gitlab-org--gitlab-foss/doc/integration/recaptcha.md

---
stage: none
group: unassigned
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#designated-technical-writers
---

# reCAPTCHA

GitLab leverages [Google's reCAPTCHA](https://www.google.com/recaptcha/about/)
to protect against spam and abuse. GitLab displays the CAPTCHA form on the sign-up page
to confirm that a real user, not a bot, is attempting to create an account.

## Configuration

To use reCAPTCHA, first you must create a site and private key.

1. Go to the URL: <https://www.google.com/recaptcha/admin>.
1. Fill out the form necessary to obtain reCAPTCHA v2 keys.
1. Log in to your GitLab server, with administrator credentials.
1. Go to Reporting Applications Settings in the Admin Area (`admin/application_settings/reporting`).
1. Fill all reCAPTCHA fields with keys from previous steps.
1. Check the `Enable reCAPTCHA` checkbox.
1. Save the configuration.
1. Change the first line of the `#execute` method in `app/services/spam/spam_verdict_service.rb`
   to `return CONDITONAL_ALLOW` so that the spam check short-circuits and triggers the response to
   return `recaptcha_html`.

NOTE: **Note:**
Make sure you are viewing an issuable in a project that is public, and if you're working with an issue, the issue is public.

## Enabling reCAPTCHA for user logins via passwords

By default, reCAPTCHA is only enabled for user registrations. To enable it for
user logins via passwords, the `X-GitLab-Show-Login-Captcha` HTTP header must
be set. For example, in NGINX, this can be done via the `proxy_set_header`
configuration variable:

```nginx
proxy_set_header X-GitLab-Show-Login-Captcha 1;
```

In Omnibus GitLab, this can be configured via `/etc/gitlab/gitlab.rb`:

```ruby
nginx['proxy_set_headers'] = { 'X-GitLab-Show-Login-Captcha' => '1' }
```
Add latest changes from gitlab-org/gitlab@master 2020-10-29 15:09:12 +00:00			`---`
			`stage: none`
			`group: unassigned`
			`info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#designated-technical-writers`
			`---`

Add documentation for using reCAPTCHA 2015-12-28 04:36:33 +00:00			`# reCAPTCHA`

Add latest changes from gitlab-org/gitlab@master 2020-08-06 15:09:42 +00:00			`GitLab leverages [Google's reCAPTCHA](https://www.google.com/recaptcha/about/)`
Add documentation for using reCAPTCHA 2015-12-28 04:36:33 +00:00			`to protect against spam and abuse. GitLab displays the CAPTCHA form on the sign-up page`
			`to confirm that a real user, not a bot, is attempting to create an account.`

			`## Configuration`

reCAPTCHA is configurable through Admin Settings, no reload needed. 2015-12-28 20:21:34 +00:00			`To use reCAPTCHA, first you must create a site and private key.`
Add documentation for using reCAPTCHA 2015-12-28 04:36:33 +00:00
Resolve Markdown ordered lists not conforming to styleguide 2018-11-13 00:39:21 +00:00			`1. Go to the URL: <https://www.google.com/recaptcha/admin>.`
Update recaptcha docs for clarity * Specified that reCAPTCHA v2 keys must be used * Updated the URL for application settings * Some small rewording 2018-12-07 21:47:34 +00:00			`1. Fill out the form necessary to obtain reCAPTCHA v2 keys.`
			`1. Log in to your GitLab server, with administrator credentials.`
			1. Go to Reporting Applications Settings in the Admin Area (`admin/application_settings/reporting`).
Add latest changes from gitlab-org/gitlab@master 2019-09-30 06:06:02 +00:00			`1. Fill all reCAPTCHA fields with keys from previous steps.`
Resolve Markdown ordered lists not conforming to styleguide 2018-11-13 00:39:21 +00:00			1. Check the `Enable reCAPTCHA` checkbox.
			`1. Save the configuration.`
Add latest changes from gitlab-org/gitlab@master 2020-07-13 12:09:18 +00:00			1. Change the first line of the `#execute` method in `app/services/spam/spam_verdict_service.rb`
			to `return CONDITONAL_ALLOW` so that the spam check short-circuits and triggers the response to
			return `recaptcha_html`.

			`NOTE: Note:`
			`Make sure you are viewing an issuable in a project that is public, and if you're working with an issue, the issue is public.`
Show a reCAPTCHA on signin page if custom header is set This will only be displayed if `X-GitLab-Show-Login-Captcha` is set as an HTTP header. 2018-06-21 18:13:08 +00:00
			`## Enabling reCAPTCHA for user logins via passwords`

			`By default, reCAPTCHA is only enabled for user registrations. To enable it for`
			user logins via passwords, the `X-GitLab-Show-Login-Captcha` HTTP header must
			be set. For example, in NGINX, this can be done via the `proxy_set_header`
			`configuration variable:`

Add latest changes from gitlab-org/gitlab@master 2020-03-25 06:07:58 +00:00			```nginx
Show a reCAPTCHA on signin page if custom header is set This will only be displayed if `X-GitLab-Show-Login-Captcha` is set as an HTTP header. 2018-06-21 18:13:08 +00:00			`proxy_set_header X-GitLab-Show-Login-Captcha 1;`
			```

Add latest changes from gitlab-org/gitlab@master 2020-04-30 03:09:32 +00:00			In Omnibus GitLab, this can be configured via `/etc/gitlab/gitlab.rb`:
Show a reCAPTCHA on signin page if custom header is set This will only be displayed if `X-GitLab-Show-Login-Captcha` is set as an HTTP header. 2018-06-21 18:13:08 +00:00
			```ruby
Add latest changes from gitlab-org/gitlab@master 2020-07-28 12:09:49 +00:00			`nginx['proxy_set_headers'] = { 'X-GitLab-Show-Login-Captcha' => '1' }`
Show a reCAPTCHA on signin page if custom header is set This will only be displayed if `X-GitLab-Show-Login-Captcha` is set as an HTTP header. 2018-06-21 18:13:08 +00:00			```