I am a little confused about the implementation of google's V3 recaptcha. The docs say that the algorithm decides the users score based on a number of actions. How is it watching those actions if those actions occur when the recaptcha is not being used?
For example, I have users "vote" on various categories. These votes happen on several different pages within a react app and possibly over more than one session. However, the only time that the recaptcha is called is when the user submits the form. Do I need to somehow notify the captcha to watch the voting actions? Does the code need to be imported in all components or on a higher component so that all voting ones have access to it?
Related
I have a website where people can interact with different objects to view specific content. I would like to know which objects get the most interactions by real people. For example there are thumbnails of images and I would like to know when a user clicks on a thumbnail to view an image.
To do this I thought I would create a psql table with thumbnail_id and an IP address, where every single view is stored (to ensure every combination of thumbnail and ip is only counted once and people can't just spam click it).
And so every time a click happens, a post request on a /views endpoint with the thumbnail id attached is made in the background.
The proplem is, some people may be incentivized to create bots to auto click certain images with many different IPs.
So I was wondering if I could use recaptcha v3 to identify real users as opposed to bots which would include a token with every view request.
But I was wondering, would is this too much for my backend to handle (since it would have to talk to googles servers every time anybody views an image, which might be every few seconds for each user and I would be billed while the server waits for a response) or be too expensive, since I have to pay google on every request? Or is there some other obvious problem with this?
I'm asking since I have only ever found recaptcha used for single form validation and never for traffic measurements, even though that seems like a pretty obvious use case.
I am creating an e-commerce API using the Django Rest Framework. The API will handle the following areas:
Databases
User Registration
Permissions
Orders/Payments
There's still one area in which I'm not quite sure how to implement in my project. It's the cart functionality. Would it be better to implement it on the client-side (ex: React/Ember) or on the server-side (i.e. API)?
One scenario that confused me is if the user is logged in in different platforms (ex: Website and mobile app). I want the user to have the same cart on mulitple platforms.
In that particular use case, if you want cart persistence then it must be backend. The reason for this is one being able to have a single source of truth. The phone app and the web app cannot talk to each other unless they have some sort of "common ground" between them.
That's where the API comes in. It will allow both ends to speak to each other by having the API as the single source of truth. See my terrible diagram for a visual.
I'm migrating from Google reCAPTCHA v2 to v3. As they are quite different, I have a question.
I used to place my reCAPTCHA v2 only inside web pages where a form exists, to make users click and avoid bots. That's understood, ok, but with reCAPTCHA v3 there is NOT a checkbox where to click on (reCAPTCHA v3 analyzes the user behaviour and clicks).
So... should I place the reCAPTCHA v3 just in forms pages or should I place it in all and every pages I have (to make recaptcha observe how the user interacts with the web)?
I would disagree with Galzor’s answer. The documentation says that
The score is based on interactions with your site and enables you to take an appropriate action for your site.
It’s “site” and not page. It goes on to say
reCAPTCHA works best when it has the most context about interactions with your site, which comes from seeing both legitimate and abusive behavior. For this reason, we recommend including reCAPTCHA verification on forms or actions as well as in the background of pages for analytics.
To me that last sentence means “every page with analytics on my site” — i.e. every page, whether it has a form on it or not. Which then gives rise to all sorts of privacy concerns, see also here.
Now my question is: what does the “reCAPTCHA verification” refer to? Including the api.js script or executing something or… 🤔
Unfortunately, the docs don’t spell this out clearly.
Addendum
(Feb 2023)
I switched to hCaptcha and their docs are also somewhat unclear. However, their customer service responded with
You should add the script and the DOM container with hCaptcha widget only on the contact form page and then call our /siteverify endpoint to validate the user.
and
Same scenario for second case, add it only on the sign up page and if validated within our side the user should be able to log in.
Based on that response I added the CAPTCHA only to the Contact page of my website and to the Sign Up page of the webapp.
Not sure this would also apply to Google’s CAPTCHA, though.
I dont think it should go into every page. mostly the users will find it too intrusive on all pages. in my opinion use it on page with form only.
we recommend including reCAPTCHA verification on forms or actions as
well as in the background of pages for analytics.
Note: You can execute reCAPTCHA as many times as you'd like with
different actions on the same page.
(https://developers.google.com/recaptcha/docs/v3)
Based on this comment, should I be executing only the grecaptcha.execute function in the background of the page or do I also need to verify that the token is correct, also in the background?
This is in terms of improvement of the recaptcha v3 ML
Thanks
Hi I am interested in using Mix Panel on a web site to track customers events. I would like to know if there is any way to use the api to personalise the web site per customer, similar to segmentation for emails.
I would like to query the api for a singular customer asking whether they have achieved several events.
For example something like
If customer has clicked out and last visit greater than a month ago display a banner advert.
Mixpanel does not seem like a correct tool for the job you describe here.
While theoretically this might be possible (via Mixpanel's HTTP API), this will create unnecessary architectural complexity and add extra latency. If you need to customize your web site per user, store any user state in a database like MySQL or PostgreSQL. This will be both faster and easier.