Custom Recaptcha Domain

[nackler]

Our webserver policy is to disallow external http traffic -- for security reasons. For recaptcha, instead of sending a request to google directly from the webserver, we send an API request to an internal server which initiates the official google recaptcha token request then echoes the response back out to our webserver.

We would be able to use umbraco forms' recaptcha if we could provide an alternate domain via an appsetting that would let us route the recaptcha requests to our internal 'fake' recaptcha server instead.

---

This item has been added to our backlog AB#37614

[nackler]

This question is specifically for Invisible Recaptcha (https://developers.google.com/recaptcha/docs/invisible) where on the server side we take the submitted value from the "g-recaptcha-response" and send it to google (or in this case our own internal google repeating api) on the server side.

[AndyButland]

We have introduced a new setting - VerificationUrl- allowing you to set the URL used for validating the reCAPTCHA response, which will allow you to configure your internal server as the endpoint.

The reCAPTCHA 3 settings with default values now look like:

  "Recaptcha3": {
    "SiteKey": "",
    "PrivateKey": "",
    "Domain": "Google",
    "VerificationUrl": "https://www.google.com/recaptcha/api/siteverify"
  }

This will be available from Forms 13.1.0.

[nackler]

Awesome! Will this work with 'score' based recaptcha, sometimes called 'frictionless' recaptcha which is invisible to the user except for the small recaptcha logo in the bottom right corner of their browser?

[AndyButland]

Yes, that's the one we've applied it to.