Nona Urbiz

Reputation: 5013

POST privatekey to reCAPTCHA API

I am implementing the reCAPTCHA AJAX API as described here. The documentation says that the privatekey must be POSTed to the verification URL.

Can someone explain why it is acceptable to be POSTing a private key? It seems like this would be a security issue? In fact, how is it acceptable to have the privatekey in a client side script at all?

Upvotes: 2

Views: 588

Answers (1)

The Scrum Meister

Reputation: 30111

The POST should be coming from your server, not the client.

  • Client sends a post with the challenge & attempted answer to your server.
  • Your server makes an HTTP call to reCAPTCHA with the remoteip, challenge, attempted answer and the private key.
  • If the response from reCAPTCHA = true, then proceed, for example, submit the data to the database.
  • If the response from reCAPTCHA = false, display an error message, optionally showing a new challenge.

Upvotes: 2
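The four-step flow in the answer above, written out as server-side code. This is an added example, not code from the question, the answer, or the reCAPTCHA project. It assumes: the private key lives in a server environment variable (`RECAPTCHA_PRIVATE_KEY`, a name chosen here); the browser posts its challenge and answer to the application under the field names `recaptcha_challenge_field` / `recaptcha_response_field` (assumed names); the verification endpoint is a placeholder URL, since the page only says "the verification URL"; and the verifier answers with a body whose first line is `true` or `false`, with an error code on a second line when false (assumed format). The outbound HTTP call is injected as a function so the flow can be exercised offline with a constructed fake verifier, and the browser never sees the key at any point.

```python
import os
import urllib.parse
import urllib.request
from typing import Callable, Dict, Optional, Tuple

# Placeholder for "the verification URL" in the question; not the real endpoint.
VERIFY_URL = "https://recaptcha.example/verify"

# Type of the outbound transport: POST form fields to a URL, return the body text.
Transport = Callable[[str, Dict[str, str]], str]


def verify_recaptcha(remoteip: str, challenge: str, answer: str,
                     post: Transport,
                     private_key: Optional[str] = None) -> Tuple[bool, str]:
    """Step 2 of the answer: the server, not the browser, calls reCAPTCHA.

    The private key comes from the server's own configuration (assumed env var
    RECAPTCHA_PRIVATE_KEY) and is sent only on this server -> reCAPTCHA leg.
    Returns (ok, error_code); error_code is "" on success.
    """
    key = private_key or os.environ.get("RECAPTCHA_PRIVATE_KEY")
    if not key:
        raise RuntimeError("RECAPTCHA_PRIVATE_KEY is not configured on the server")
    if not challenge or not answer:
        # Nothing to verify; treat a missing challenge or answer as a failure
        # rather than skipping the check (constructed error code).
        return False, "incorrect-captcha-sol"

    body = post(VERIFY_URL, {
        "privatekey": key,        # secret; never placed in client-side script
        "remoteip": remoteip,     # the browser's address as seen by our server
        "challenge": challenge,   # relayed from the client's POST
        "response": answer,       # the user's attempted answer
    })

    # Assumed response format: first line "true"/"false", optional error code after.
    lines = [ln.strip() for ln in body.strip().splitlines()]
    ok = bool(lines) and lines[0].lower() == "true"
    if ok:
        return True, ""
    return False, lines[1] if len(lines) > 1 else "invalid-response"


def handle_form_submission(client_post: Dict[str, str], remoteip: str,
                           post: Transport,
                           private_key: Optional[str] = None) -> Dict[str, object]:
    """Step 1, 3 and 4: what the application endpoint does with the browser's POST.

    The client only ever sends the challenge and its answer; the decision to
    accept the submission is made here after the server-side verification.
    """
    ok, err = verify_recaptcha(
        remoteip,
        client_post.get("recaptcha_challenge_field", ""),  # assumed field name
        client_post.get("recaptcha_response_field", ""),   # assumed field name
        post, private_key,
    )
    if ok:
        return {"status": "accepted"}  # proceed, e.g. write the data to the database
    # Reject and tell the client to render a fresh challenge.
    return {"status": "rejected", "error": err, "new_challenge": True}


def http_post_form(url: str, fields: Dict[str, str]) -> str:
    """Real transport using only the standard library (not used in the offline demo)."""
    data = urllib.parse.urlencode(fields).encode()
    with urllib.request.urlopen(url, data=data, timeout=10) as resp:
        return resp.read().decode()


def fake_verifier(url: str, fields: Dict[str, str]) -> str:
    """Constructed stand-in for reCAPTCHA so the flow runs offline.

    It checks that the key arrived on the server-side leg and accepts exactly
    one constructed answer.
    """
    assert fields.get("privatekey"), "private key must be present on the server->verifier call"
    if fields["response"] == "correct words":
        return "true\n"
    return "false\nincorrect-captcha-sol"


if __name__ == "__main__":
    # Constructed browser POST and client address; the key is supplied directly
    # here instead of via the environment so the demo is self-contained.
    browser_post = {"recaptcha_challenge_field": "challenge-abc123",
                    "recaptcha_response_field": "correct words"}
    print(handle_form_submission(browser_post, "203.0.113.5", fake_verifier, private_key="demo-key"))
    browser_post["recaptcha_response_field"] = "wrong guess"
    print(handle_form_submission(browser_post, "203.0.113.5", fake_verifier, private_key="demo-key"))
```

To use it for real, swap `fake_verifier` for `http_post_form`, point `VERIFY_URL` at the actual verification URL from the documentation, and set `RECAPTCHA_PRIVATE_KEY` in the server's environment; the only code that references the key runs inside `verify_recaptcha`, so nothing served to the browser can contain it.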
