Configuring Google reCAPTCHA v3
Most of the publicly accessible websites have forms. They can be a contact form, a form for submitting shipping details, or a form for publishing comments. All of them usually don’t require user registration and are publicly available. For the user it’s just a way of contacting a support team or arrange of delivery of goods while for the application it’s data which it should process and it should be clean of any junk. Malformed data usually is generated by bots which are scripts that can crawl web applications and fill in forms. As an owner of a website you probably don’t want something like a bot to submit random data and compromise your users' data, statistics, etc. Luckily there are different ways of protection from unauthorized form submission. One of them is Google reCAPTCHA. It has several versions. The v2 is a checkbox with a text ‘I’m not a robot’ which a user should tick to complete the challenge. It expects user interaction and detects mouse movement within the box surrounding the checkbox. In this article we are going to look at reCAPTCHA v3 which can detect abusive traffic without user interaction such as ticking a checkbox. It returns a score based on which application can perform an appropriate action. In the first part of this article we’ll take a look at how to configure reCAPTCHA v3 using the admin console and in the second part we’re going to create a simple web application that contains one form using .NET Core 3.0 and uses Google ReCaptcha to filter out suspicious requests.
For configuring reCAPTCHA you’ll need a google account. I assume that you have one already. So our next step is to go to https://www.google.com/recaptcha where you can find “Admin console” button in the right top corner. If you already signed into your Google account you’ll be redirected to the “Register a new site” page straight away.
There you need to fill in “Label” which is basically a name for the configuration. Then in “reCAPTCHA” section select “reCAPTCHA v3” which uses scores to verify requests. After specifying the type of captcha you need to add a domain name that this captcha is bound to. Lastly we accept ToS and hit Submit button.
You’ll be redirected to the next page with the Site key and Secret key. We’ll need these keys in our application to establish communication between Google reCAPTCHA and our web form.
That’s pretty much it. The registration doesn’t take long. Next time we are going to write a web application that will use reCAPTCHA to protect our form.
