw-ring-offset-shadow:0 0 #0000;--tw-ring-shadow:0 0 #0000;--tw-shadow:0 0 #0000;--tw-shadow-colored:0 0 #0000;--tw-blur: ;--tw-brightness: ;--tw-contrast: ;--tw-grayscale: ;--tw-hue-rotate: ;--tw-invert: ;--tw-saturate: ;--tw-sepia: ;--tw-drop-shadow: ;--tw-backdrop-blur: ;--tw-backdrop-brightness: ;--tw-backdrop-contrast: ;--tw-backdrop-grayscale: ;--tw-backdrop-hue-rotate: ;--tw-backdrop-invert: ;--tw-backdrop-opacity: ;--tw-backdrop-saturate: ;--tw-backdrop-sepia: }.fixed{position:fixed}.right-0{right:0}.top-0{top:0}.flex{display:flex}.h-24{height:6rem}.h-3\/5{height:60%}.h-6{height:1.5rem}.h-full{height:100%}.h-screen{height:100vh}.w-24{width:6rem}.w-6{width:1.5rem}.w-full{width:100%}.w-screen{width:100vw}.flex-col{flex-direction:column}.items-center{align-items:center}.justify-center{justify-content:center}.justify-between{justify-content:space-between}.space-y-1>:not([hidden])~:not([hidden]){--tw-space-y-reverse:0;margin-bottom:calc(.25rem*var(--tw-space-y-reverse));margin-top:calc(.25rem*(1 - var(--tw-space-y-reverse)))}.space-y-4>:not([hidden])~:not([hidden]){--tw-space-y-reverse:0;margin-bottom:calc(1rem*var(--tw-space-y-reverse));margin-top:calc(1rem*(1 - var(--tw-space-y-reverse)))}.rounded{border-radius:.25rem}.rounded-xl{border-radius:.75rem}.border-2{border-width:2px}.border-black{--tw-border-opacity:1;border-color:rgb(0 0 0/var(--tw-border-opacity))}.bg-blue-500{--tw-bg-opacity:1;background-color:rgb(59 130 246/var(--tw-bg-opacity))}.p-4{padding:1rem}.px-4{padding-left:1rem;padding-right:1rem}.py-2{padding-bottom:.5rem;padding-top:.5rem}.text-2xl{font-size:1.5rem;line-height:2rem}.text-sm{font-size:.875rem;line-height:1.25rem}.text-xl{font-size:1.25rem;line-height:1.75rem}.font-bold{font-weight:700}.text-white{--tw-text-opacity:1;color:rgb(255 255 255/var(--tw-text-opacity))}.hover\:bg-blue-700:hover{--tw-bg-opacity:1;background-color:rgb(29 78 216/var(--tw-bg-opacity))}.dark .dark\:border-white{--tw-border-opacity:1;border-color:rgb(255 255 255/var(--tw-border-opacity))}.dark .dark\:bg-slate-900{--tw-bg-opacity:1;background-color:rgb(15 23 42/var(--tw-bg-opacity))}.dark .dark\:text-white{--tw-text-opacity:1;color:rgb(255 255 255/var(--tw-text-opacity))}@media (min-width:640px){.sm\:w-2\/3{width:66.666667%}}@media (min-width:768px){.md\:h-2\/5{height:40%}.md\:flex-row{flex-direction:row}.md\:text-2xl{font-size:1.5rem;line-height:2rem}.md\:text-lg{font-size:1.125rem;line-height:1.75rem}}@media (min-width:1024px){.lg\:w-1\/2{width:50%}.lg\:text-3xl{font-size:1.875rem;line-height:2.25rem}.lg\:text-xl{font-size:1.25rem;line-height:1.75rem}}@media (min-width:1280px){.xl\:text-4xl{font-size:2.25rem;line-height:2.5rem}}</style>
+</head>
+
+  <body class="h-screen w-screen">
+      <div class="h-full w-full flex flex-col justify-center items-center dark:bg-slate-900 dark:text-white">
+        <div class="flex flex-col justify-between items-center border-2 border-black dark:border-white rounded-xl p-4 h-3/5 md:h-2/5 w-full sm:w-2/3 lg:w-1/2">
+          <div class="fixed p-4 top-0 right-0 dark-mode-toggle"></div>
+          <div class="flex flex-col items-center space-y-4">
+            <svg fill="black" class="h-24 w-24" aria-hidden="true" focusable="false" data-prefix="fas" data-icon="exclamation-triangle" role="img" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 576 512" class="warning">
+              <path d="M569.517 440.013C587.975 472.007 564.806 512 527.94 512H48.054c-36.937 0-59.999-40.055-41.577-71.987L246.423 23.985c18.467-32.009 64.72-31.951 83.154 0l239.94 416.028zM288 354c-25.405 0-46 20.595-46 46s20.595 46 46 46 46-20.595 46-46-20.595-46-46-46zm-43.673-165.346l7.418 136c.347 6.364 5.609 11.346 11.982 11.346h48.546c6.373 0 11.635-4.982 11.982-11.346l7.418-136c.375-6.874-5.098-12.654-11.982-12.654h-63.383c-6.884 0-12.356 5.78-11.981 12.654z"></path>
+            </svg>
+            <h1 class="text-xl md:text-2xl lg:text-3xl xl:text-4xl"> CrowdSec Access Forbidden</h1>
+            <p class="lg:text-xl md:text-lg"> You are unable to visit the website.</p>
+            {{if ne .ContactUsURL ""}}
+            <a href="{{.ContactUsURL}}" class="bg-blue-500 hover:bg-blue-700 text-white font-bold py-2 px-4 rounded">
+              Contact Us
+            </a>
+            {{end}}
+          </div>
+          <div class="flex-col md:flex-row text-sm flex items-center">
+            <p>
+              This security check has been powered by
+            </p>
+            <a href="https://crowdsec.net/" target="_blank" rel="noopener" class="flex flex-col items-center">
+              <svg
+              fill="black"
+              width="33.92"
+              height="33.76"
+              viewBox="0 0 254.4 253.2"
+            >
+              <defs>
+                <clipPath id="a">
+                  <path d="M0 52h84v201.2H0zm0 0" />
+                </clipPath>
+                <clipPath id="b">
+                  <path d="M170 52h84.4v201.2H170zm0 0" />
+                </clipPath>
+              </defs>
+              <path
+                d="M59.3 128.4c1.4 2.3 2.5 4.6 3.4 7-1-4.1-2.3-8.1-4.3-12-3.1-6-7.8-5.8-10.7 0-2 4-3.2 8-4.3 12.1 1-2.4 2-4.8 3.4-7.1 3.4-5.8 8.8-6 12.5 0M207.8 128.4a42.9 42.9 0 013.4 7c-1-4.1-2.3-8.1-4.3-12-3.2-6-7.8-5.8-10.7 0-2 4-3.3 8-4.3 12.1.9-2.4 2-4.8 3.4-7.1 3.4-5.8 8.8-6 12.5 0M134.6 92.9c2 3.5 3.6 7 4.8 10.7-1.3-5.4-3-10.6-5.6-15.7-4-7.5-9.7-7.2-13.3 0a75.4 75.4 0 00-5.6 16c1.2-3.8 2.7-7.4 4.7-11 4.1-7.2 10.6-7.5 15 0M43.8 136.8c.9 4.6 3.7 8.3 7.3 9.2 0 2.7 0 5.5.2 8.2.3 3.3.4 6.6 1 9.6.3 2.3 1 2.2 1.3 0 .5-3 .6-6.3 1-9.6l.2-8.2c3.5-1 6.4-4.6 7.2-9.2a17.8 17.8 0 01-9 2.4c-3.5 0-6.6-1-9.2-2.4M192.4 136.8c.8 4.6 3.7 8.3 7.2 9.2 0 2.7 0 5.5.3 8.2.3 3.3.4 6.6 1 9.6.3 2.3.9 2.2 1.2 0 .6-3 .7-6.3 1-9.6.2-2.7.3-5.5.2-8.2 3.6-1 6.4-4.6 7.3-9.2a17.8 17.8 0 01-9.1 2.4c-3.4 0-6.6-1-9.1-2.4M138.3 104.6c-3.1 1.9-7 3-11.3 3-4.3 0-8.2-1.1-11.3-3 1 5.8 4.5 10.3 9 11.5 0 3.4 0 6.8.3 10.2.4 4.1.5 8.2 1.2 12 .4 2.9 1.2 2.7 1.6 0 .7-3.8.8-7.9 1.2-12 .3-3.4.3-6.8.3-10.2 4.5-1.2 8-5.7 9-11.5"
+              />
+              <path
+                d="M51 146c0 2.7.1 5.5.3 8.2.3 3.3.4 6.6 1 9.6.3 2.3 1 2.2 1.3 0 .5-3 .6-6.3 1-9.6l.2-8.2c3.5-1 6.4-4.6 7.2-9.2a17.8 17.8 0 01-9 2.4c-3.5 0-6.6-1-9.2-2.4.9 4.6 3.7 8.3 7.3 9.2M143.9 105c-1.9-.4-3.5-1.2-4.9-2.3 1.4 5.6 2.5 11.3 4 17 1.2 5 2 10 2.4 15 .6 7.8-4.5 14.5-10.9 14.5h-15c-6.4 0-11.5-6.7-11-14.5.5-5 1.3-10 2.6-15 1.3-5.3 2.3-10.5 3.6-15.7-2.2 1.2-4.8 1.9-7.7 2-4.7.1-9.4-.3-14-1-4-.4-6.7-3-8-6.7-1.3-3.4-2-7-3.3-10.4-.5-1.5-1.6-2.8-2.4-4.2-.4-.6-.8-1.2-.9-1.8v-7.8a77 77 0 0124.5-3c6.1 0 12 1 17.8 3.2 4.7 1.7 9.7 1.8 14.4 0 9-3.4 18.2-3.8 27.5-3 4.9.5 9.8 1.6 14.8 2.4v8.2c0 .6-.3 1.5-.7 1.7-2 .9-2.2 2.7-2.7 4.5-.9 3.2-1.8 6.4-2.9 9.5a11 11 0 01-8.8 7.7 40.6 40.6 0 01-18.4-.2m29.4 80.6c-3.2-26.8-6.4-50-8.9-60.7a14.3 14.3 0 0014.1-14h.4a9 9 0 005.6-16.5 14.3 14.3 0 00-3.7-27.2 9 9 0 00-6.9-14.6c2.4-1.1 4.5-3 5.8-5 3.4-5.3 4-29-8-44.4-5-6.3-9.8-2.5-10 1.8-1 13.2-1.1 23-4.5 34.3a9 9 0 00-16-4.1 14.3 14.3 0 00-28.4 0 9 9 0 00-16 4.1c-3.4-11.2-3.5-21.1-4.4-34.3-.3-4.3-5.2-8-10-1.8-12 15.3-11.5 39-8.1 44.4 1.3 2 3.4 3.9 5.8 5a9 9 0 00-7 14.6 14.3 14.3 0 00-3.6 27.2A9 9 0 0075 111h.5a14.5 14.5 0 0014.3 14c-4 17.2-10 66.3-15 111.3l-1.3 13.4a1656.4 1656.4 0 01106.6 0l-1.4-12.7-5.4-51.3"
+              />
+              <g clip-path="url(#a)">
+                <path
+                  d="M83.5 136.6l-2.3.7c-5 1-9.8 1-14.8-.2-1.4-.3-2.7-1-3.8-1.9l3.1 13.7c1 4 1.7 8 2 12 .5 6.3-3.6 11.6-8.7 11.6H46.9c-5.1 0-9.2-5.3-8.7-11.6.3-4 1-8 2-12 1-4.2 1.8-8.5 2.9-12.6-1.8 1-3.9 1.5-6.3 1.6a71 71 0 01-11.1-.7 7.7 7.7 0 01-6.5-5.5c-1-2.7-1.6-5.6-2.6-8.3-.4-1.2-1.3-2.3-2-3.4-.2-.4-.6-1-.6-1.4v-6.3c6.4-2 13-2.6 19.6-2.5 4.9.1 9.6 1 14.2 2.6 3.9 1.4 7.9 1.5 11.7 0 1.8-.7 3.6-1.2 5.5-1.6a13 13 0 01-1.6-15.5A18.3 18.3 0 0159 73.1a11.5 11.5 0 00-17.4 8.1 7.2 7.2 0 00-12.9 3.3c-2.7-9-2.8-17-3.6-27.5-.2-3.4-4-6.5-8-1.4C7.5 67.8 7.9 86.9 10.6 91c1.1 1.7 2.8 3.1 4.7 4a7.2 7.2 0 00-5.6 11.7 11.5 11.5 0 00-2.9 21.9 7.2 7.2 0 004.5 13.2h.3c0 .6 0 1.1.2 1.7.9 5.4 5.6 9.5 11.3 9.5A1177.2 1177.2 0 0010 253.2c18.1-1.5 38.1-2.6 59.5-3.4.4-4.6.8-9.3 1.4-14 1.2-11.6 3.3-30.5 5.7-49.7 2.2-18 4.7-36.3 7-49.5"
+                />
+              </g>
+              <g clip-path="url(#b)">
+                <path
+                  d="M254.4 118.2c0-5.8-4.2-10.5-9.7-11.4a7.2 7.2 0 00-5.6-11.7c2-.9 3.6-2.3 4.7-4 2.7-4.2 3.1-23.3-6.5-35.5-4-5.1-7.8-2-8 1.4-.8 10.5-.9 18.5-3.6 27.5a7.2 7.2 0 00-12.8-3.3 11.5 11.5 0 00-17.8-7.9 18.4 18.4 0 01-4.5 22 13 13 0 01-1.3 15.2c2.4.5 4.8 1 7.1 2 3.8 1.3 7.8 1.4 11.6 0 7.2-2.8 14.6-3 22-2.4 4 .4 7.9 1.2 12 1.9l-.1 6.6c0 .5-.2 1.2-.5 1.3-1.7.7-1.8 2.2-2.2 3.7l-2.3 7.6a8.8 8.8 0 01-7 6.1c-5 1-10 1-14.9-.2-1.5-.3-2.8-1-3.9-1.9 1.2 4.5 2 9.1 3.2 13.7 1 4 1.6 8 2 12 .4 6.3-3.6 11.6-8.8 11.6h-12c-5.2 0-9.3-5.3-8.8-11.6.4-4 1-8 2-12 1-4.2 1.9-8.5 3-12.6-1.8 1-4 1.5-6.3 1.6-3.7 0-7.5-.3-11.2-.7a7.7 7.7 0 01-3.7-1.5c3.1 18.4 7.1 51.2 12.5 100.9l.6 5.3.8 7.9c21.4.7 41.5 1.9 59.7 3.4L243 243l-4.4-41.2a606 606 0 00-7-48.7 11.5 11.5 0 0011.2-11.2h.4a7.2 7.2 0 004.4-13.2c4-1.8 6.8-5.8 6.8-10.5"
+                />
+              </g>
+              <path
+                d="M180 249.6h.4a6946 6946 0 00-7.1-63.9l5.4 51.3 1.4 12.6M164.4 125c2.5 10.7 5.7 33.9 8.9 60.7a570.9 570.9 0 00-8.9-60.7M74.8 236.3l-1.4 13.4 1.4-13.4"
+              />
+            </svg>
+            <span>
+              CrowdSec
+            </span>
+          </a>
+        </div>
+        </div>
+      </div>
+      <script>
+        const moonSvgString = '<svg fill="black" class="h-6 w-6" viewBox="0 0 35 35" data-name="Layer 2" id="Layer_2" xmlns="http://www.w3.org/2000/svg"><path d="M18.44,34.68a18.22,18.22,0,0,1-2.94-.24,18.18,18.18,0,0,1-15-20.86A18.06,18.06,0,0,1,9.59.63,2.42,2.42,0,0,1,12.2.79a2.39,2.39,0,0,1,1,2.41L11.9,3.1l1.23.22A15.66,15.66,0,0,0,23.34,21h0a15.82,15.82,0,0,0,8.47.53A2.44,2.44,0,0,1,34.47,25,18.18,18.18,0,0,1,18.44,34.68ZM10.67,2.89a15.67,15.67,0,0,0-5,22.77A15.66,15.66,0,0,0,32.18,24a18.49,18.49,0,0,1-9.65-.64A18.18,18.18,0,0,1,10.67,2.89Z"/></svg>'
+        const sunSvgString = '<svg class="h-6 w-6" viewBox="0 0 24 24" fill="white" xmlns="http://www.w3.org/2000/svg"><path d="M3 12H5M5.00006 19L7.00006 17M12 19V21M17 17L19 19M5 5L7 7M19 12H21M16.9999 7L18.9999 5M12 3V5M15 12C15 13.6569 13.6569 15 12 15C10.3431 15 9 13.6569 9 12C9 10.3431 10.3431 9 12 9C13.6569 9 15 10.3431 15 12Z" stroke="white" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round"/></svg>'
+        const svg = Array.from(document.querySelectorAll('svg'));
+        const button = document.querySelector('.dark-mode-toggle');
+        window.onload = () => {
+          if (window.matchMedia && window.matchMedia('(prefers-color-scheme: dark)').matches) {
+            document.body.classList.add('dark');
+            svg.forEach(element => {
+              element.setAttribute('fill', 'white');
+            });
+            button.innerHTML = sunSvgString;
+          } else {
+            button.innerHTML = moonSvgString;
+          }
+          button.addEventListener('click', function() {
+          document.body.classList.toggle('dark');
+          svg.forEach(element => {
+            element.getAttribute('fill') === 'black' ? element.setAttribute('fill', 'white') : element.setAttribute('fill', 'black');
+          });
+          if (document.body.classList.contains('dark')) {
+              button.innerHTML = sunSvgString;
+          } else {
+              button.innerHTML = moonSvgString;
+          }
+      });
+        };
+      </script>
+  </body>
+</html>
+
diff --git a/templates/captcha.tmpl b/templates/captcha.tmpl
new file mode 100644
index 0000000..1494a01
--- /dev/null
+++ b/templates/captcha.tmpl
@@ -0,0 +1,141 @@
+<!DOCTYPE html>
+<html lang="en">
+  <head>
+    <title>CrowdSec Captcha</title>
+    <meta content="text/html; charset=utf-8" />
+    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+    <style>/*! tailwindcss v3.2.7 | MIT License | https://tailwindcss.com*/*,:after,:before{border:0 solid #e5e7eb;box-sizing:border-box}:after,:before{--tw-content:""}html{-webkit-text-size-adjust:100%;font-feature-settings:normal;font-family:ui-sans-serif,system-ui,-apple-system,BlinkMacSystemFont,Segoe UI,Roboto,Helvetica Neue,Arial,Noto Sans,sans-serif,Apple Color Emoji,Segoe UI Emoji,Segoe UI Symbol,Noto Color Emoji;line-height:1.5;-moz-tab-size:4;-o-tab-size:4;tab-size:4}body{line-height:inherit;margin:0}hr{border-top-width:1px;color:inherit;height:0}abbr:where([title]){-webkit-text-decoration:underline dotted;text-decoration:underline dotted}h1,h2,h3,h4,h5,h6{font-size:inherit;font-weight:inherit}a{color:inherit;text-decoration:inherit}b,strong{font-weight:bolder}code,kbd,pre,samp{font-family:ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,Liberation Mono,Courier New,monospace;font-size:1em}small{font-size:80%}sub,sup{font-size:75%;line-height:0;position:relative;vertical-align:initial}sub{bottom:-.25em}sup{top:-.5em}table{border-collapse:collapse;border-color:inherit;text-indent:0}button,input,optgroup,select,textarea{color:inherit;font-family:inherit;font-size:100%;font-weight:inherit;line-height:inherit;margin:0;padding:0}button,select{text-transform:none}[type=button],[type=reset],[type=submit],button{-webkit-appearance:button;background-color:initial;background-image:none}:-moz-focusring{outline:auto}:-moz-ui-invalid{box-shadow:none}progress{vertical-align:initial}::-webkit-inner-spin-button,::-webkit-outer-spin-button{height:auto}[type=search]{-webkit-appearance:textfield;outline-offset:-2px}::-webkit-search-decoration{-webkit-appearance:none}::-webkit-file-upload-button{-webkit-appearance:button;font:inherit}summary{display:list-item}blockquote,dd,dl,figure,h1,h2,h3,h4,h5,h6,hr,p,pre{margin:0}fieldset{margin:0}fieldset,legend{padding:0}menu,ol,ul{list-style:none;margin:0;padding:0}textarea{resize:vertical}input::-moz-placeholder,textarea::-moz-placeholder{color:#9ca3af;opacity:1}input::placeholder,textarea::placeholder{color:#9ca3af;opacity:1}[role=button],button{cursor:pointer}:disabled{cursor:default}audio,canvas,embed,iframe,img,object,svg,video{display:block;vertical-align:middle}img,video{height:auto;max-width:100%}[hidden]{display:none}*,::backdrop,:after,:before{--tw-border-spacing-x:0;--tw-translate-x:0;--tw-rotate:0;--tw-skew-x:0;--tw-skew-y:0;--tw-scale-x:1;--tw-scale-y:1;--tw-pan-x: ;--tw-pan-y: ;--tw-pinch-zoom: ;--tw-scroll-snap-strictness:proximity;--tw-ordinal: ;--tw-slashed-zero: ;--tw-numeric-figure: ;--tw-numeric-spacing: ;--tw-numeric-fraction: ;--tw-ring-inset: ;--tw-ring-offset-width:0px;--tw-ring-offset-color:#fff;--tw-ring-color:#3b82f680;--tw-ring-offset-shadow:0 0 #0000;--tw-ring-shadow:0 0 #0000;--tw-shadow:0 0 #0000;--tw-shadow-colored:0 0 #0000;--tw-blur: ;--tw-brightness: ;--tw-contrast: ;--tw-grayscale: ;--tw-hue-rotate: ;--tw-invert: ;--tw-saturate: ;--tw-sepia: ;--tw-drop-shadow: ;--tw-backdrop-blur: ;--tw-backdrop-brightness: ;--tw-backdrop-contrast: ;--tw-backdrop-grayscale: ;--tw-backdrop-hue-rotate: ;--tw-backdrop-invert: ;--tw-backdrop-opacity: ;--tw-backdrop-saturate: ;--tw-backdrop-sepia: }.fixed{position:fixed}.right-0{right:0}.top-0{top:0}.flex{display:flex}.h-24{height:6rem}.h-3\/5{height:60%}.h-6{height:1.5rem}.h-full{height:100%}.h-screen{height:100vh}.w-24{width:6rem}.w-6{width:1.5rem}.w-full{width:100%}.w-screen{width:100vw}.flex-col{flex-direction:column}.items-center{align-items:center}.justify-center{justify-content:center}.justify-between{justify-content:space-between}.space-y-1>:not([hidden])~:not([hidden]){--tw-space-y-reverse:0;margin-bottom:calc(.25rem*var(--tw-space-y-reverse));margin-top:calc(.25rem*(1 - var(--tw-space-y-reverse)))}.space-y-4>:not([hidden])~:not([hidden]){--tw-space-y-reverse:0;margin-bottom:calc(1rem*var(--tw-space-y-reverse));margin-top:calc(1rem*(1 - var(--tw-space-y-reverse)))}.rounded{border-radius:.25rem}.rounded-xl{border-radius:.75rem}.border-2{border-width:2px}.border-black{--tw-border-opacity:1;border-color:rgb(0 0 0/var(--tw-border-opacity))}.bg-blue-500{--tw-bg-opacity:1;background-color:rgb(59 130 246/var(--tw-bg-opacity))}.p-4{padding:1rem}.px-4{padding-left:1rem;padding-right:1rem}.py-2{padding-bottom:.5rem;padding-top:.5rem}.text-2xl{font-size:1.5rem;line-height:2rem}.text-sm{font-size:.875rem;line-height:1.25rem}.text-xl{font-size:1.25rem;line-height:1.75rem}.font-bold{font-weight:700}.text-white{--tw-text-opacity:1;color:rgb(255 255 255/var(--tw-text-opacity))}.hover\:bg-blue-700:hover{--tw-bg-opacity:1;background-color:rgb(29 78 216/var(--tw-bg-opacity))}.dark .dark\:border-white{--tw-border-opacity:1;border-color:rgb(255 255 255/var(--tw-border-opacity))}.dark .dark\:bg-slate-900{--tw-bg-opacity:1;background-color:rgb(15 23 42/var(--tw-bg-opacity))}.dark .dark\:text-white{--tw-text-opacity:1;color:rgb(255 255 255/var(--tw-text-opacity))}@media (min-width:640px){.sm\:w-2\/3{width:66.666667%}}@media (min-width:768px){.md\:h-2\/5{height:40%}.md\:flex-row{flex-direction:row}.md\:text-2xl{font-size:1.5rem;line-height:2rem}.md\:text-lg{font-size:1.125rem;line-height:1.75rem}}@media (min-width:1024px){.lg\:w-1\/2{width:50%}.lg\:text-3xl{font-size:1.875rem;line-height:2.25rem}.lg\:text-xl{font-size:1.25rem;line-height:1.75rem}}@media (min-width:1280px){.xl\:text-4xl{font-size:2.25rem;line-height:2.5rem}}</style>
+    <script src="{{.CaptchaFrontendJS}}" async defer></script>
+</head>
+<body class="h-screen w-screen">
+  <div class="h-full w-full flex flex-col justify-center items-center dark:bg-slate-900 dark:text-white">
+    <div class="flex flex-col justify-between items-center border-2 border-black dark:border-white rounded-xl p-4 h-3/5 md:h-2/5 w-full sm:w-2/3 lg:w-1/2">
+      <div class="fixed p-4 top-0 right-0 dark-mode-toggle"></div>
+      <div class="flex flex-col items-center space-y-4">
+        <svg fill="black" class="h-24 w-24" aria-hidden="true" focusable="false" data-prefix="fas" data-icon="exclamation-triangle" role="img" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 576 512" class="warning">
+          <path d="M569.517 440.013C587.975 472.007 564.806 512 527.94 512H48.054c-36.937 0-59.999-40.055-41.577-71.987L246.423 23.985c18.467-32.009 64.72-31.951 83.154 0l239.94 416.028zM288 354c-25.405 0-46 20.595-46 46s20.595 46 46 46 46-20.595 46-46-20.595-46-46-46zm-43.673-165.346l7.418 136c.347 6.364 5.609 11.346 11.982 11.346h48.546c6.373 0 11.635-4.982 11.982-11.346l7.418-136c.375-6.874-5.098-12.654-11.982-12.654h-63.383c-6.884 0-12.356 5.78-11.981 12.654z"></path>
+        </svg>
+        <h1 class="text-2xl lg:text-3xl xl:text-4xl">CrowdSec Captcha</h1>
+        <form action="" method="POST" class="flex flex-col space-y-1" id="captcha-form">
+          <div id="captcha" class="{{.CaptchaFrontendKey}}" data-sitekey="{{.CaptchaSiteKey}}" data-callback="captchaCallback"></div>
+        </form>
+      </div>
+      <div class="flex-col md:flex-row text-sm flex items-center">
+        <p>
+          This security check has been powered by
+        </p>
+        <a href="https://crowdsec.net/" target="_blank" rel="noopener" class="flex flex-col items-center">
+          <svg
+          fill="black"
+          width="33.92"
+          height="33.76"
+          viewBox="0 0 254.4 253.2"
+        >
+          <defs>
+            <clipPath id="a">
+              <path d="M0 52h84v201.2H0zm0 0" />
+            </clipPath>
+            <clipPath id="b">
+              <path d="M170 52h84.4v201.2H170zm0 0" />
+            </clipPath>
+          </defs>
+          <path
+            d="M59.3 128.4c1.4 2.3 2.5 4.6 3.4 7-1-4.1-2.3-8.1-4.3-12-3.1-6-7.8-5.8-10.7 0-2 4-3.2 8-4.3 12.1 1-2.4 2-4.8 3.4-7.1 3.4-5.8 8.8-6 12.5 0M207.8 128.4a42.9 42.9 0 013.4 7c-1-4.1-2.3-8.1-4.3-12-3.2-6-7.8-5.8-10.7 0-2 4-3.3 8-4.3 12.1.9-2.4 2-4.8 3.4-7.1 3.4-5.8 8.8-6 12.5 0M134.6 92.9c2 3.5 3.6 7 4.8 10.7-1.3-5.4-3-10.6-5.6-15.7-4-7.5-9.7-7.2-13.3 0a75.4 75.4 0 00-5.6 16c1.2-3.8 2.7-7.4 4.7-11 4.1-7.2 10.6-7.5 15 0M43.8 136.8c.9 4.6 3.7 8.3 7.3 9.2 0 2.7 0 5.5.2 8.2.3 3.3.4 6.6 1 9.6.3 2.3 1 2.2 1.3 0 .5-3 .6-6.3 1-9.6l.2-8.2c3.5-1 6.4-4.6 7.2-9.2a17.8 17.8 0 01-9 2.4c-3.5 0-6.6-1-9.2-2.4M192.4 136.8c.8 4.6 3.7 8.3 7.2 9.2 0 2.7 0 5.5.3 8.2.3 3.3.4 6.6 1 9.6.3 2.3.9 2.2 1.2 0 .6-3 .7-6.3 1-9.6.2-2.7.3-5.5.2-8.2 3.6-1 6.4-4.6 7.3-9.2a17.8 17.8 0 01-9.1 2.4c-3.4 0-6.6-1-9.1-2.4M138.3 104.6c-3.1 1.9-7 3-11.3 3-4.3 0-8.2-1.1-11.3-3 1 5.8 4.5 10.3 9 11.5 0 3.4 0 6.8.3 10.2.4 4.1.5 8.2 1.2 12 .4 2.9 1.2 2.7 1.6 0 .7-3.8.8-7.9 1.2-12 .3-3.4.3-6.8.3-10.2 4.5-1.2 8-5.7 9-11.5"
+          />
+          <path
+            d="M51 146c0 2.7.1 5.5.3 8.2.3 3.3.4 6.6 1 9.6.3 2.3 1 2.2 1.3 0 .5-3 .6-6.3 1-9.6l.2-8.2c3.5-1 6.4-4.6 7.2-9.2a17.8 17.8 0 01-9 2.4c-3.5 0-6.6-1-9.2-2.4.9 4.6 3.7 8.3 7.3 9.2M143.9 105c-1.9-.4-3.5-1.2-4.9-2.3 1.4 5.6 2.5 11.3 4 17 1.2 5 2 10 2.4 15 .6 7.8-4.5 14.5-10.9 14.5h-15c-6.4 0-11.5-6.7-11-14.5.5-5 1.3-10 2.6-15 1.3-5.3 2.3-10.5 3.6-15.7-2.2 1.2-4.8 1.9-7.7 2-4.7.1-9.4-.3-14-1-4-.4-6.7-3-8-6.7-1.3-3.4-2-7-3.3-10.4-.5-1.5-1.6-2.8-2.4-4.2-.4-.6-.8-1.2-.9-1.8v-7.8a77 77 0 0124.5-3c6.1 0 12 1 17.8 3.2 4.7 1.7 9.7 1.8 14.4 0 9-3.4 18.2-3.8 27.5-3 4.9.5 9.8 1.6 14.8 2.4v8.2c0 .6-.3 1.5-.7 1.7-2 .9-2.2 2.7-2.7 4.5-.9 3.2-1.8 6.4-2.9 9.5a11 11 0 01-8.8 7.7 40.6 40.6 0 01-18.4-.2m29.4 80.6c-3.2-26.8-6.4-50-8.9-60.7a14.3 14.3 0 0014.1-14h.4a9 9 0 005.6-16.5 14.3 14.3 0 00-3.7-27.2 9 9 0 00-6.9-14.6c2.4-1.1 4.5-3 5.8-5 3.4-5.3 4-29-8-44.4-5-6.3-9.8-2.5-10 1.8-1 13.2-1.1 23-4.5 34.3a9 9 0 00-16-4.1 14.3 14.3 0 00-28.4 0 9 9 0 00-16 4.1c-3.4-11.2-3.5-21.1-4.4-34.3-.3-4.3-5.2-8-10-1.8-12 15.3-11.5 39-8.1 44.4 1.3 2 3.4 3.9 5.8 5a9 9 0 00-7 14.6 14.3 14.3 0 00-3.6 27.2A9 9 0 0075 111h.5a14.5 14.5 0 0014.3 14c-4 17.2-10 66.3-15 111.3l-1.3 13.4a1656.4 1656.4 0 01106.6 0l-1.4-12.7-5.4-51.3"
+          />
+          <g clip-path="url(#a)">
+            <path
+              d="M83.5 136.6l-2.3.7c-5 1-9.8 1-14.8-.2-1.4-.3-2.7-1-3.8-1.9l3.1 13.7c1 4 1.7 8 2 12 .5 6.3-3.6 11.6-8.7 11.6H46.9c-5.1 0-9.2-5.3-8.7-11.6.3-4 1-8 2-12 1-4.2 1.8-8.5 2.9-12.6-1.8 1-3.9 1.5-6.3 1.6a71 71 0 01-11.1-.7 7.7 7.7 0 01-6.5-5.5c-1-2.7-1.6-5.6-2.6-8.3-.4-1.2-1.3-2.3-2-3.4-.2-.4-.6-1-.6-1.4v-6.3c6.4-2 13-2.6 19.6-2.5 4.9.1 9.6 1 14.2 2.6 3.9 1.4 7.9 1.5 11.7 0 1.8-.7 3.6-1.2 5.5-1.6a13 13 0 01-1.6-15.5A18.3 18.3 0 0159 73.1a11.5 11.5 0 00-17.4 8.1 7.2 7.2 0 00-12.9 3.3c-2.7-9-2.8-17-3.6-27.5-.2-3.4-4-6.5-8-1.4C7.5 67.8 7.9 86.9 10.6 91c1.1 1.7 2.8 3.1 4.7 4a7.2 7.2 0 00-5.6 11.7 11.5 11.5 0 00-2.9 21.9 7.2 7.2 0 004.5 13.2h.3c0 .6 0 1.1.2 1.7.9 5.4 5.6 9.5 11.3 9.5A1177.2 1177.2 0 0010 253.2c18.1-1.5 38.1-2.6 59.5-3.4.4-4.6.8-9.3 1.4-14 1.2-11.6 3.3-30.5 5.7-49.7 2.2-18 4.7-36.3 7-49.5"
+            />
+          </g>
+          <g clip-path="url(#b)">
+            <path
+              d="M254.4 118.2c0-5.8-4.2-10.5-9.7-11.4a7.2 7.2 0 00-5.6-11.7c2-.9 3.6-2.3 4.7-4 2.7-4.2 3.1-23.3-6.5-35.5-4-5.1-7.8-2-8 1.4-.8 10.5-.9 18.5-3.6 27.5a7.2 7.2 0 00-12.8-3.3 11.5 11.5 0 00-17.8-7.9 18.4 18.4 0 01-4.5 22 13 13 0 01-1.3 15.2c2.4.5 4.8 1 7.1 2 3.8 1.3 7.8 1.4 11.6 0 7.2-2.8 14.6-3 22-2.4 4 .4 7.9 1.2 12 1.9l-.1 6.6c0 .5-.2 1.2-.5 1.3-1.7.7-1.8 2.2-2.2 3.7l-2.3 7.6a8.8 8.8 0 01-7 6.1c-5 1-10 1-14.9-.2-1.5-.3-2.8-1-3.9-1.9 1.2 4.5 2 9.1 3.2 13.7 1 4 1.6 8 2 12 .4 6.3-3.6 11.6-8.8 11.6h-12c-5.2 0-9.3-5.3-8.8-11.6.4-4 1-8 2-12 1-4.2 1.9-8.5 3-12.6-1.8 1-4 1.5-6.3 1.6-3.7 0-7.5-.3-11.2-.7a7.7 7.7 0 01-3.7-1.5c3.1 18.4 7.1 51.2 12.5 100.9l.6 5.3.8 7.9c21.4.7 41.5 1.9 59.7 3.4L243 243l-4.4-41.2a606 606 0 00-7-48.7 11.5 11.5 0 0011.2-11.2h.4a7.2 7.2 0 004.4-13.2c4-1.8 6.8-5.8 6.8-10.5"
+            />
+          </g>
+          <path
+            d="M180 249.6h.4a6946 6946 0 00-7.1-63.9l5.4 51.3 1.4 12.6M164.4 125c2.5 10.7 5.7 33.9 8.9 60.7a570.9 570.9 0 00-8.9-60.7M74.8 236.3l-1.4 13.4 1.4-13.4"
+          />
+        </svg>
+        <span>
+          CrowdSec
+        </span>
+      </a>
+    </div>
+    </div>
+  </div>
+  <script>
+    const moonSvgString = '<svg fill="black" class="h-6 w-6" viewBox="0 0 35 35" data-name="Layer 2" id="Layer_2" xmlns="http://www.w3.org/2000/svg"><path d="M18.44,34.68a18.22,18.22,0,0,1-2.94-.24,18.18,18.18,0,0,1-15-20.86A18.06,18.06,0,0,1,9.59.63,2.42,2.42,0,0,1,12.2.79a2.39,2.39,0,0,1,1,2.41L11.9,3.1l1.23.22A15.66,15.66,0,0,0,23.34,21h0a15.82,15.82,0,0,0,8.47.53A2.44,2.44,0,0,1,34.47,25,18.18,18.18,0,0,1,18.44,34.68ZM10.67,2.89a15.67,15.67,0,0,0-5,22.77A15.66,15.66,0,0,0,32.18,24a18.49,18.49,0,0,1-9.65-.64A18.18,18.18,0,0,1,10.67,2.89Z"/></svg>'
+    const sunSvgString = '<svg class="h-6 w-6" viewBox="0 0 24 24" fill="white" xmlns="http://www.w3.org/2000/svg"><path d="M3 12H5M5.00006 19L7.00006 17M12 19V21M17 17L19 19M5 5L7 7M19 12H21M16.9999 7L18.9999 5M12 3V5M15 12C15 13.6569 13.6569 15 12 15C10.3431 15 9 13.6569 9 12C9 10.3431 10.3431 9 12 9C13.6569 9 15 10.3431 15 12Z" stroke="white" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round"/></svg>'
+    const svg = Array.from(document.querySelectorAll('svg'));
+    const button = document.querySelector('.dark-mode-toggle');
+    window.onload = () => {
+      if (window.matchMedia && window.matchMedia('(prefers-color-scheme: dark)').matches) {
+        document.body.classList.add('dark');
+        svg.forEach(element => {
+          element.setAttribute('fill', 'white');
+        });
+        button.innerHTML = sunSvgString;
+      } else {
+        button.innerHTML = moonSvgString;
+      }
+      button.addEventListener('click', function() {
+        document.body.classList.toggle('dark');
+        svg.forEach(element => {
+          element.getAttribute('fill') === 'black' ? element.setAttribute('fill', 'white') : element.setAttribute('fill', 'black');
+        });
+        if (document.body.classList.contains('dark')) {
+            button.innerHTML = sunSvgString;
+          } else {
+            button.innerHTML = moonSvgString;
+          }
+      });
+    };
+    function captchaCallback () {
+      // More robust captcha callback with multiple validation checks
+      function attemptSubmit(retryCount = 0) {
+        const maxRetries = 10;
+        const form = document.querySelector('#captcha-form');
+        
+        if (!form) {
+          console.error('Captcha form not found');
+          return;
+        }
+        
+        // Check for captcha response field (works for all providers)
+        const responseFields = form.querySelectorAll('input[name$="-response"], textarea[name$="-response"]');
+        let responseFound = false;
+        let responseValue = '';
+        
+        // Check if any response field has a value
+        for (const field of responseFields) {
+          if (field.value && field.value.trim() !== '') {
+            responseFound = true;
+            responseValue = field.value;
+            break;
+          }
+        }
+        
+        if (responseFound) {
+          console.log('Captcha response found, submitting form');
+          form.submit();
+        } else if (retryCount < maxRetries) {
+          // Retry with exponential backoff
+          const delay = Math.min(100 * Math.pow(1.5, retryCount), 2000);
+          console.log(`Captcha response not ready, retrying in ${delay}ms (attempt ${retryCount + 1}/${maxRetries})`);
+          setTimeout(() => attemptSubmit(retryCount + 1), delay);
+        } else {
+          console.error('Captcha response not found after maximum retries, submitting anyway');
+          form.submit(); // Submit anyway as fallback
+        }
+      }
+      
+      // Initial delay to allow captcha providers to initialize
+      setTimeout(() => attemptSubmit(), 200);
+    }
+  </script>
+</body>
+</html>
+

From 642daae41357db4f8e2e7dd83b45322204963e34 Mon Sep 17 00:00:00 2001
From: Laurence <laurence.jones@live.co.uk>
Date: Tue, 18 Nov 2025 10:31:34 +0000
Subject: [PATCH 2/6] security: remove sensitive header data from logs

Remove full header map from log entry to prevent exposure of sensitive
data such as cookies, authorization tokens, etc. Log only the essential
message that remediation header was not found.
---
 pkg/httptemplate/server.go | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

diff --git a/pkg/httptemplate/server.go b/pkg/httptemplate/server.go
index 7882351..437e169 100644
--- a/pkg/httptemplate/server.go
+++ b/pkg/httptemplate/server.go
@@ -116,11 +116,8 @@ func (s *Server) handleRender(w http.ResponseWriter, r *http.Request) {
 	// HAProxy configuration should use del-header before set-header to ensure user values are ignored
 	remediation := r.Header.Get("X-Crowdsec-Remediation")
 	if remediation == "" {
-		s.logger.WithFields(log.Fields{
-			"remote_addr": r.RemoteAddr,
-			"headers":     r.Header,
-		}).Warn("X-CrowdSec-Remediation header not found, returning 400")
-		http.Error(w, "Bad Request: Missing X-CrowdSec-Remediation header", http.StatusBadRequest)
+		s.logger.Warn("X-Crowdsec-Remediation header not found, returning 400")
+		http.Error(w, "Bad Request: Missing X-Crowdsec-Remediation header", http.StatusBadRequest)
 		return
 	}
 

From 4c0742ccce37913b787da57e6dbb705c5863fe4a Mon Sep 17 00:00:00 2001
From: Laurence <laurence.jones@live.co.uk>
Date: Tue, 18 Nov 2025 13:57:26 +0000
Subject: [PATCH 3/6] feat: return 403 for HEAD requests and .ico files

Return 403 Forbidden for HEAD requests and favicon (.ico) file requests
instead of rendering templates. This prevents unnecessary template rendering
for these request types and provides a cleaner response.
---
 pkg/httptemplate/server.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/pkg/httptemplate/server.go b/pkg/httptemplate/server.go
index 437e169..5edc300 100644
--- a/pkg/httptemplate/server.go
+++ b/pkg/httptemplate/server.go
@@ -183,8 +183,8 @@ func (s *Server) handleRender(w http.ResponseWriter, r *http.Request) {
 	// Set headers
 	w.Header().Set("Cache-Control", "no-cache, no-store")
 
-	// For HEAD requests, always return 403 for ban and captcha remediations
-	if r.Method == http.MethodHead {
+	// For HEAD requests or .ico file requests, always return 403 for ban and captcha remediations
+	if r.Method == http.MethodHead || strings.HasSuffix(strings.ToLower(r.URL.Path), ".ico") {
 		w.WriteHeader(http.StatusForbidden)
 		return
 	}

From 1edcca16c7d4f5b30e844fa9369c55b164b5b076 Mon Sep 17 00:00:00 2001
From: Laurence <laurence.jones@live.co.uk>
Date: Tue, 25 Nov 2025 11:03:05 +0000
Subject: [PATCH 4/6] fix: address Copilot PR review comments

- Fix duplicate class attributes in ban.tmpl and captcha.tmpl
- Update meta charset to HTML5 syntax in both templates
- Fix indentation inconsistencies in templates and haproxy config
- Move HTTP template server startup after hosts are loaded
- Remove redundant error check in httptemplate server
- Fix comment typo: X-CrowdSec -> X-Crowdsec
- Add template name parameter to NewRenderer for better error messages
- Remove unnecessary template volume mount from docker-compose
---
 cmd/root.go                     | 17 ++++++++++-------
 config/haproxy-httptemplate.cfg | 10 +++++-----
 pkg/httptemplate/server.go      | 10 +++-------
 pkg/template/renderer.go        |  9 ++++++---
 templates/ban.tmpl              | 24 ++++++++++++------------
 templates/captcha.tmpl          | 14 +++++++-------
 6 files changed, 43 insertions(+), 41 deletions(-)

diff --git a/cmd/root.go b/cmd/root.go
index 746649e..5034db8 100644
--- a/cmd/root.go
+++ b/cmd/root.go
@@ -179,7 +179,7 @@ func Execute() error {
 		}
 	}
 
-	// Create and start HTTP template server if enabled (after HostManager is created)
+	// Create HTTP template server if enabled (after HostManager is created, but before starting)
 	var httpTemplateServer *httptemplate.Server
 	if config.HTTPTemplateServer.Enabled {
 		httpTemplateLogger := log.WithField("component", "http_template_server")
@@ -188,7 +188,16 @@ func Execute() error {
 		if err != nil {
 			return fmt.Errorf("failed to create HTTP template server: %w", err)
 		}
+	}
+
+	if config.HostsDir != "" {
+		if err := HostManager.LoadFromDirectory(config.HostsDir); err != nil {
+			return fmt.Errorf("failed to load hosts from directory: %w", err)
+		}
+	}
 
+	// Start HTTP template server after hosts are loaded to ensure host configurations are available
+	if httpTemplateServer != nil {
 		g.Go(func() error {
 			if err := httpTemplateServer.Serve(ctx); err != nil {
 				return fmt.Errorf("HTTP template server failed: %w", err)
@@ -197,12 +206,6 @@ func Execute() error {
 		})
 	}
 
-	if config.HostsDir != "" {
-		if err := HostManager.LoadFromDirectory(config.HostsDir); err != nil {
-			return fmt.Errorf("failed to load hosts from directory: %w", err)
-		}
-	}
-
 	// Create single SPOA listener - ultra-simplified architecture
 	spoaLogger := log.WithField("component", "spoa")
 
diff --git a/config/haproxy-httptemplate.cfg b/config/haproxy-httptemplate.cfg
index fba1435..48019f1 100644
--- a/config/haproxy-httptemplate.cfg
+++ b/config/haproxy-httptemplate.cfg
@@ -9,11 +9,11 @@ defaults
     log global
     option httplog
     timeout client 1m
-	timeout server 1m
-	timeout connect 10s
-	timeout http-keep-alive 2m
-	timeout queue 15s
-	timeout tunnel 4h  # for websocket
+    timeout server 1m
+    timeout connect 10s
+    timeout http-keep-alive 2m
+    timeout queue 15s
+    timeout tunnel 4h  # for websocket
 
 frontend test
     mode http
diff --git a/pkg/httptemplate/server.go b/pkg/httptemplate/server.go
index 5edc300..e30dc3a 100644
--- a/pkg/httptemplate/server.go
+++ b/pkg/httptemplate/server.go
@@ -98,7 +98,7 @@ func (s *Server) loadTemplate(name, path string) (*template.Renderer, error) {
 		return nil, fmt.Errorf("failed to read template file %s: %w", templatePath, err)
 	}
 
-	renderer, err := template.NewRenderer(string(content))
+	renderer, err := template.NewRenderer(name, string(content))
 	if err != nil {
 		return nil, fmt.Errorf("failed to create renderer: %w", err)
 	}
@@ -108,7 +108,7 @@ func (s *Server) loadTemplate(name, path string) (*template.Renderer, error) {
 }
 
 // handleRender is the main endpoint that handles both ban and captcha rendering
-// It reads the remediation type from X-CrowdSec-Remediation header (set by HAProxy)
+// It reads the remediation type from X-Crowdsec-Remediation header (set by HAProxy)
 // It looks up host configuration using the Host header to get ban/captcha settings
 // Security: HAProxy must delete any user-provided headers and set them from transaction variables
 func (s *Server) handleRender(w http.ResponseWriter, r *http.Request) {
@@ -162,11 +162,7 @@ func (s *Server) handleRender(w http.ResponseWriter, r *http.Request) {
 		renderer = s.banRenderer
 		statusCode = http.StatusForbidden
 	case "captcha":
-		if matchedHost == nil {
-			s.logger.Error("captcha remediation but no host configuration found")
-			http.Error(w, "Internal Server Error: No host configuration for captcha", http.StatusInternalServerError)
-			return
-		}
+		// matchedHost nil check already done above at line 137-140
 		renderer = s.captchaRenderer
 		statusCode = http.StatusOK
 	case "allow":
diff --git a/pkg/template/renderer.go b/pkg/template/renderer.go
index 28c179f..4692393 100644
--- a/pkg/template/renderer.go
+++ b/pkg/template/renderer.go
@@ -23,10 +23,13 @@ type Renderer struct {
 }
 
 // NewRenderer creates a new template renderer with the given template content
-func NewRenderer(templateContent string) (*Renderer, error) {
-	tmpl, err := template.New("template").Parse(templateContent)
+func NewRenderer(name, templateContent string) (*Renderer, error) {
+	if name == "" {
+		name = "template"
+	}
+	tmpl, err := template.New(name).Parse(templateContent)
 	if err != nil {
-		return nil, fmt.Errorf("failed to parse template: %w", err)
+		return nil, fmt.Errorf("failed to parse template %q: %w", name, err)
 	}
 
 	return &Renderer{
diff --git a/templates/ban.tmpl b/templates/ban.tmpl
index f357f15..1c7865c 100644
--- a/templates/ban.tmpl
+++ b/templates/ban.tmpl
@@ -2,7 +2,7 @@
 <html lang="en">
   <head>
     <title>CrowdSec Ban</title>
-    <meta content="text/html; charset=utf-8" />
+    <meta charset="utf-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
     <style>/*! tailwindcss v3.2.7 | MIT License | https://tailwindcss.com*/*,:after,:before{border:0 solid #e5e7eb;box-sizing:border-box}:after,:before{--tw-content:""}html{-webkit-text-size-adjust:100%;font-feature-settings:normal;font-family:ui-sans-serif,system-ui,-apple-system,BlinkMacSystemFont,Segoe UI,Roboto,Helvetica Neue,Arial,Noto Sans,sans-serif,Apple Color Emoji,Segoe UI Emoji,Segoe UI Symbol,Noto Color Emoji;line-height:1.5;-moz-tab-size:4;-o-tab-size:4;tab-size:4}body{line-height:inherit;margin:0}hr{border-top-width:1px;color:inherit;height:0}abbr:where([title]){-webkit-text-decoration:underline dotted;text-decoration:underline dotted}h1,h2,h3,h4,h5,h6{font-size:inherit;font-weight:inherit}a{color:inherit;text-decoration:inherit}b,strong{font-weight:bolder}code,kbd,pre,samp{font-family:ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,Liberation Mono,Courier New,monospace;font-size:1em}small{font-size:80%}sub,sup{font-size:75%;line-height:0;position:relative;vertical-align:initial}sub{bottom:-.25em}sup{top:-.5em}table{border-collapse:collapse;border-color:inherit;text-indent:0}button,input,optgroup,select,textarea{color:inherit;font-family:inherit;font-size:100%;font-weight:inherit;line-height:inherit;margin:0;padding:0}button,select{text-transform:none}[type=button],[type=reset],[type=submit],button{-webkit-appearance:button;background-color:initial;background-image:none}:-moz-focusring{outline:auto}:-moz-ui-invalid{box-shadow:none}progress{vertical-align:initial}::-webkit-inner-spin-button,::-webkit-outer-spin-button{height:auto}[type=search]{-webkit-appearance:textfield;outline-offset:-2px}::-webkit-search-decoration{-webkit-appearance:none}::-webkit-file-upload-button{-webkit-appearance:button;font:inherit}summary{display:list-item}blockquote,dd,dl,figure,h1,h2,h3,h4,h5,h6,hr,p,pre{margin:0}fieldset{margin:0}fieldset,legend{padding:0}menu,ol,ul{list-style:none;margin:0;padding:0}textarea{resize:vertical}input::-moz-placeholder,textarea::-moz-placeholder{color:#9ca3af;opacity:1}input::placeholder,textarea::placeholder{color:#9ca3af;opacity:1}[role=button],button{cursor:pointer}:disabled{cursor:default}audio,canvas,embed,iframe,img,object,svg,video{display:block;vertical-align:middle}img,video{height:auto;max-width:100%}[hidden]{display:none}*,::backdrop,:after,:before{--tw-border-spacing-x:0;--tw-translate-x:0;--tw-rotate:0;--tw-skew-x:0;--tw-skew-y:0;--tw-scale-x:1;--tw-scale-y:1;--tw-pan-x: ;--tw-pan-y: ;--tw-pinch-zoom: ;--tw-scroll-snap-strictness:proximity;--tw-ordinal: ;--tw-slashed-zero: ;--tw-numeric-figure: ;--tw-numeric-spacing: ;--tw-numeric-fraction: ;--tw-ring-inset: ;--tw-ring-offset-width:0px;--tw-ring-offset-color:#fff;--tw-ring-color:#3b82f680;--tw-ring-offset-shadow:0 0 #0000;--tw-ring-shadow:0 0 #0000;--tw-shadow:0 0 #0000;--tw-shadow-colored:0 0 #0000;--tw-blur: ;--tw-brightness: ;--tw-contrast: ;--tw-grayscale: ;--tw-hue-rotate: ;--tw-invert: ;--tw-saturate: ;--tw-sepia: ;--tw-drop-shadow: ;--tw-backdrop-blur: ;--tw-backdrop-brightness: ;--tw-backdrop-contrast: ;--tw-backdrop-grayscale: ;--tw-backdrop-hue-rotate: ;--tw-backdrop-invert: ;--tw-backdrop-opacity: ;--tw-backdrop-saturate: ;--tw-backdrop-sepia: }.fixed{position:fixed}.right-0{right:0}.top-0{top:0}.flex{display:flex}.h-24{height:6rem}.h-3\/5{height:60%}.h-6{height:1.5rem}.h-full{height:100%}.h-screen{height:100vh}.w-24{width:6rem}.w-6{width:1.5rem}.w-full{width:100%}.w-screen{width:100vw}.flex-col{flex-direction:column}.items-center{align-items:center}.justify-center{justify-content:center}.justify-between{justify-content:space-between}.space-y-1>:not([hidden])~:not([hidden]){--tw-space-y-reverse:0;margin-bottom:calc(.25rem*var(--tw-space-y-reverse));margin-top:calc(.25rem*(1 - var(--tw-space-y-reverse)))}.space-y-4>:not([hidden])~:not([hidden]){--tw-space-y-reverse:0;margin-bottom:calc(1rem*var(--tw-space-y-reverse));margin-top:calc(1rem*(1 - var(--tw-space-y-reverse)))}.rounded{border-radius:.25rem}.rounded-xl{border-radius:.75rem}.border-2{border-width:2px}.border-black{--tw-border-opacity:1;border-color:rgb(0 0 0/var(--tw-border-opacity))}.bg-blue-500{--tw-bg-opacity:1;background-color:rgb(59 130 246/var(--tw-bg-opacity))}.p-4{padding:1rem}.px-4{padding-left:1rem;padding-right:1rem}.py-2{padding-bottom:.5rem;padding-top:.5rem}.text-2xl{font-size:1.5rem;line-height:2rem}.text-sm{font-size:.875rem;line-height:1.25rem}.text-xl{font-size:1.25rem;line-height:1.75rem}.font-bold{font-weight:700}.text-white{--tw-text-opacity:1;color:rgb(255 255 255/var(--tw-text-opacity))}.hover\:bg-blue-700:hover{--tw-bg-opacity:1;background-color:rgb(29 78 216/var(--tw-bg-opacity))}.dark .dark\:border-white{--tw-border-opacity:1;border-color:rgb(255 255 255/var(--tw-border-opacity))}.dark .dark\:bg-slate-900{--tw-bg-opacity:1;background-color:rgb(15 23 42/var(--tw-bg-opacity))}.dark .dark\:text-white{--tw-text-opacity:1;color:rgb(255 255 255/var(--tw-text-opacity))}@media (min-width:640px){.sm\:w-2\/3{width:66.666667%}}@media (min-width:768px){.md\:h-2\/5{height:40%}.md\:flex-row{flex-direction:row}.md\:text-2xl{font-size:1.5rem;line-height:2rem}.md\:text-lg{font-size:1.125rem;line-height:1.75rem}}@media (min-width:1024px){.lg\:w-1\/2{width:50%}.lg\:text-3xl{font-size:1.875rem;line-height:2.25rem}.lg\:text-xl{font-size:1.25rem;line-height:1.75rem}}@media (min-width:1280px){.xl\:text-4xl{font-size:2.25rem;line-height:2.5rem}}</style>
 </head>
@@ -12,7 +12,7 @@
         <div class="flex flex-col justify-between items-center border-2 border-black dark:border-white rounded-xl p-4 h-3/5 md:h-2/5 w-full sm:w-2/3 lg:w-1/2">
           <div class="fixed p-4 top-0 right-0 dark-mode-toggle"></div>
           <div class="flex flex-col items-center space-y-4">
-            <svg fill="black" class="h-24 w-24" aria-hidden="true" focusable="false" data-prefix="fas" data-icon="exclamation-triangle" role="img" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 576 512" class="warning">
+            <svg fill="black" class="h-24 w-24 warning" aria-hidden="true" focusable="false" data-prefix="fas" data-icon="exclamation-triangle" role="img" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 576 512">
               <path d="M569.517 440.013C587.975 472.007 564.806 512 527.94 512H48.054c-36.937 0-59.999-40.055-41.577-71.987L246.423 23.985c18.467-32.009 64.72-31.951 83.154 0l239.94 416.028zM288 354c-25.405 0-46 20.595-46 46s20.595 46 46 46 46-20.595 46-46-20.595-46-46-46zm-43.673-165.346l7.418 136c.347 6.364 5.609 11.346 11.982 11.346h48.546c6.373 0 11.635-4.982 11.982-11.346l7.418-136c.375-6.874-5.098-12.654-11.982-12.654h-63.383c-6.884 0-12.356 5.78-11.981 12.654z"></path>
             </svg>
             <h1 class="text-xl md:text-2xl lg:text-3xl xl:text-4xl"> CrowdSec Access Forbidden</h1>
@@ -66,9 +66,9 @@
               CrowdSec
             </span>
           </a>
-        </div>
-        </div>
       </div>
+      </div>
+    </div>
       <script>
         const moonSvgString = '<svg fill="black" class="h-6 w-6" viewBox="0 0 35 35" data-name="Layer 2" id="Layer_2" xmlns="http://www.w3.org/2000/svg"><path d="M18.44,34.68a18.22,18.22,0,0,1-2.94-.24,18.18,18.18,0,0,1-15-20.86A18.06,18.06,0,0,1,9.59.63,2.42,2.42,0,0,1,12.2.79a2.39,2.39,0,0,1,1,2.41L11.9,3.1l1.23.22A15.66,15.66,0,0,0,23.34,21h0a15.82,15.82,0,0,0,8.47.53A2.44,2.44,0,0,1,34.47,25,18.18,18.18,0,0,1,18.44,34.68ZM10.67,2.89a15.67,15.67,0,0,0-5,22.77A15.66,15.66,0,0,0,32.18,24a18.49,18.49,0,0,1-9.65-.64A18.18,18.18,0,0,1,10.67,2.89Z"/></svg>'
         const sunSvgString = '<svg class="h-6 w-6" viewBox="0 0 24 24" fill="white" xmlns="http://www.w3.org/2000/svg"><path d="M3 12H5M5.00006 19L7.00006 17M12 19V21M17 17L19 19M5 5L7 7M19 12H21M16.9999 7L18.9999 5M12 3V5M15 12C15 13.6569 13.6569 15 12 15C10.3431 15 9 13.6569 9 12C9 10.3431 10.3431 9 12 9C13.6569 9 15 10.3431 15 12Z" stroke="white" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round"/></svg>'
@@ -85,16 +85,16 @@
             button.innerHTML = moonSvgString;
           }
           button.addEventListener('click', function() {
-          document.body.classList.toggle('dark');
-          svg.forEach(element => {
-            element.getAttribute('fill') === 'black' ? element.setAttribute('fill', 'white') : element.setAttribute('fill', 'black');
-          });
-          if (document.body.classList.contains('dark')) {
+            document.body.classList.toggle('dark');
+            svg.forEach(element => {
+              element.getAttribute('fill') === 'black' ? element.setAttribute('fill', 'white') : element.setAttribute('fill', 'black');
+            });
+            if (document.body.classList.contains('dark')) {
               button.innerHTML = sunSvgString;
-          } else {
+            } else {
               button.innerHTML = moonSvgString;
-          }
-      });
+            }
+          });
         };
       </script>
   </body>
diff --git a/templates/captcha.tmpl b/templates/captcha.tmpl
index 1494a01..685c72e 100644
--- a/templates/captcha.tmpl
+++ b/templates/captcha.tmpl
@@ -2,7 +2,7 @@
 <html lang="en">
   <head>
     <title>CrowdSec Captcha</title>
-    <meta content="text/html; charset=utf-8" />
+    <meta charset="utf-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
     <style>/*! tailwindcss v3.2.7 | MIT License | https://tailwindcss.com*/*,:after,:before{border:0 solid #e5e7eb;box-sizing:border-box}:after,:before{--tw-content:""}html{-webkit-text-size-adjust:100%;font-feature-settings:normal;font-family:ui-sans-serif,system-ui,-apple-system,BlinkMacSystemFont,Segoe UI,Roboto,Helvetica Neue,Arial,Noto Sans,sans-serif,Apple Color Emoji,Segoe UI Emoji,Segoe UI Symbol,Noto Color Emoji;line-height:1.5;-moz-tab-size:4;-o-tab-size:4;tab-size:4}body{line-height:inherit;margin:0}hr{border-top-width:1px;color:inherit;height:0}abbr:where([title]){-webkit-text-decoration:underline dotted;text-decoration:underline dotted}h1,h2,h3,h4,h5,h6{font-size:inherit;font-weight:inherit}a{color:inherit;text-decoration:inherit}b,strong{font-weight:bolder}code,kbd,pre,samp{font-family:ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,Liberation Mono,Courier New,monospace;font-size:1em}small{font-size:80%}sub,sup{font-size:75%;line-height:0;position:relative;vertical-align:initial}sub{bottom:-.25em}sup{top:-.5em}table{border-collapse:collapse;border-color:inherit;text-indent:0}button,input,optgroup,select,textarea{color:inherit;font-family:inherit;font-size:100%;font-weight:inherit;line-height:inherit;margin:0;padding:0}button,select{text-transform:none}[type=button],[type=reset],[type=submit],button{-webkit-appearance:button;background-color:initial;background-image:none}:-moz-focusring{outline:auto}:-moz-ui-invalid{box-shadow:none}progress{vertical-align:initial}::-webkit-inner-spin-button,::-webkit-outer-spin-button{height:auto}[type=search]{-webkit-appearance:textfield;outline-offset:-2px}::-webkit-search-decoration{-webkit-appearance:none}::-webkit-file-upload-button{-webkit-appearance:button;font:inherit}summary{display:list-item}blockquote,dd,dl,figure,h1,h2,h3,h4,h5,h6,hr,p,pre{margin:0}fieldset{margin:0}fieldset,legend{padding:0}menu,ol,ul{list-style:none;margin:0;padding:0}textarea{resize:vertical}input::-moz-placeholder,textarea::-moz-placeholder{color:#9ca3af;opacity:1}input::placeholder,textarea::placeholder{color:#9ca3af;opacity:1}[role=button],button{cursor:pointer}:disabled{cursor:default}audio,canvas,embed,iframe,img,object,svg,video{display:block;vertical-align:middle}img,video{height:auto;max-width:100%}[hidden]{display:none}*,::backdrop,:after,:before{--tw-border-spacing-x:0;--tw-translate-x:0;--tw-rotate:0;--tw-skew-x:0;--tw-skew-y:0;--tw-scale-x:1;--tw-scale-y:1;--tw-pan-x: ;--tw-pan-y: ;--tw-pinch-zoom: ;--tw-scroll-snap-strictness:proximity;--tw-ordinal: ;--tw-slashed-zero: ;--tw-numeric-figure: ;--tw-numeric-spacing: ;--tw-numeric-fraction: ;--tw-ring-inset: ;--tw-ring-offset-width:0px;--tw-ring-offset-color:#fff;--tw-ring-color:#3b82f680;--tw-ring-offset-shadow:0 0 #0000;--tw-ring-shadow:0 0 #0000;--tw-shadow:0 0 #0000;--tw-shadow-colored:0 0 #0000;--tw-blur: ;--tw-brightness: ;--tw-contrast: ;--tw-grayscale: ;--tw-hue-rotate: ;--tw-invert: ;--tw-saturate: ;--tw-sepia: ;--tw-drop-shadow: ;--tw-backdrop-blur: ;--tw-backdrop-brightness: ;--tw-backdrop-contrast: ;--tw-backdrop-grayscale: ;--tw-backdrop-hue-rotate: ;--tw-backdrop-invert: ;--tw-backdrop-opacity: ;--tw-backdrop-saturate: ;--tw-backdrop-sepia: }.fixed{position:fixed}.right-0{right:0}.top-0{top:0}.flex{display:flex}.h-24{height:6rem}.h-3\/5{height:60%}.h-6{height:1.5rem}.h-full{height:100%}.h-screen{height:100vh}.w-24{width:6rem}.w-6{width:1.5rem}.w-full{width:100%}.w-screen{width:100vw}.flex-col{flex-direction:column}.items-center{align-items:center}.justify-center{justify-content:center}.justify-between{justify-content:space-between}.space-y-1>:not([hidden])~:not([hidden]){--tw-space-y-reverse:0;margin-bottom:calc(.25rem*var(--tw-space-y-reverse));margin-top:calc(.25rem*(1 - var(--tw-space-y-reverse)))}.space-y-4>:not([hidden])~:not([hidden]){--tw-space-y-reverse:0;margin-bottom:calc(1rem*var(--tw-space-y-reverse));margin-top:calc(1rem*(1 - var(--tw-space-y-reverse)))}.rounded{border-radius:.25rem}.rounded-xl{border-radius:.75rem}.border-2{border-width:2px}.border-black{--tw-border-opacity:1;border-color:rgb(0 0 0/var(--tw-border-opacity))}.bg-blue-500{--tw-bg-opacity:1;background-color:rgb(59 130 246/var(--tw-bg-opacity))}.p-4{padding:1rem}.px-4{padding-left:1rem;padding-right:1rem}.py-2{padding-bottom:.5rem;padding-top:.5rem}.text-2xl{font-size:1.5rem;line-height:2rem}.text-sm{font-size:.875rem;line-height:1.25rem}.text-xl{font-size:1.25rem;line-height:1.75rem}.font-bold{font-weight:700}.text-white{--tw-text-opacity:1;color:rgb(255 255 255/var(--tw-text-opacity))}.hover\:bg-blue-700:hover{--tw-bg-opacity:1;background-color:rgb(29 78 216/var(--tw-bg-opacity))}.dark .dark\:border-white{--tw-border-opacity:1;border-color:rgb(255 255 255/var(--tw-border-opacity))}.dark .dark\:bg-slate-900{--tw-bg-opacity:1;background-color:rgb(15 23 42/var(--tw-bg-opacity))}.dark .dark\:text-white{--tw-text-opacity:1;color:rgb(255 255 255/var(--tw-text-opacity))}@media (min-width:640px){.sm\:w-2\/3{width:66.666667%}}@media (min-width:768px){.md\:h-2\/5{height:40%}.md\:flex-row{flex-direction:row}.md\:text-2xl{font-size:1.5rem;line-height:2rem}.md\:text-lg{font-size:1.125rem;line-height:1.75rem}}@media (min-width:1024px){.lg\:w-1\/2{width:50%}.lg\:text-3xl{font-size:1.875rem;line-height:2.25rem}.lg\:text-xl{font-size:1.25rem;line-height:1.75rem}}@media (min-width:1280px){.xl\:text-4xl{font-size:2.25rem;line-height:2.5rem}}</style>
     <script src="{{.CaptchaFrontendJS}}" async defer></script>
@@ -12,7 +12,7 @@
     <div class="flex flex-col justify-between items-center border-2 border-black dark:border-white rounded-xl p-4 h-3/5 md:h-2/5 w-full sm:w-2/3 lg:w-1/2">
       <div class="fixed p-4 top-0 right-0 dark-mode-toggle"></div>
       <div class="flex flex-col items-center space-y-4">
-        <svg fill="black" class="h-24 w-24" aria-hidden="true" focusable="false" data-prefix="fas" data-icon="exclamation-triangle" role="img" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 576 512" class="warning">
+        <svg fill="black" class="h-24 w-24 warning" aria-hidden="true" focusable="false" data-prefix="fas" data-icon="exclamation-triangle" role="img" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 576 512">
           <path d="M569.517 440.013C587.975 472.007 564.806 512 527.94 512H48.054c-36.937 0-59.999-40.055-41.577-71.987L246.423 23.985c18.467-32.009 64.72-31.951 83.154 0l239.94 416.028zM288 354c-25.405 0-46 20.595-46 46s20.595 46 46 46 46-20.595 46-46-20.595-46-46-46zm-43.673-165.346l7.418 136c.347 6.364 5.609 11.346 11.982 11.346h48.546c6.373 0 11.635-4.982 11.982-11.346l7.418-136c.375-6.874-5.098-12.654-11.982-12.654h-63.383c-6.884 0-12.356 5.78-11.981 12.654z"></path>
         </svg>
         <h1 class="text-2xl lg:text-3xl xl:text-4xl">CrowdSec Captcha</h1>
@@ -63,7 +63,7 @@
           CrowdSec
         </span>
       </a>
-    </div>
+      </div>
     </div>
   </div>
   <script>
@@ -87,10 +87,10 @@
           element.getAttribute('fill') === 'black' ? element.setAttribute('fill', 'white') : element.setAttribute('fill', 'black');
         });
         if (document.body.classList.contains('dark')) {
-            button.innerHTML = sunSvgString;
-          } else {
-            button.innerHTML = moonSvgString;
-          }
+          button.innerHTML = sunSvgString;
+        } else {
+          button.innerHTML = moonSvgString;
+        }
       });
     };
     function captchaCallback () {

From 66727ab98b83bbfcaaafba79eaf2ca602093b5e6 Mon Sep 17 00:00:00 2001
From: Laurence <laurence.jones@live.co.uk>
Date: Tue, 25 Nov 2025 11:11:25 +0000
Subject: [PATCH 5/6] fix: use parallel shutdown for services with shared
 timeout

- Shutdown SPOA and HTTP template server in parallel
- Both services share a single 5-second timeout context
- Maximum total shutdown time is 5 seconds (not 10)
- Simplified logging to avoid duplicate messages
---
 cmd/root.go | 28 ++++++++++++++++++----------
 1 file changed, 18 insertions(+), 10 deletions(-)

diff --git a/cmd/root.go b/cmd/root.go
index 5034db8..7e72fe7 100644
--- a/cmd/root.go
+++ b/cmd/root.go
@@ -241,21 +241,29 @@ func Execute() error {
 		err = nil
 	}
 
-	// Shutdown SPOA server gracefully after all goroutines finish
-	log.Info("Shutting down SPOA listener")
+	// Shutdown services gracefully in parallel after all goroutines finish
+	// Both services share a single 5-second timeout window
+	log.Info("Shutting down services")
 	shutdownCtx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
 	defer cancel()
 
-	if shutdownErr := singleSpoa.Shutdown(shutdownCtx); shutdownErr != nil {
-		log.Errorf("Failed to shutdown SPOA: %v", shutdownErr)
-	}
+	shutdownGroup, shutdownCtx := errgroup.WithContext(shutdownCtx)
+
+	// Shutdown SPOA in parallel
+	shutdownGroup.Go(func() error {
+		return singleSpoa.Shutdown(shutdownCtx)
+	})
 
-	// Shutdown HTTP template server if it was started
+	// Shutdown HTTP template server in parallel if it was started
 	if httpTemplateServer != nil {
-		log.Info("Shutting down HTTP template server")
-		if shutdownErr := httpTemplateServer.Shutdown(shutdownCtx); shutdownErr != nil {
-			log.Errorf("Failed to shutdown HTTP template server: %v", shutdownErr)
-		}
+		shutdownGroup.Go(func() error {
+			return httpTemplateServer.Shutdown(shutdownCtx)
+		})
+	}
+
+	// Wait for both shutdowns to complete (or timeout)
+	if shutdownErr := shutdownGroup.Wait(); shutdownErr != nil {
+		log.Errorf("Failed to shutdown services gracefully: %v", shutdownErr)
 	}
 
 	return err

From ca65bcc1e7402e5227dc223a0cb92d70073091a3 Mon Sep 17 00:00:00 2001
From: Laurence <laurence.jones@live.co.uk>
Date: Tue, 25 Nov 2025 11:18:48 +0000
Subject: [PATCH 6/6] fix: address all Copilot security and code quality issues

Security fixes:
- Switch from text/template to html/template for XSS protection
- Add host header validation (length and invalid character checks)
- Add TLS certificate/key file existence validation
- Buffer template rendering before WriteHeader to handle errors properly

Code quality improvements:
- Remove unnecessary Array.from() in JavaScript (NodeList is iterable)
- Update meta charset to HTML5 syntax in all templates
- Fix duplicate class attributes in SVG elements
- Improve comment clarity and accuracy
- Update HAProxy config comment for clarity

Template consistency:
- Apply all fixes to both .tmpl and .html template files
- Ensure Lua-based and HTTP template server use consistent templates
---
 config/haproxy-httptemplate.cfg |  2 +-
 pkg/cfg/config.go               |  7 +++++++
 pkg/httptemplate/server.go      | 36 ++++++++++++++++++++++++++-------
 pkg/template/renderer.go        |  5 +++--
 templates/ban.html              |  6 +++---
 templates/ban.tmpl              |  2 +-
 templates/captcha.html          |  6 +++---
 templates/captcha.tmpl          |  2 +-
 8 files changed, 48 insertions(+), 18 deletions(-)

diff --git a/config/haproxy-httptemplate.cfg b/config/haproxy-httptemplate.cfg
index 48019f1..a2a5e35 100644
--- a/config/haproxy-httptemplate.cfg
+++ b/config/haproxy-httptemplate.cfg
@@ -44,7 +44,7 @@ frontend test
     ## Route to HTTP template server for ban and captcha remediations
     ## Instead of using Lua, we proxy to the HTTP template server
     ## The server uses a catch-all route, so no path rewriting is needed
-    ## Use OR operator (||) to combine ACLs for cleaner configuration
+    ## Use logical OR (||) to route to backend if ban OR captcha remediation
     use_backend http_template_server if is_ban || is_captcha
 
     ## Handle captcha cookie management via HAProxy
diff --git a/pkg/cfg/config.go b/pkg/cfg/config.go
index 8faacec..ef36184 100644
--- a/pkg/cfg/config.go
+++ b/pkg/cfg/config.go
@@ -3,6 +3,7 @@ package cfg
 import (
 	"fmt"
 	"io"
+	"os"
 
 	"gopkg.in/yaml.v2"
 
@@ -101,9 +102,15 @@ func (c *BouncerConfig) Validate() error {
 			if c.HTTPTemplateServer.TLS.CertFile == "" {
 				return fmt.Errorf("http_template_server.tls.cert_file is required when http_template_server.tls.enabled is true")
 			}
+			if _, err := os.Stat(c.HTTPTemplateServer.TLS.CertFile); err != nil {
+				return fmt.Errorf("http_template_server.tls.cert_file does not exist or is not accessible: %w", err)
+			}
 			if c.HTTPTemplateServer.TLS.KeyFile == "" {
 				return fmt.Errorf("http_template_server.tls.key_file is required when http_template_server.tls.enabled is true")
 			}
+			if _, err := os.Stat(c.HTTPTemplateServer.TLS.KeyFile); err != nil {
+				return fmt.Errorf("http_template_server.tls.key_file does not exist or is not accessible: %w", err)
+			}
 		}
 	}
 
diff --git a/pkg/httptemplate/server.go b/pkg/httptemplate/server.go
index e30dc3a..7de20e4 100644
--- a/pkg/httptemplate/server.go
+++ b/pkg/httptemplate/server.go
@@ -1,6 +1,7 @@
 package httptemplate
 
 import (
+	"bytes"
 	"context"
 	"fmt"
 	"net"
@@ -122,6 +123,8 @@ func (s *Server) handleRender(w http.ResponseWriter, r *http.Request) {
 	}
 
 	// Get hostname from Host header (HAProxy forwards the original Host header)
+	// Security: Validate hostname to prevent header manipulation attacks
+	// Note: This assumes HAProxy properly sanitizes headers, but we add defense in depth
 	hostname := r.Host
 	if hostname == "" {
 		s.logger.Warn("Host header not found, cannot match host configuration")
@@ -129,6 +132,19 @@ func (s *Server) handleRender(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	// Validate hostname: check for invalid characters and reasonable length
+	// This prevents potential header injection or manipulation attacks
+	if len(hostname) > 253 { // Max DNS hostname length
+		s.logger.WithField("hostname_length", len(hostname)).Warn("Host header too long, rejecting")
+		http.Error(w, "Bad Request: Invalid Host header", http.StatusBadRequest)
+		return
+	}
+	if strings.ContainsAny(hostname, "\r\n\t") {
+		s.logger.WithField("hostname", hostname).Warn("Host header contains invalid characters, rejecting")
+		http.Error(w, "Bad Request: Invalid Host header", http.StatusBadRequest)
+		return
+	}
+
 	// Look up host configuration
 	matchedHost := s.hostManager.MatchFirstHost(hostname)
 	if matchedHost == nil {
@@ -162,7 +178,7 @@ func (s *Server) handleRender(w http.ResponseWriter, r *http.Request) {
 		renderer = s.banRenderer
 		statusCode = http.StatusForbidden
 	case "captcha":
-		// matchedHost nil check already done above at line 137-140
+		// matchedHost nil check for captcha already done above at lines 137-140
 		renderer = s.captchaRenderer
 		statusCode = http.StatusOK
 	case "allow":
@@ -195,15 +211,21 @@ func (s *Server) handleRender(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	w.Header().Set("Content-Type", "text/html; charset=utf-8")
-	w.WriteHeader(statusCode)
-
-	// Render template directly to response writer
-	if err := renderer.Render(w, data); err != nil {
+	// Buffer template output before writing headers to ensure we can send proper error response
+	// if rendering fails
+	var buf bytes.Buffer
+	if err := renderer.Render(&buf, data); err != nil {
 		s.logger.WithError(err).Error("failed to render template")
-		// Headers already sent, can't send error response
+		http.Error(w, "Internal Server Error", http.StatusInternalServerError)
 		return
 	}
+
+	// Set headers and write buffered content
+	w.Header().Set("Content-Type", "text/html; charset=utf-8")
+	w.WriteHeader(statusCode)
+	if _, err := w.Write(buf.Bytes()); err != nil {
+		s.logger.WithError(err).Error("failed to write response")
+	}
 }
 
 // buildTemplateData builds template data from host configuration
diff --git a/pkg/template/renderer.go b/pkg/template/renderer.go
index 4692393..1f9a4e7 100644
--- a/pkg/template/renderer.go
+++ b/pkg/template/renderer.go
@@ -2,8 +2,8 @@ package template
 
 import (
 	"fmt"
+	"html/template"
 	"io"
-	"text/template"
 )
 
 // TemplateData holds the data for template rendering
@@ -17,7 +17,8 @@ type TemplateData struct {
 	CaptchaFrontendJS  string
 }
 
-// Renderer handles template rendering using Go's native text/template package
+// Renderer handles template rendering using Go's native html/template package
+// html/template provides automatic HTML escaping to prevent XSS attacks
 type Renderer struct {
 	tmpl *template.Template
 }
diff --git a/templates/ban.html b/templates/ban.html
index 12494f4..2c1782d 100644
--- a/templates/ban.html
+++ b/templates/ban.html
@@ -2,7 +2,7 @@
 <html lang="en">
   <head>
     <title>CrowdSec Ban</title>
-    <meta content="text/html; charset=utf-8" />
+    <meta charset="utf-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
     <style>/*! tailwindcss v3.2.7 | MIT License | https://tailwindcss.com*/*,:after,:before{border:0 solid #e5e7eb;box-sizing:border-box}:after,:before{--tw-content:""}html{-webkit-text-size-adjust:100%;font-feature-settings:normal;font-family:ui-sans-serif,system-ui,-apple-system,BlinkMacSystemFont,Segoe UI,Roboto,Helvetica Neue,Arial,Noto Sans,sans-serif,Apple Color Emoji,Segoe UI Emoji,Segoe UI Symbol,Noto Color Emoji;line-height:1.5;-moz-tab-size:4;-o-tab-size:4;tab-size:4}body{line-height:inherit;margin:0}hr{border-top-width:1px;color:inherit;height:0}abbr:where([title]){-webkit-text-decoration:underline dotted;text-decoration:underline dotted}h1,h2,h3,h4,h5,h6{font-size:inherit;font-weight:inherit}a{color:inherit;text-decoration:inherit}b,strong{font-weight:bolder}code,kbd,pre,samp{font-family:ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,Liberation Mono,Courier New,monospace;font-size:1em}small{font-size:80%}sub,sup{font-size:75%;line-height:0;position:relative;vertical-align:initial}sub{bottom:-.25em}sup{top:-.5em}table{border-collapse:collapse;border-color:inherit;text-indent:0}button,input,optgroup,select,textarea{color:inherit;font-family:inherit;font-size:100%;font-weight:inherit;line-height:inherit;margin:0;padding:0}button,select{text-transform:none}[type=button],[type=reset],[type=submit],button{-webkit-appearance:button;background-color:initial;background-image:none}:-moz-focusring{outline:auto}:-moz-ui-invalid{box-shadow:none}progress{vertical-align:initial}::-webkit-inner-spin-button,::-webkit-outer-spin-button{height:auto}[type=search]{-webkit-appearance:textfield;outline-offset:-2px}::-webkit-search-decoration{-webkit-appearance:none}::-webkit-file-upload-button{-webkit-appearance:button;font:inherit}summary{display:list-item}blockquote,dd,dl,figure,h1,h2,h3,h4,h5,h6,hr,p,pre{margin:0}fieldset{margin:0}fieldset,legend{padding:0}menu,ol,ul{list-style:none;margin:0;padding:0}textarea{resize:vertical}input::-moz-placeholder,textarea::-moz-placeholder{color:#9ca3af;opacity:1}input::placeholder,textarea::placeholder{color:#9ca3af;opacity:1}[role=button],button{cursor:pointer}:disabled{cursor:default}audio,canvas,embed,iframe,img,object,svg,video{display:block;vertical-align:middle}img,video{height:auto;max-width:100%}[hidden]{display:none}*,::backdrop,:after,:before{--tw-border-spacing-x:0;--tw-border-spacing-y:0;--tw-translate-x:0;--tw-translate-y:0;--tw-rotate:0;--tw-skew-x:0;--tw-skew-y:0;--tw-scale-x:1;--tw-scale-y:1;--tw-pan-x: ;--tw-pan-y: ;--tw-pinch-zoom: ;--tw-scroll-snap-strictness:proximity;--tw-ordinal: ;--tw-slashed-zero: ;--tw-numeric-figure: ;--tw-numeric-spacing: ;--tw-numeric-fraction: ;--tw-ring-inset: ;--tw-ring-offset-width:0px;--tw-ring-offset-color:#fff;--tw-ring-color:#3b82f680;--tw-ring-offset-shadow:0 0 #0000;--tw-ring-shadow:0 0 #0000;--tw-shadow:0 0 #0000;--tw-shadow-colored:0 0 #0000;--tw-blur: ;--tw-brightness: ;--tw-contrast: ;--tw-grayscale: ;--tw-hue-rotate: ;--tw-invert: ;--tw-saturate: ;--tw-sepia: ;--tw-drop-shadow: ;--tw-backdrop-blur: ;--tw-backdrop-brightness: ;--tw-backdrop-contrast: ;--tw-backdrop-grayscale: ;--tw-backdrop-hue-rotate: ;--tw-backdrop-invert: ;--tw-backdrop-opacity: ;--tw-backdrop-saturate: ;--tw-backdrop-sepia: }.fixed{position:fixed}.right-0{right:0}.top-0{top:0}.flex{display:flex}.h-24{height:6rem}.h-3\/5{height:60%}.h-6{height:1.5rem}.h-full{height:100%}.h-screen{height:100vh}.w-24{width:6rem}.w-6{width:1.5rem}.w-full{width:100%}.w-screen{width:100vw}.flex-col{flex-direction:column}.items-center{align-items:center}.justify-center{justify-content:center}.justify-between{justify-content:space-between}.space-y-1>:not([hidden])~:not([hidden]){--tw-space-y-reverse:0;margin-bottom:calc(.25rem*var(--tw-space-y-reverse));margin-top:calc(.25rem*(1 - var(--tw-space-y-reverse)))}.space-y-4>:not([hidden])~:not([hidden]){--tw-space-y-reverse:0;margin-bottom:calc(1rem*var(--tw-space-y-reverse));margin-top:calc(1rem*(1 - var(--tw-space-y-reverse)))}.rounded{border-radius:.25rem}.rounded-xl{border-radius:.75rem}.border-2{border-width:2px}.border-black{--tw-border-opacity:1;border-color:rgb(0 0 0/var(--tw-border-opacity))}.bg-blue-500{--tw-bg-opacity:1;background-color:rgb(59 130 246/var(--tw-bg-opacity))}.p-4{padding:1rem}.px-4{padding-left:1rem;padding-right:1rem}.py-2{padding-bottom:.5rem;padding-top:.5rem}.text-2xl{font-size:1.5rem;line-height:2rem}.text-sm{font-size:.875rem;line-height:1.25rem}.text-xl{font-size:1.25rem;line-height:1.75rem}.font-bold{font-weight:700}.text-white{--tw-text-opacity:1;color:rgb(255 255 255/var(--tw-text-opacity))}.hover\:bg-blue-700:hover{--tw-bg-opacity:1;background-color:rgb(29 78 216/var(--tw-bg-opacity))}.dark .dark\:border-white{--tw-border-opacity:1;border-color:rgb(255 255 255/var(--tw-border-opacity))}.dark .dark\:bg-slate-900{--tw-bg-opacity:1;background-color:rgb(15 23 42/var(--tw-bg-opacity))}.dark .dark\:text-white{--tw-text-opacity:1;color:rgb(255 255 255/var(--tw-text-opacity))}@media (min-width:640px){.sm\:w-2\/3{width:66.666667%}}@media (min-width:768px){.md\:h-2\/5{height:40%}.md\:flex-row{flex-direction:row}.md\:text-2xl{font-size:1.5rem;line-height:2rem}.md\:text-lg{font-size:1.125rem;line-height:1.75rem}}@media (min-width:1024px){.lg\:w-1\/2{width:50%}.lg\:text-3xl{font-size:1.875rem;line-height:2.25rem}.lg\:text-xl{font-size:1.25rem;line-height:1.75rem}}@media (min-width:1280px){.xl\:text-4xl{font-size:2.25rem;line-height:2.5rem}}</style>
 </head>
@@ -12,7 +12,7 @@
         <div class="flex flex-col justify-between items-center border-2 border-black dark:border-white rounded-xl p-4 h-3/5 md:h-2/5 w-full sm:w-2/3 lg:w-1/2">
           <div class="fixed p-4 top-0 right-0 dark-mode-toggle"></div>
           <div class="flex flex-col items-center space-y-4">
-            <svg fill="black" class="h-24 w-24" aria-hidden="true" focusable="false" data-prefix="fas" data-icon="exclamation-triangle" role="img" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 576 512" class="warning">
+            <svg fill="black" class="h-24 w-24 warning" aria-hidden="true" focusable="false" data-prefix="fas" data-icon="exclamation-triangle" role="img" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 576 512">
               <path d="M569.517 440.013C587.975 472.007 564.806 512 527.94 512H48.054c-36.937 0-59.999-40.055-41.577-71.987L246.423 23.985c18.467-32.009 64.72-31.951 83.154 0l239.94 416.028zM288 354c-25.405 0-46 20.595-46 46s20.595 46 46 46 46-20.595 46-46-20.595-46-46-46zm-43.673-165.346l7.418 136c.347 6.364 5.609 11.346 11.982 11.346h48.546c6.373 0 11.635-4.982 11.982-11.346l7.418-136c.375-6.874-5.098-12.654-11.982-12.654h-63.383c-6.884 0-12.356 5.78-11.981 12.654z"></path>
             </svg>
             <h1 class="text-xl md:text-2xl lg:text-3xl xl:text-4xl"> CrowdSec Access Forbidden</h1>
@@ -72,7 +72,7 @@ <h1 class="text-xl md:text-2xl lg:text-3xl xl:text-4xl"> CrowdSec Access Forbidd
       <script>
         const moonSvgString = '<svg fill="black" class="h-6 w-6" viewBox="0 0 35 35" data-name="Layer 2" id="Layer_2" xmlns="http://www.w3.org/2000/svg"><path d="M18.44,34.68a18.22,18.22,0,0,1-2.94-.24,18.18,18.18,0,0,1-15-20.86A18.06,18.06,0,0,1,9.59.63,2.42,2.42,0,0,1,12.2.79a2.39,2.39,0,0,1,1,2.41L11.9,3.1l1.23.22A15.66,15.66,0,0,0,23.34,21h0a15.82,15.82,0,0,0,8.47.53A2.44,2.44,0,0,1,34.47,25,18.18,18.18,0,0,1,18.44,34.68ZM10.67,2.89a15.67,15.67,0,0,0-5,22.77A15.66,15.66,0,0,0,32.18,24a18.49,18.49,0,0,1-9.65-.64A18.18,18.18,0,0,1,10.67,2.89Z"/></svg>'
         const sunSvgString = '<svg class="h-6 w-6" viewBox="0 0 24 24" fill="white" xmlns="http://www.w3.org/2000/svg"><path d="M3 12H5M5.00006 19L7.00006 17M12 19V21M17 17L19 19M5 5L7 7M19 12H21M16.9999 7L18.9999 5M12 3V5M15 12C15 13.6569 13.6569 15 12 15C10.3431 15 9 13.6569 9 12C9 10.3431 10.3431 9 12 9C13.6569 9 15 10.3431 15 12Z" stroke="white" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round"/></svg>'
-        const svg = Array.from(document.querySelectorAll('svg'));
+        const svg = document.querySelectorAll('svg');
         const button = document.querySelector('.dark-mode-toggle');
         window.onload = () => {
           if (window.matchMedia && window.matchMedia('(prefers-color-scheme: dark)').matches) {
diff --git a/templates/ban.tmpl b/templates/ban.tmpl
index 1c7865c..0d71b8d 100644
--- a/templates/ban.tmpl
+++ b/templates/ban.tmpl
@@ -72,7 +72,7 @@
       <script>
         const moonSvgString = '<svg fill="black" class="h-6 w-6" viewBox="0 0 35 35" data-name="Layer 2" id="Layer_2" xmlns="http://www.w3.org/2000/svg"><path d="M18.44,34.68a18.22,18.22,0,0,1-2.94-.24,18.18,18.18,0,0,1-15-20.86A18.06,18.06,0,0,1,9.59.63,2.42,2.42,0,0,1,12.2.79a2.39,2.39,0,0,1,1,2.41L11.9,3.1l1.23.22A15.66,15.66,0,0,0,23.34,21h0a15.82,15.82,0,0,0,8.47.53A2.44,2.44,0,0,1,34.47,25,18.18,18.18,0,0,1,18.44,34.68ZM10.67,2.89a15.67,15.67,0,0,0-5,22.77A15.66,15.66,0,0,0,32.18,24a18.49,18.49,0,0,1-9.65-.64A18.18,18.18,0,0,1,10.67,2.89Z"/></svg>'
         const sunSvgString = '<svg class="h-6 w-6" viewBox="0 0 24 24" fill="white" xmlns="http://www.w3.org/2000/svg"><path d="M3 12H5M5.00006 19L7.00006 17M12 19V21M17 17L19 19M5 5L7 7M19 12H21M16.9999 7L18.9999 5M12 3V5M15 12C15 13.6569 13.6569 15 12 15C10.3431 15 9 13.6569 9 12C9 10.3431 10.3431 9 12 9C13.6569 9 15 10.3431 15 12Z" stroke="white" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round"/></svg>'
-        const svg = Array.from(document.querySelectorAll('svg'));
+        const svg = document.querySelectorAll('svg');
         const button = document.querySelector('.dark-mode-toggle');
         window.onload = () => {
           if (window.matchMedia && window.matchMedia('(prefers-color-scheme: dark)').matches) {
diff --git a/templates/captcha.html b/templates/captcha.html
index 465cc62..ef25ef2 100644
--- a/templates/captcha.html
+++ b/templates/captcha.html
@@ -2,7 +2,7 @@
 <html lang="en">
   <head>
     <title>CrowdSec Captcha</title>
-    <meta content="text/html; charset=utf-8" />
+    <meta charset="utf-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
     <style>/*! tailwindcss v3.2.7 | MIT License | https://tailwindcss.com*/*,:after,:before{border:0 solid #e5e7eb;box-sizing:border-box}:after,:before{--tw-content:""}html{-webkit-text-size-adjust:100%;font-feature-settings:normal;font-family:ui-sans-serif,system-ui,-apple-system,BlinkMacSystemFont,Segoe UI,Roboto,Helvetica Neue,Arial,Noto Sans,sans-serif,Apple Color Emoji,Segoe UI Emoji,Segoe UI Symbol,Noto Color Emoji;line-height:1.5;-moz-tab-size:4;-o-tab-size:4;tab-size:4}body{line-height:inherit;margin:0}hr{border-top-width:1px;color:inherit;height:0}abbr:where([title]){-webkit-text-decoration:underline dotted;text-decoration:underline dotted}h1,h2,h3,h4,h5,h6{font-size:inherit;font-weight:inherit}a{color:inherit;text-decoration:inherit}b,strong{font-weight:bolder}code,kbd,pre,samp{font-family:ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,Liberation Mono,Courier New,monospace;font-size:1em}small{font-size:80%}sub,sup{font-size:75%;line-height:0;position:relative;vertical-align:initial}sub{bottom:-.25em}sup{top:-.5em}table{border-collapse:collapse;border-color:inherit;text-indent:0}button,input,optgroup,select,textarea{color:inherit;font-family:inherit;font-size:100%;font-weight:inherit;line-height:inherit;margin:0;padding:0}button,select{text-transform:none}[type=button],[type=reset],[type=submit],button{-webkit-appearance:button;background-color:initial;background-image:none}:-moz-focusring{outline:auto}:-moz-ui-invalid{box-shadow:none}progress{vertical-align:initial}::-webkit-inner-spin-button,::-webkit-outer-spin-button{height:auto}[type=search]{-webkit-appearance:textfield;outline-offset:-2px}::-webkit-search-decoration{-webkit-appearance:none}::-webkit-file-upload-button{-webkit-appearance:button;font:inherit}summary{display:list-item}blockquote,dd,dl,figure,h1,h2,h3,h4,h5,h6,hr,p,pre{margin:0}fieldset{margin:0}fieldset,legend{padding:0}menu,ol,ul{list-style:none;margin:0;padding:0}textarea{resize:vertical}input::-moz-placeholder,textarea::-moz-placeholder{color:#9ca3af;opacity:1}input::placeholder,textarea::placeholder{color:#9ca3af;opacity:1}[role=button],button{cursor:pointer}:disabled{cursor:default}audio,canvas,embed,iframe,img,object,svg,video{display:block;vertical-align:middle}img,video{height:auto;max-width:100%}[hidden]{display:none}*,::backdrop,:after,:before{--tw-border-spacing-x:0;--tw-border-spacing-y:0;--tw-translate-x:0;--tw-translate-y:0;--tw-rotate:0;--tw-skew-x:0;--tw-skew-y:0;--tw-scale-x:1;--tw-scale-y:1;--tw-pan-x: ;--tw-pan-y: ;--tw-pinch-zoom: ;--tw-scroll-snap-strictness:proximity;--tw-ordinal: ;--tw-slashed-zero: ;--tw-numeric-figure: ;--tw-numeric-spacing: ;--tw-numeric-fraction: ;--tw-ring-inset: ;--tw-ring-offset-width:0px;--tw-ring-offset-color:#fff;--tw-ring-color:#3b82f680;--tw-ring-offset-shadow:0 0 #0000;--tw-ring-shadow:0 0 #0000;--tw-shadow:0 0 #0000;--tw-shadow-colored:0 0 #0000;--tw-blur: ;--tw-brightness: ;--tw-contrast: ;--tw-grayscale: ;--tw-hue-rotate: ;--tw-invert: ;--tw-saturate: ;--tw-sepia: ;--tw-drop-shadow: ;--tw-backdrop-blur: ;--tw-backdrop-brightness: ;--tw-backdrop-contrast: ;--tw-backdrop-grayscale: ;--tw-backdrop-hue-rotate: ;--tw-backdrop-invert: ;--tw-backdrop-opacity: ;--tw-backdrop-saturate: ;--tw-backdrop-sepia: }.fixed{position:fixed}.right-0{right:0}.top-0{top:0}.flex{display:flex}.h-24{height:6rem}.h-3\/5{height:60%}.h-6{height:1.5rem}.h-full{height:100%}.h-screen{height:100vh}.w-24{width:6rem}.w-6{width:1.5rem}.w-full{width:100%}.w-screen{width:100vw}.flex-col{flex-direction:column}.items-center{align-items:center}.justify-center{justify-content:center}.justify-between{justify-content:space-between}.space-y-1>:not([hidden])~:not([hidden]){--tw-space-y-reverse:0;margin-bottom:calc(.25rem*var(--tw-space-y-reverse));margin-top:calc(.25rem*(1 - var(--tw-space-y-reverse)))}.space-y-4>:not([hidden])~:not([hidden]){--tw-space-y-reverse:0;margin-bottom:calc(1rem*var(--tw-space-y-reverse));margin-top:calc(1rem*(1 - var(--tw-space-y-reverse)))}.rounded{border-radius:.25rem}.rounded-xl{border-radius:.75rem}.border-2{border-width:2px}.border-black{--tw-border-opacity:1;border-color:rgb(0 0 0/var(--tw-border-opacity))}.bg-blue-500{--tw-bg-opacity:1;background-color:rgb(59 130 246/var(--tw-bg-opacity))}.p-4{padding:1rem}.px-4{padding-left:1rem;padding-right:1rem}.py-2{padding-bottom:.5rem;padding-top:.5rem}.text-2xl{font-size:1.5rem;line-height:2rem}.text-sm{font-size:.875rem;line-height:1.25rem}.text-xl{font-size:1.25rem;line-height:1.75rem}.font-bold{font-weight:700}.text-white{--tw-text-opacity:1;color:rgb(255 255 255/var(--tw-text-opacity))}.hover\:bg-blue-700:hover{--tw-bg-opacity:1;background-color:rgb(29 78 216/var(--tw-bg-opacity))}.dark .dark\:border-white{--tw-border-opacity:1;border-color:rgb(255 255 255/var(--tw-border-opacity))}.dark .dark\:bg-slate-900{--tw-bg-opacity:1;background-color:rgb(15 23 42/var(--tw-bg-opacity))}.dark .dark\:text-white{--tw-text-opacity:1;color:rgb(255 255 255/var(--tw-text-opacity))}@media (min-width:640px){.sm\:w-2\/3{width:66.666667%}}@media (min-width:768px){.md\:h-2\/5{height:40%}.md\:flex-row{flex-direction:row}.md\:text-2xl{font-size:1.5rem;line-height:2rem}.md\:text-lg{font-size:1.125rem;line-height:1.75rem}}@media (min-width:1024px){.lg\:w-1\/2{width:50%}.lg\:text-3xl{font-size:1.875rem;line-height:2.25rem}.lg\:text-xl{font-size:1.25rem;line-height:1.75rem}}@media (min-width:1280px){.xl\:text-4xl{font-size:2.25rem;line-height:2.5rem}}</style>
     <script src="{{captcha_frontend_js}}" async defer></script>
@@ -12,7 +12,7 @@
     <div class="flex flex-col justify-between items-center border-2 border-black dark:border-white rounded-xl p-4 h-3/5 md:h-2/5 w-full sm:w-2/3 lg:w-1/2">
       <div class="fixed p-4 top-0 right-0 dark-mode-toggle"></div>
       <div class="flex flex-col items-center space-y-4">
-        <svg fill="black" class="h-24 w-24" aria-hidden="true" focusable="false" data-prefix="fas" data-icon="exclamation-triangle" role="img" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 576 512" class="warning">
+        <svg fill="black" class="h-24 w-24 warning" aria-hidden="true" focusable="false" data-prefix="fas" data-icon="exclamation-triangle" role="img" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 576 512">
           <path d="M569.517 440.013C587.975 472.007 564.806 512 527.94 512H48.054c-36.937 0-59.999-40.055-41.577-71.987L246.423 23.985c18.467-32.009 64.72-31.951 83.154 0l239.94 416.028zM288 354c-25.405 0-46 20.595-46 46s20.595 46 46 46 46-20.595 46-46-20.595-46-46-46zm-43.673-165.346l7.418 136c.347 6.364 5.609 11.346 11.982 11.346h48.546c6.373 0 11.635-4.982 11.982-11.346l7.418-136c.375-6.874-5.098-12.654-11.982-12.654h-63.383c-6.884 0-12.356 5.78-11.981 12.654z"></path>
         </svg>
         <h1 class="text-2xl lg:text-3xl xl:text-4xl">CrowdSec Captcha</h1>
@@ -69,7 +69,7 @@ <h1 class="text-2xl lg:text-3xl xl:text-4xl">CrowdSec Captcha</h1>
   <script>
     const moonSvgString = '<svg fill="black" class="h-6 w-6" viewBox="0 0 35 35" data-name="Layer 2" id="Layer_2" xmlns="http://www.w3.org/2000/svg"><path d="M18.44,34.68a18.22,18.22,0,0,1-2.94-.24,18.18,18.18,0,0,1-15-20.86A18.06,18.06,0,0,1,9.59.63,2.42,2.42,0,0,1,12.2.79a2.39,2.39,0,0,1,1,2.41L11.9,3.1l1.23.22A15.66,15.66,0,0,0,23.34,21h0a15.82,15.82,0,0,0,8.47.53A2.44,2.44,0,0,1,34.47,25,18.18,18.18,0,0,1,18.44,34.68ZM10.67,2.89a15.67,15.67,0,0,0-5,22.77A15.66,15.66,0,0,0,32.18,24a18.49,18.49,0,0,1-9.65-.64A18.18,18.18,0,0,1,10.67,2.89Z"/></svg>'
     const sunSvgString = '<svg class="h-6 w-6" viewBox="0 0 24 24" fill="white" xmlns="http://www.w3.org/2000/svg"><path d="M3 12H5M5.00006 19L7.00006 17M12 19V21M17 17L19 19M5 5L7 7M19 12H21M16.9999 7L18.9999 5M12 3V5M15 12C15 13.6569 13.6569 15 12 15C10.3431 15 9 13.6569 9 12C9 10.3431 10.3431 9 12 9C13.6569 9 15 10.3431 15 12Z" stroke="white" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round"/></svg>'
-    const svg = Array.from(document.querySelectorAll('svg'));
+    const svg = document.querySelectorAll('svg');
     const button = document.querySelector('.dark-mode-toggle');
     window.onload = () => {
       if (window.matchMedia && window.matchMedia('(prefers-color-scheme: dark)').matches) {
diff --git a/templates/captcha.tmpl b/templates/captcha.tmpl
index 685c72e..f093130 100644
--- a/templates/captcha.tmpl
+++ b/templates/captcha.tmpl
@@ -69,7 +69,7 @@
   <script>
     const moonSvgString = '<svg fill="black" class="h-6 w-6" viewBox="0 0 35 35" data-name="Layer 2" id="Layer_2" xmlns="http://www.w3.org/2000/svg"><path d="M18.44,34.68a18.22,18.22,0,0,1-2.94-.24,18.18,18.18,0,0,1-15-20.86A18.06,18.06,0,0,1,9.59.63,2.42,2.42,0,0,1,12.2.79a2.39,2.39,0,0,1,1,2.41L11.9,3.1l1.23.22A15.66,15.66,0,0,0,23.34,21h0a15.82,15.82,0,0,0,8.47.53A2.44,2.44,0,0,1,34.47,25,18.18,18.18,0,0,1,18.44,34.68ZM10.67,2.89a15.67,15.67,0,0,0-5,22.77A15.66,15.66,0,0,0,32.18,24a18.49,18.49,0,0,1-9.65-.64A18.18,18.18,0,0,1,10.67,2.89Z"/></svg>'
     const sunSvgString = '<svg class="h-6 w-6" viewBox="0 0 24 24" fill="white" xmlns="http://www.w3.org/2000/svg"><path d="M3 12H5M5.00006 19L7.00006 17M12 19V21M17 17L19 19M5 5L7 7M19 12H21M16.9999 7L18.9999 5M12 3V5M15 12C15 13.6569 13.6569 15 12 15C10.3431 15 9 13.6569 9 12C9 10.3431 10.3431 9 12 9C13.6569 9 15 10.3431 15 12Z" stroke="white" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round"/></svg>'
-    const svg = Array.from(document.querySelectorAll('svg'));
+    const svg = document.querySelectorAll('svg');
     const button = document.querySelector('.dark-mode-toggle');
     window.onload = () => {
       if (window.matchMedia && window.matchMedia('(prefers-color-scheme: dark)').matches) {