CAPTCHA (Completely Automated Public Turing Test To Tell Computers and Humans Apart) and ReCAPTCHA are two human validation systems designed to prevent spam. They block spam bots while allowing your human users access to your site. You’ve likely seen them around the Internet on sites requiring you to log in.

CAPTCHA is a technique to distinguish between humans and computers. It is mainly used as a security check that lets only human users through by asking the user to complete a math equation such as addition, subtraction, or multiplication. The equation can be presented using numbers, letters, or images, giving bots no chance to slip in.

ReCAPTCHA is a system similar to CAPTCHA that also serves to protect the website and - at the same time - assists in the digitization of books. It supports two versions: v2 and v3. In v2, users are challenged to enter some words or digits from an image. In v3, users are directed to mark the checkbox “I’m not a robot”. This generates a probability score based on your users' interactions with your site to determine whether or not the request is from a bot.

These two functions help enhance the security of your environment by reducing the risk of bot attacks. Although not required, Fonteva strongly recommends enabling one of these two functions to prevent potential security threats. You will first need to configure Remote Site Settings and CSP Site Settings to enable CAPTCHA and ReCAPTCHA for your Community Portal.

If you enable reCAPTCHA, you will need to update your Privacy Policy and your cookies to identify the use of reCAPTCHA in order to meet GDPR requirements. You can reference this page for information on what you will need to do.

Remote Site Settings For ReCAPTCHA:

If your organization uses a custom domain and not the standard force.com domain, you will need to submit a case with Fonteva Customer Support to enable your domain for reCAPTCHA.

You will need to set up a Remote Site Setting to enable ReCAPTCHA.

Navigate to Setup and type Remote Site Settings in the Quick Find search bar.

Select Remote Site Settings from the generated results in the sidebar. The Remote Site Settings page will open.

Click New Remote Site to begin. The Remote Site Edit page will open.

Enter ReCAPTCHA as your Remote Site Name, and paste https://www.google.com for your ReCAPTCHA site in the Remote Site URL field.

Click Save.

CSP Site Settings:

You will need to create CSP Site Settings for both CAPTCHA and ReCAPTCHA.

Navigate to Setup and type All Sites in the Quick Find search bar.

Select All Sites from the generated results in the sidebar. The All Sites page will open.

Click the Builder link for your Community Portal. The Builder will open in a new tab.

Click the gear icon to open Settings. Click Security.

Scroll down to the Content Security Policy (CSP) section.

Under Script Security Level, there is a picklist for you to select a security level for your Community. This controls whether scripts can be executed from your Community Portal and if components can share data. You have the following options with varying levels of security:

  • Strict CSP: Block Inline Scripts and Script Access to All Third-party Hosts: This is the default setting for Communities created in Salesforce Spring '19 (February 2019) and later. This security level provides the maximum security. It blocks the execution of all inline scripts and all requests for remote JavaScript files. It allows the display of non-script resources (for example: images) from third-party hosts that are explicitly whitelisted. Lightning Locker is turned on for this setting.

  • Allow Inline Scripts and Script Access to Whitelisted Third-Party Hosts: This security level provides moderate security for Communities. It will allow inline scripts to run in your Community, the loading of remote JavaScript files, and the display of non-script resources (for example, images) from third-party hosts that are explicitly whitelisted. You will also have the option to turn off Lightning Locker. This option is recommended by Fonteva for your Community Portal.

  • Allow Inline Scripts and Script Access to Any Third-party Host: This security level provides no added security, but enables your Community to work as currently designed. It will block nothing and allow access to all third-party hosts without the need for whitelisting. Lightning Locker is turned on.

Select your security level and locate the Trusted Sites for Scripts section. Click + Add Trusted Site. The Add Trusted Site window will open.

Type a Name and paste a URL for either your CAPTCHA or ReCAPTCHA site.

For ReCAPTCHA, use https://www.google.com.

For CAPTCHA, use https://www.gstatic.com

Ensure Active is checked and click Add Site. The site will get added under Trusted Sites.

Repeat these steps for the remaining CAPTCHA or ReCAPTCHA site.
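To confirm the Script Security Level and Trusted Sites took effect, you can inspect the Content-Security-Policy response header your portal serves. The following is an added example, not Fonteva or Salesforce code: it parses a CSP header value and reports whether the two script hosts named above are allowed, whether inline scripts are permitted, and whether the policy is open to any host. The sample header is constructed, and how each picklist option appears in the header is an assumption.

```python
from urllib.parse import urlsplit

# Script hosts the page says to add under Trusted Sites for Scripts.
REQUIRED = ("https://www.google.com", "https://www.gstatic.com")

def parse_csp(header):
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        # Per the CSP spec, a repeated directive is ignored after its first use.
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def source_allows(source, url):
    """True if one CSP source expression permits loading a script from url."""
    target = urlsplit(url)
    if source == "*":
        return True
    if source.endswith(":") and "//" not in source:   # scheme-source, e.g. https:
        return source[:-1].lower() == target.scheme
    scheme, _, host = source.rpartition("://")
    host = host.split("/")[0].lower()
    if scheme and scheme.lower() != target.scheme:
        return False
    if host.startswith("*."):                          # wildcard subdomain
        return target.hostname.endswith(host[1:])
    return host == target.hostname

def audit(header):
    """Report what a portal's CSP header means for the CAPTCHA scripts."""
    policy = parse_csp(header)
    if "script-src" in policy:
        sources = policy["script-src"]
    elif "default-src" in policy:
        sources = policy["default-src"]
    else:
        sources = ["*", "'unsafe-inline'"]  # nothing restricts scripts at all
    hosts = [s for s in sources if not s.startswith("'")]
    return {
        "inline_scripts": "'unsafe-inline'" in sources,
        "missing_hosts": [u for u in REQUIRED
                          if not any(source_allows(s, u) for s in hosts)],
        "overly_broad": [s for s in hosts if s in ("*", "https:", "http:")],
    }

# Constructed sample header (not captured from a real portal).
SAMPLE = ("default-src 'self'; script-src 'self' 'unsafe-inline' "
          "https://www.google.com https://www.gstatic.com")
```

Pass `audit()` the header value returned by your own portal; an empty `missing_hosts` and an empty `overly_broad` correspond to the whitelisted-hosts level with both sites added.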

Enable CAPTCHA For Community Portal

As a final step to enable CAPTCHA, you need to check the Enable Captcha field on your Community Portal record.

Navigate to your Community Portal record and click Edit. The Edit Community Site window will open.

Check Enable Captcha. CAPTCHA and ReCAPTCHA will now be live and active on your Community Portal.