Fonteva strongly recommends using reCAPTCHA, a free Google service that can help protect your Fonteva communities from malicious activities. When enabled, your Fonteva instance uses a default reCAPTCHA account where you can view aggregate traffic metrics across all Fonteva customers using the default account.

Before You Begin

If you plan to Create a reCAPTCHA Account, you must complete that step before proceeding.

If your org uses the domain, you have the option to create a reCAPTCHA account for your association. Fonteva customers using a custom domain must create a reCAPTCHA account before enabling reCAPTCHA in Fonteva.

Warning: If your org uses a custom domain instead of the default domain, you must create a reCAPTCHA account for your association before enabling reCAPTCHA. Refer to Create a reCAPTCHA Account for instructions.

Step 1: Configure Remote Site Settings

Register in your org to enable your site to communicate with the reCAPTCHA service.

  1. Go to Setup > Remote Site Settings, then select New Remote Site. The Remote Site Edit screen opens.

  2. In Remote Site Name, enter reCAPTCHA.

  3. In Remote Site URL, enter Google .

  4. (Optional) Enter a Description to detail the purpose of this remote site setting.

  5. Select Save.

Step 2: Configure Content Security Policy (CSP) Site Settings

Content Security Policy (CSP) is a security standard that prevents scripts from running on your site. The policy setting you select determines what types of scripts can be run in your community. Scripts will be enabled for any websites you add as Trusted Sites.

  1. Go to Setup > All Sites.

  2. Select Builder next to the appropriate community. The Builder utility opens in a new browser tab.

  3. Select Settings (gear icon) > Security & Privacy.


  4. In the Content Security Policy (CSP) section, Security Level field, select your desired site security level.

    1. Strict CSP: Block Access to Inline Scripts and Allowed Hosts. This option provides the maximum security available, blocking execution of all inline scripts and all requests for remote JavaScript files. Non-script resources (for example: images) from whitelisted third-party hosts can be displayed. Lightning Locker is enabled by default when using Strict CSP.

    2. Relaxed CSP: Permit Access to Inline Scripts and Allowed Hosts. This is the recommended setting for communities. This option provides moderate security for communities, allowing inline scripts to run and remote JavaScript fields to load. Non-script resources from whitelisted third-party hosts can be displayed. You can also disable Lightning Locker.

  5. In the Trusted Sites for Scripts section, select +Add Trusted Site. The Add Trusted Site modal opens.

    1. In Name, enter reCAPTCHA.

    2. In URL, enter

    3. Select Active, then select Add Site.

  6. Select +Add Trusted Site.

    1. In Name, enter CAPTCHA.

    2. In URL, enter

    3. Select Active, then select Add Site.

  7. Confirm both sites are now listed in the Trusted Sites for Scripts list, then close the browser tab.

Step 3: Configure Your Community Portal

Enable CAPTCHA for your active communities as needed.

  1. Go to App Launcher > Community Sites.

  2. In the Community Site Name column, select the appropriate community record.

  3. In the Login section, Enable Captcha checkbox, select the pencil icon. The record enters edit mode.

  4. Select Enable Captcha, then select Save.


  5. Repeat steps 2 - 4 for each community where you want to use reCAPTCHA.