5

I'm migrating from Google reCAPTCHA v2 to v3. As they are quite different, I have a question.

I used to place my reCAPTCHA v2 only inside web pages where a form exists, to make users click and avoid bots. That's understood, ok, but with reCAPTCHA v3 there is NOT a checkbox where to click on (reCAPTCHA v3 analyzes the user behaviour and clicks).

So... should I place the reCAPTCHA v3 just in forms pages or should I place it in all and every pages I have (to make recaptcha observe how the user interacts with the web)?

Ommadawn
  • 2,450
  • 3
  • 24
  • 48

2 Answers2

8

I would disagree with Galzor’s answer. The documentation says that

The score is based on interactions with your site and enables you to take an appropriate action for your site.

It’s “site” and not page. It goes on to say

reCAPTCHA works best when it has the most context about interactions with your site, which comes from seeing both legitimate and abusive behavior. For this reason, we recommend including reCAPTCHA verification on forms or actions as well as in the background of pages for analytics.

To me that last sentence means “every page with analytics on my site” — i.e. every page, whether it has a form on it or not. Which then gives rise to all sorts of privacy concerns, see also here.

Now my question is: what does the “reCAPTCHA verification” refer to? Including the api.js script or executing something or…

Unfortunately, the docs don’t spell this out clearly.

Addendum

(Feb 2023)

I switched to hCaptcha and their docs are also somewhat unclear. However, their customer service responded with

You should add the script and the DOM container with hCaptcha widget only on the contact form page and then call our /siteverify endpoint to validate the user.

and

Same scenario for second case, add it only on the sign up page and if validated within our side the user should be able to log in.

Based on that response I added the CAPTCHA only to the Contact page of my website and to the Sign Up page of the webapp.

Not sure this would also apply to Google’s CAPTCHA, though.

Jens
  • 8,423
  • 9
  • 58
  • 78
  • thank you for this post. The [recaptchav3 docs](https://developers.google.com/recaptcha/docs/v3) are **bad** and don't provide any very useful examples. I would add that [this topic](https://stackoverflow.com/questions/51507695/google-recaptcha-v3-example-demo), which has been upvoted far too much, provides **bad** answers. Sell your google stock, folks. Their quality is really slipping. – S. Imp Feb 16 '23 at 23:15
-1

I dont think it should go into every page. mostly the users will find it too intrusive on all pages. in my opinion use it on page with form only.

Galzor
  • 825
  • 8
  • 16
  • The basic premise of reCaptcha v3 is that it is not intrusive because it is invisible to the user. Their docs state, "reCAPTCHA v3 will never interrupt your users, so you can run it whenever you like without affecting conversion." https://developers.google.com/recaptcha/docs/v3 – Marsellus Jan 23 '23 at 21:55