We have been receiving a lot of spam through our Unbounce landing page and we came across the invisible reCAPTCHA as a potential solution.
As the page is built using Unbounce we aren't able to access the back end code for the page or add custom HTML attributes to the form submit button.
By default Unbounce doesn't use an ID on the form.
So the question is, Would it be possible to integrate invisible reCAPTCHA with limited front end access to the page?
Related
I'm migrating from Google reCAPTCHA v2 to v3. As they are quite different, I have a question.
I used to place my reCAPTCHA v2 only inside web pages where a form exists, to make users click and avoid bots. That's understood, ok, but with reCAPTCHA v3 there is NOT a checkbox where to click on (reCAPTCHA v3 analyzes the user behaviour and clicks).
So... should I place the reCAPTCHA v3 just in forms pages or should I place it in all and every pages I have (to make recaptcha observe how the user interacts with the web)?
I would disagree with Galzor’s answer. The documentation says that
The score is based on interactions with your site and enables you to take an appropriate action for your site.
It’s “site” and not page. It goes on to say
reCAPTCHA works best when it has the most context about interactions with your site, which comes from seeing both legitimate and abusive behavior. For this reason, we recommend including reCAPTCHA verification on forms or actions as well as in the background of pages for analytics.
To me that last sentence means “every page with analytics on my site” — i.e. every page, whether it has a form on it or not. Which then gives rise to all sorts of privacy concerns, see also here.
Now my question is: what does the “reCAPTCHA verification” refer to? Including the api.js script or executing something or… 🤔
Unfortunately, the docs don’t spell this out clearly.
Addendum
(Feb 2023)
I switched to hCaptcha and their docs are also somewhat unclear. However, their customer service responded with
You should add the script and the DOM container with hCaptcha widget only on the contact form page and then call our /siteverify endpoint to validate the user.
and
Same scenario for second case, add it only on the sign up page and if validated within our side the user should be able to log in.
Based on that response I added the CAPTCHA only to the Contact page of my website and to the Sign Up page of the webapp.
Not sure this would also apply to Google’s CAPTCHA, though.
I dont think it should go into every page. mostly the users will find it too intrusive on all pages. in my opinion use it on page with form only.
My question is similar to this. I am loosing ajax updates when navigating back on the browser... I want to know if there a better solution to this problem in ASP.NET MVC (the other answer suggests storing filter value in a hidden input and redoing the updates onLoad)
This is my scenario:
I am working on an e-commerce website. When user comes to the home page, he would see a filter and some advertisements:
The user then uses the filter to refine his search, say he would type shoe and clicks on Go. The Go bottom would send an ajax request to the server and the new advertisements are updated through ajax:
The user clicks on one of the ads and navigate to the ad details page... now if he presses the back button on the browser, he would come back to the home page but will loose the search result which was done by ajax.
Okay, I want to use Google's reCAPTCHA but I don't want the user to click on anything, Just verify that they're not a robot when the page loads. If the visitor is a bot I want to redirect it to a blocking page.
Is it possible? and how can I do it?
My current task: restrict bot activity on a website.
Solution: integrate invisible reCaptcha and fire it on page load. If a user passes the humanity test, website continuous loading, if not user will be challenged.
Can someone help we with advice how to integrate it that way?
I recently posted an answer detailing how to programmatically render and trigger invisible recaptcha for ajax forms. You can read the full answer here. But in short, use api method:
grecaptcha.render() api to render the invisible recaptcha by passing size="invisible"
grecaptcha.getResponse() to check if user has passed the test. It returns a token. If token is empty string, it means user is not verified human yet.
grecaptcha.execute() to programmatically show a challenge to user. You can pass a callback function in options to render() api method which gets called back when user has passed the test.
Google announced Invisible ReCAPTCHA is coming soon. For now, if you want to integrate the new reCAPTCHA to your site or app you can register here.
I do have 2 site keys whitelisted for the new Invisible reCaptcha and I've started "playing" with their examples: see them here https://developers.google.com/recaptcha/docs/invisible
Yes, when the page loads the recaptcha is invisible but when the form is submitted the recaptcha challenge appears all the time. You have to click on images, draw something around something else... etc
I've been testing this on different servers, 2 different sites which have the site key approved to use the Invisible reCaptcha, with different browsers form different locations. Same behavior: Google shows the challenge when the form is submitted on all 3 examples they have on their page.
Is this what we should expect?
Just as with the checkbox, if it can't reliably determine if you aren't a bot, you get a challenge. I can confirm that the invisible part does work when you are detected as a human.
Actually you have to approve the Terms of Service when you create a new reCAPTCHA site, that says that
You agree to explicitly inform visitors to your site that you have implemented the Invisible reCAPTCHA on your site and that their use of the Invisible reCAPTCHA is subject to the Google Privacy Policy and Terms of Use.