Before adding something you think is "security" to your website, consider how sites that truly require security (e.g., banks, PayPal) implement it.
One trend I've seen lately is sites with "prove you're a human" tests that are so complicated that humans cannot pass them. I just spent 10 minutes trying to get into a website that required that I solve a ridiculous 8-step "puzzle." I gave up after six attempts, with each rep taking over a minute. I'm now canceling my subscription by cutting off their funding. (I can't get into the site to cancel 😄.)
I've never seen a bank require a puzzle to get in. More to the point, given that this particular site had offloaded payment security to trusted third parties (PayPal, Stripe, Shopify), their puzzle was doing nothing except alienating users. There was nothing else on the site that posed any other sort of security risk, and if they were doing this prove-you're-human thing as a form of throttling, that's easy to do without the test. (And don't get me started on sites that have nothing to protect, but demand passwords.)
I'm not sure what the takeaway here is, other than that you should not rely on amateurs to add "security" to your application or website, and most programmers are amateurs in this area. They will add complexity that alienates customers without providing any actual security. In any event, almost all security exploits exploit bugs. For genuine security, prioritize quality.
Discussion about this post
UX is broken in many ways.
This is just another example.