If you want to protect your website from malicious bot attacks Google reCAPTCHA is a good option which allows only legitimate user to perform website activities. Google Re-captcha has risk analysis engine which will constantly monitors your website, learns using machine learning process and prevents malicious attacks.
As per google 5 million websites are using google re-captcha mechanism!
We are only going to focus on reCAPTCHA Enterprise as it is going to be the future and recommended solution with lot of advantage over others.
In the traditional method, potentially malicious requests were blocked with a captcha challenge. reCAPTCHA V1 provided a text-based challenge while reCAPTCHA V2 is using an image-based challenge. The current image captcha challenge is blocking the user’s experience and therefore, we can use reCAPTCHA Enterprise to protect our web pages but maintain a frictionless customer experience.
<head>
<script src="https://www.google.com/recaptcha/enterprise.js?render=site_key"></script>
.....
</head>
function onClick(e) {
e.preventDefault();
grecaptcha.enterprise.ready(async () => {
const token = await grecaptcha.enterprise.execute('site_key', {action: 'LOGIN'});
// See https://cloud.google.com/recaptcha-enterprise/docs/create-assessment
});
}
From the above snippet, it is understood that when someone clicks on the login button the binded function OnClick() will be invoked
The
grecaptcha.enterprise.ready
function will ensure execute function is getting called on time (or correctly !) and it returns a token back to the browser
The token payload sample will looks like
“03AGdBq27tvcDrfiRuxQnyKs-SarXVzPODXLlpiwNsLqdm9BSQQRtxhkD-Wv6l2vBSnL_JQd80FZp3IeeF..”
Once the token is generated you should pass this token back to your backend server logic for further validation with Google API.This API is called “Assessment” API
Please read through the Link
In a nutshell, if you check below backend JAVA program as an example, it calls an Assessment API passing the token to the API as payload.
The result from Google Validation has action response which is
response.getTokenProperties().getAction());
which should match with ‘LOGIN’ in our case and If it passes then it will give further details of RISK score with 1.0 being a likely good interaction and 0.0 being a likely abusive action.You can take an action based on the score ( Custom action!!) and also it will give classification reason of the token request.
A sample Response Payload :
Please visit below link for more details: https://cloud.google.com/recaptcha-enterprise/docs/interpret-assessment Image Credit : Google
Let us proceed to next verification method>
grecaptcha.enterprise.ready(async () => {
const token = await grecaptcha.enterprise.execute('site_key', {action: 'homepage'});
// IMPORTANT: The 'token' that results from execute is an encrypted response sent by
// reCAPTCHA Enterprise to the end user's browser.
// This token must be validated by creating an assessment.
// See https://cloud.google.com/recaptcha-enterprise/docs/create-assessment
});
<button class="g-recaptcha" data-sitekey="site_key" data-callback='onSubmit'
data-action='submit'>Submit</button>
<script>
function onSubmit(token) {
}
</script>
Please note that there is much more into this that includes tuning the learning mechanism of google reCAPTCHA as per your needs which is called “Annotate Assessment”.
https://cloud.google.com/recaptcha-enterprise/docs/annotate-assessment