How does Google's reCAPTCHA v3 work?

javascript recaptcha verification spam-prevention invisible-recaptcha
Chong Lip Phang picture Chong Lip Phang · Jul 4, 2018 · Viewed 17k times · Source

Google has rolled out reCAPTCHA v3. It does away with all user the friction. I wish to use it to secure my site. However, I am unsure about how this is going to protect my site. What if a hacker spams the URLs on my site with an external tool without using the interface I provide? How is reCAPTCHA v3 going to stop that?

Answer

Jonas Wilms picture Jonas Wilms · Jul 4, 2018

How is reCAPTCHA v3 going to stop [Spam] ?

There are various heuristics which can be used to detect automated systems, such as the number of requests coming from a certain IP, browser fingerprinting, Google account cookies, among many others. Google seems to use some of them. If uncertain, a challenge gets shown.

What if a hacker spams the URLs on my site with an external tool without using the interface I provide?

Google generates a token for the client when they pass the checks which you have to validate on the serverside. If someone doesn't pass the CAPTCHA (a robot), they do not have a token.

Related questions

How can I validate google reCAPTCHA v2 using javascript/jQuery?

I have a simple contact form in aspx. I want to validate the reCaptcha (client-side) before submitting the form. Please help. Sample code: <%@ Page Language="VB" AutoEventWireup="false" CodeFile="Default2.aspx.vb" Inherits="Default2" %> <!DOCTYPE html> &…

Read More
How to Reload ReCaptcha using JavaScript?

I have a signup form with AJAX so that I want to refresh Recaptcha image anytime an error is occured (i.e. username already in use). I am looking for a code compatible with ReCaptcha to reload it using JavaScript.

Read More
How to hide the Google Invisible reCAPTCHA badge

When implementing the new Google Invisible reCATPTCHA, by default you get a little "protected by reCAPTCHA" badge in the bottom right of the screen that pops out when you roll over it. I'd like to hide this.

Read More