Background: my website is pretty simple, containing a main page with a list of links (provided by a 3rd party service) - each link pops up a file upload input with a submit button. In that popup I embedded the reCAPTCHA script, and verified the token upon file submission. Because of this multiple-popup setup I chose v3 for zero user interaction with the verification mechanism.
Now a question arises - how should I interpret Google's response?
Google documentation for V3 says:
reCAPTCHA learns by seeing real traffic on your site. For this reason, scores in a staging environment or soon after implementing may differ from production. As reCAPTCHA v3 doesn't ever interrupt the user flow, you can first run reCAPTCHA without taking action and then decide on thresholds by looking at your traffic in the admin console. By default, you can use a threshold of 0.5.
It is pretty clear to me, from this description, that the score is what matters - 0.0 for most likely bot, 1.0 for most likely human. So in my code, I check that success == true and score >= 0.5.
However - none of the v3 examples I find online for server side validation pay any attention to the score. Here are three of them. All three only check for the request being successful:
https://stackoverflow.com/a/54118106/3367818
https://stackoverflow.com/a/52633797/3367818
https://dzone.com/articles/adding-google-recaptcha-v3-to-your-laravel-app
Finally, my question is - is that a misconception of v3's mechanism, or am I missing something?
Thanks.
reCAPTCHA v3 returns a score (1.0 is very likely a good interaction, 0.0 is very likely a bot). Based on the score, you can take variable action in the context of your site. Every site is different, but below are some examples of how sites use the score.
“The score is based on interactions with your site and enables you to take an appropriate action for your site.” Recaptcha will rank traffic and interactions based on a score of 0.0 to 1.0, with a 1.0 being a good interaction and scores closer to 0.0 indicating a good likelihood that the traffic was generated by bots.
Interpreting scores: reCAPTCHA Enterprise has 11 levels for scores with values ranging from 0.0 to 1.0. The score 1.0 indicates that the interaction poses low risk and is very likely legitimate, whereas 0.0 indicates that the interaction poses high risk and might be fraudulent.
Yes, you should definitely be checking the value of "score" in Google's verification response.
Those three examples are very lacking in detail and actually pretty confusing.
The "success" simply means that you sent a well formed request with the right token and secret.
It sounds like you're already checking the value of "score", so that's great, but I just wanted to clarify this for anyone who finds this question and is still a little confused.
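As an added example (not code from either answer above), here is a Python server-side check that does what the answer describes: treat "success" as "the token and secret were valid" and the "score" as the v3 verdict, and additionally pin the "action" and "hostname" fields that siteverify returns so a token minted for another page or site is rejected. The endpoint, field names and 0.5 default threshold are Google's documented ones; the sample responses, the "file_upload" action name and the "example.com" hostname are constructed for the demonstration.

```python
import json
import urllib.parse
import urllib.request

SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"


def fetch_siteverify(secret: str, token: str, remote_ip: str = "") -> dict:
    """POST the client token to Google's siteverify endpoint and return the parsed JSON.
    This is the live network call; the offline checks below never invoke it."""
    data = {"secret": secret, "response": token}
    if remote_ip:
        data["remoteip"] = remote_ip
    body = urllib.parse.urlencode(data).encode()
    with urllib.request.urlopen(SITEVERIFY_URL, data=body, timeout=5) as resp:
        return json.load(resp)


def evaluate_siteverify(result: dict, expected_action: str, expected_hostname: str,
                        threshold: float = 0.5) -> tuple:
    """Return (accept, reason) for one siteverify response.
    'success' only means the token/secret pair was well formed and valid;
    the v3 risk verdict is 'score', so a successful response can still be a bot."""
    if not result.get("success"):
        return False, "token invalid: " + ",".join(result.get("error-codes", []))
    if result.get("action") != expected_action:  # token was issued for a different action
        return False, "unexpected action %r" % result.get("action")
    if result.get("hostname") != expected_hostname:  # token was issued for another site
        return False, "unexpected hostname %r" % result.get("hostname")
    score = result.get("score")
    if not isinstance(score, (int, float)):
        return False, "no score in response"
    if score < threshold:
        return False, "score %.2f below threshold %.2f" % (score, threshold)
    return True, "score %.2f" % score


# Constructed sample responses in the siteverify JSON shape (not real Google output).
SAMPLE_HUMAN = {"success": True, "score": 0.9, "action": "file_upload",
                "challenge_ts": "2023-01-01T00:00:00Z", "hostname": "example.com"}
SAMPLE_BOT = {"success": True, "score": 0.1, "action": "file_upload",
              "challenge_ts": "2023-01-01T00:00:00Z", "hostname": "example.com"}
SAMPLE_BAD_TOKEN = {"success": False, "error-codes": ["invalid-input-response"]}

if __name__ == "__main__":
    for name, sample in [("human", SAMPLE_HUMAN), ("bot", SAMPLE_BOT), ("bad", SAMPLE_BAD_TOKEN)]:
        print(name, evaluate_siteverify(sample, "file_upload", "example.com"))
```

Note that SAMPLE_BOT has success == true and is still rejected, which is exactly the case the three linked examples would let through.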