The previous version of reCAPTCHA provided the option to make a global key which would work on any domain. Now, in version 2, that option is gone, and the reCAPTCHA site claims that "Global Keys are not supported in the V2 API."
I'm working with a large number of domain names that can change frequently without my intervention, and I don't want to have to add each new domain to the key.
Is there a way to get reCAPTCHA to work on any domain without specifically authorizing each one?
Are there any QPS or daily limits on my use of reCAPTCHA? If you wish to make more than 1000 calls per second or 1000000 calls per month, you must use reCAPTCHA Enterprise or fill out this form and wait for an exception approval. If a site key exceeds 1000 QPS, then some requests may not be processed.
In short, yes they can. While reCAPTCHA v2 and v3 can help limit simple bot traffic, both versions come with several problems: User experience suffers, as human users hate the image/audio recognition challenges. CAPTCHA farms and advances in AI allow cybercriminals and advanced bots to bypass reCAPTCHAs easily.
There are a few steps you can take to improve your experience:
- Make sure your browser is fully updated (see minimum browser requirements).
- Check that JavaScript is enabled in your browser.
- Try disabling plugins that might conflict with reCAPTCHA.
Logging into a Google account improves your score quite a lot, but this also means that Google learns what sites the account owner uses, both on the site with captcha and on sites with unrelated Google services, which use the fact that you are logged in. So it would be good to increase the score without logging in.
Google has been defending millions of sites with reCAPTCHA for over a decade. reCAPTCHA Enterprise is built on the existing reCAPTCHA API and it uses advanced risk analysis techniques to distinguish between humans and bots.
It is possible to implement reCAPTCHA Version 2.0 without verifying each domain: https://developers.google.com/recaptcha/docs/domain_validation
To do so, visit the admin console and click the API key in question under "Your reCAPTCHA Sites". Then under "Advanced Settings", uncheck "Verify the origin of reCAPTCHA solutions".
Per Google, doing this creates a security risk that then requires you to check the hostname yourself.
Turning off this protection by itself poses a large security risk - your key could be taken and used by anyone, as there are no restrictions as to the site it's on. For this reason, when verifying a solution, you are required to check the hostname field and reject any solutions that are coming from unexpected sources.
Related Link: (from "Stack Exchange Information Security")
- Why bother validating the hostname for a Google Recaptcha response?
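The hostname check that the answer above says becomes your responsibility, as an added example (not code from the original answer or from Google). It assumes the documented siteverify JSON fields `success`, `hostname` and `error-codes`; the allowlist arguments and the `example.com` / `example.org` names are placeholders for your own dynamic domain list.

```python
import json
import urllib.parse
import urllib.request

VERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"

def normalize_host(host):
    """Lowercase and drop a trailing dot so comparisons are exact."""
    return (host or "").strip().lower().rstrip(".")

def host_allowed(host, exact_hosts, parent_domains=()):
    """True if host is listed exactly or falls under a listed parent domain."""
    host = normalize_host(host)
    if not host:
        return False
    if host in {normalize_host(h) for h in exact_hosts}:
        return True
    # Match on a label boundary: "shop.example.com" is under "example.com",
    # but "notexample.com" and "example.com.other.test" are not.
    parents = [normalize_host(p) for p in parent_domains]
    return any(host == p or host.endswith("." + p) for p in parents if p)

def check_verification(result, exact_hosts, parent_domains=()):
    """Return (accepted, reason) for a parsed siteverify JSON response."""
    if result.get("success") is not True:
        return False, "siteverify reported failure: %s" % result.get("error-codes", [])
    if not host_allowed(result.get("hostname"), exact_hosts, parent_domains):
        return False, "unexpected hostname: %r" % result.get("hostname")
    return True, "ok"

def verify_token(secret, token, exact_hosts, parent_domains=()):
    """POST the token to siteverify, then apply the hostname check."""
    body = urllib.parse.urlencode({"secret": secret, "response": token}).encode()
    with urllib.request.urlopen(VERIFY_URL, data=body, timeout=5) as resp:
        return check_verification(json.load(resp), exact_hosts, parent_domains)

# Constructed sample responses (not real siteverify output).
SAMPLES = [
    {"success": True, "hostname": "Shop.Example.com."},
    {"success": True, "hostname": "notexample.com"},
    {"success": True, "hostname": "example.com.other.test"},
    {"success": False, "error-codes": ["invalid-input-response"]},
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s.get("hostname"), check_verification(s, ["example.org"], ["example.com"]))
```

Load the allowlist from wherever your current set of domains is stored, so new domains are accepted without touching the reCAPTCHA key while solutions issued for any other site are rejected.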