Captcha providers
Configure captcha verification with reCAPTCHA, hCaptcha, or Cloudflare Turnstile.
rCTF can verify sensitive actions with reCAPTCHA, hCaptcha, or Cloudflare Turnstile.
Configuration
Choose a provider, then list the actions that should require it.
captcha: provider: name: captcha/turnstile options: siteKey: your-site-key secretKey: your-secret-key protectedEndpoints: - register - recoverProtected endpoints
The protectedEndpoints array controls which actions require captcha verification:
| Action | Description |
|---|---|
register |
New account registration |
recover |
Account recovery via email |
setEmail |
Changing account email |
instancerStart |
Starting a challenge instance |
instancerExtend |
Extending a challenge instance lifetime |
avatarUpload |
Uploading a team avatar |
adminBotSubmit |
Submitting a job to the admin bot |
Actions not listed in protectedEndpoints do not require captcha.
Note
Registration and recovery remain rate limited by client IP and destination email, even when captcha is enabled.
Providers
Google reCAPTCHA v2 Invisible. The frontend renders the widget with size: 'invisible' and verifies the response against https://www.google.com/recaptcha/api/siteverify.
captcha: provider: name: captcha/recaptcha options: siteKey: your-site-key secretKey: your-secret-key| Option | Environment Variable | Description |
|---|---|---|
siteKey |
RCTF_RECAPTCHA_SITE_KEY |
reCAPTCHA site key |
secretKey |
RCTF_RECAPTCHA_SECRET_KEY |
reCAPTCHA secret key |
hCaptcha verification.
captcha: provider: name: captcha/hcaptcha options: siteKey: your-site-key secretKey: your-secret-key| Option | Environment Variable | Description |
|---|---|---|
siteKey |
RCTF_HCAPTCHA_SITE_KEY |
hCaptcha site key |
secretKey |
RCTF_HCAPTCHA_SECRET_KEY |
hCaptcha secret key |
Cloudflare Turnstile verification.
captcha: provider: name: captcha/turnstile options: siteKey: your-site-key secretKey: your-secret-key| Option | Environment Variable | Description |
|---|---|---|
siteKey |
RCTF_TURNSTILE_SITE_KEY |
Turnstile site key |
secretKey |
RCTF_TURNSTILE_SECRET_KEY |
Turnstile secret key |
Migrating from v1
rCTF converts the v1 recaptcha block at startup, but new configuration should use the provider format:
recaptcha: siteKey: your-site-key secretKey: your-secret-key protectedActions: - registercaptcha: provider: name: captcha/recaptcha options: siteKey: your-site-key secretKey: your-secret-key protectedEndpoints: - register