Captcha providers

Configure captcha verification with reCAPTCHA, hCaptcha, or Cloudflare Turnstile.

Edit this page View Markdown

rCTF can verify sensitive actions with reCAPTCHA, hCaptcha, or Cloudflare Turnstile.

Configuration

Choose a provider, then list the actions that should require it.

captcha:
provider:
name: captcha/turnstile
options:
siteKey: your-site-key
secretKey: your-secret-key
protectedEndpoints:
- register
- recover

Protected endpoints

The protectedEndpoints array controls which actions require captcha verification:

Action Description
register New account registration
recover Account recovery via email
setEmail Changing account email
instancerStart Starting a challenge instance
instancerExtend Extending a challenge instance lifetime
avatarUpload Uploading a team avatar
adminBotSubmit Submitting a job to the admin bot

Actions not listed in protectedEndpoints do not require captcha.

Note

Registration and recovery remain rate limited by client IP and destination email, even when captcha is enabled.

Providers

Google reCAPTCHA v2 Invisible. The frontend renders the widget with size: 'invisible' and verifies the response against https://www.google.com/recaptcha/api/siteverify.

captcha:
provider:
name: captcha/recaptcha
options:
siteKey: your-site-key
secretKey: your-secret-key
Option Environment Variable Description
siteKey RCTF_RECAPTCHA_SITE_KEY reCAPTCHA site key
secretKey RCTF_RECAPTCHA_SECRET_KEY reCAPTCHA secret key

Migrating from v1

rCTF converts the v1 recaptcha block at startup, but new configuration should use the provider format:

recaptcha:
siteKey: your-site-key
secretKey: your-secret-key
protectedActions:
- register

Type to search.