Captcha providers
Configure captcha verification with reCAPTCHA, hCaptcha, or Cloudflare Turnstile.
Captcha providers protect sensitive endpoints from automated abuse. rCTF supports three captcha services.
Configuration#
Captcha configuration has two parts: the provider (which service to use) and the protected endpoints (which actions require verification).
captcha: provider: name: captcha/turnstile options: siteKey: your-site-key secretKey: your-secret-key protectedEndpoints: - register - recoverProtected endpoints#
The protectedEndpoints array controls which actions require captcha verification:
Only the actions listed in protectedEndpoints will require captcha. Unlisted actions proceed without verification.
Providers#
Google reCAPTCHA v2 Invisible. The frontend renders the widget with size: 'invisible' and verifies the response against https://www.google.com/recaptcha/api/siteverify.
captcha: provider: name: captcha/recaptcha options: siteKey: your-site-key secretKey: your-secret-keyhCaptcha verification.
captcha: provider: name: captcha/hcaptcha options: siteKey: your-site-key secretKey: your-secret-keyCloudflare Turnstile verification.
captcha: provider: name: captcha/turnstile options: siteKey: your-site-key secretKey: your-secret-keyMigrating from v1#
If you are using the legacy recaptcha top-level config from v1, it is automatically converted to the new format at startup. However, migrating is recommended:
recaptcha: siteKey: your-site-key secretKey: your-secret-key protectedActions: - registercaptcha: provider: name: captcha/recaptcha options: siteKey: your-site-key secretKey: your-secret-key protectedEndpoints: - register