2016-05-16 15:17:17 +00:00
[[_recaptcha]]
2016-06-02 18:59:58 +00:00
==== reCAPTCHA Support
2016-05-16 15:17:17 +00:00
2017-08-28 12:50:14 +00:00
To safeguard registration against bots, {project_name} has integration with Google reCAPTCHA.
2016-05-16 15:17:17 +00:00
To enable this you need to first go to link:https://developers.google.com/recaptcha/[Google Recaptcha Website]
2016-06-02 18:59:58 +00:00
and create an API key so that you can get your reCAPTCHA site key and secret.
2016-12-01 22:17:15 +00:00
(FYI, localhost works by default so you don't have to specify a domain).
2016-05-16 15:17:17 +00:00
2017-08-28 12:50:14 +00:00
Next, there are a few steps you need to perform in the {project_name} Admin Console.
2016-06-02 18:59:58 +00:00
Click the `Authentication` left menu item and go to the `Flows` tab. Select the `Registration` flow from the drop down
2016-05-16 15:17:17 +00:00
list on this page.
.Registration Flow
2017-08-28 12:50:14 +00:00
image:{project_images}/registration-flow.png[]
2016-05-16 15:17:17 +00:00
2016-06-02 18:59:58 +00:00
Set the 'reCAPTCHA' requirement to `Required` by clicking the appropriate radio button. This will enable
reCAPTCHA on the screen. Next, you have to enter in the reCAPTCHA site key and secret that you generated at the Google reCAPTCHA Website.
2016-12-01 22:17:15 +00:00
Click on the 'Actions' button that is to the right of the reCAPTCHA flow entry, then "Config" link, and enter in the reCAPTCHA site key and secret on this config page.
2016-05-16 15:17:17 +00:00
.Recaptcha Config Page
2017-08-28 12:50:14 +00:00
image:{project_images}/recaptcha-config.png[]
2016-05-16 15:17:17 +00:00
2017-08-28 12:50:14 +00:00
The final step you have to do is to change some default HTTP response headers that {project_name} sets. {project_name}
2016-06-02 18:59:58 +00:00
will prevent a website from including any login page within an iframe. This is to prevent clickjacking attacks. You need to
2016-05-16 15:17:17 +00:00
authorize Google to use the registration page within an iframe. Go to
2016-06-02 18:59:58 +00:00
the `Realm Settings` left menu item and then go to the `Security Defenses` tab. You will need to add `https://www.google.com` to the
values of both the `X-Frame-Options` and `Content-Security-Policy` headers.
2016-05-16 15:17:17 +00:00
.Authorizing Iframes
2017-08-28 12:50:14 +00:00
image:{project_images}/security-headers.png[]
2016-05-16 15:17:17 +00:00
2016-06-02 18:59:58 +00:00
Once you do this, reCAPTCHA should show up on your registration page. You may want to edit _register.ftl_ in your login
2017-08-28 12:50:14 +00:00
theme to muck around with the placement and styling of the reCAPTCHA button. See the link:{developerguide_link}[{developerguide_name}]
2016-05-16 15:17:17 +00:00
for more information on extending and creating themes.