gitlab-org--gitlab-foss/doc/integration/recaptcha.md

---
stage: Ecosystem
group: Integrations
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
---

# reCAPTCHA **(FREE SELF)**

GitLab leverages [Google's reCAPTCHA](https://www.google.com/recaptcha/about/)
to protect against spam and abuse. GitLab displays the CAPTCHA form on the sign-up page
to confirm that a real user, not a bot, is attempting to create an account.

## Configuration

To use reCAPTCHA, first create a site and private key.

1. Go to the [Google reCAPTCHA page](https://www.google.com/recaptcha/admin).
1. To get reCAPTCHA v2 keys, fill in the form and select **Submit**.
1. Sign in to your GitLab server as an administrator.
1. On the top bar, select **Menu > Admin**.
1. On the left sidebar, select **Settings > Reporting** (`admin/application_settings/reporting`).
1. Expand **Spam and Anti-bot Protection**.
1. In the reCAPTCHA fields, enter the keys you obtained in the previous steps.
1. Select the **Enable reCAPTCHA** checkbox.
1. To enable reCAPTCHA for logins via password, select the **Enable reCAPTCHA for login** checkbox.
1. Select **Save changes**.
1. To short-circuit the spam check and trigger the response to return `recaptcha_html`:
   1. Open `app/services/spam/spam_verdict_service.rb`.
   1. Change the first line of the `#execute` method to `return CONDITIONAL_ALLOW`.

NOTE:
Make sure you are viewing an issuable in a project that is public. If you're working with an issue, the issue is public.

## Enable reCAPTCHA for user logins using the HTTP header

You can enable reCAPTCHA for user logins via password [in the user interface](#configuration)
or by setting the `X-GitLab-Show-Login-Captcha` HTTP header.
For example, in NGINX, this can be done via the `proxy_set_header`
configuration variable:

```nginx
proxy_set_header X-GitLab-Show-Login-Captcha 1;
```

In Omnibus GitLab, this can be configured via `/etc/gitlab/gitlab.rb`:

```ruby
nginx['proxy_set_headers'] = { 'X-GitLab-Show-Login-Captcha' => '1' }
```
Add latest changes from gitlab-org/gitlab@master 2020-10-29 11:09:12 -04:00			`---`
Add latest changes from gitlab-org/gitlab@master 2021-08-02 11:08:56 -04:00			`stage: Ecosystem`
			`group: Integrations`
Add latest changes from gitlab-org/gitlab@master 2020-11-26 01:09:20 -05:00			`info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments`
Add latest changes from gitlab-org/gitlab@master 2020-10-29 11:09:12 -04:00			`---`

Add latest changes from gitlab-org/gitlab@master 2021-09-28 05:11:19 -04:00			`# reCAPTCHA (FREE SELF)`
Add documentation for using reCAPTCHA 2015-12-27 23:36:33 -05:00
Add latest changes from gitlab-org/gitlab@master 2020-08-06 11:09:42 -04:00			`GitLab leverages [Google's reCAPTCHA](https://www.google.com/recaptcha/about/)`
Add documentation for using reCAPTCHA 2015-12-27 23:36:33 -05:00			`to protect against spam and abuse. GitLab displays the CAPTCHA form on the sign-up page`
			`to confirm that a real user, not a bot, is attempting to create an account.`

			`## Configuration`

Add latest changes from gitlab-org/gitlab@master 2021-11-26 07:12:49 -05:00			`To use reCAPTCHA, first create a site and private key.`
Add documentation for using reCAPTCHA 2015-12-27 23:36:33 -05:00
Add latest changes from gitlab-org/gitlab@master 2021-01-27 19:09:33 -05:00			`1. Go to the [Google reCAPTCHA page](https://www.google.com/recaptcha/admin).`
Add latest changes from gitlab-org/gitlab@master 2021-11-26 07:12:49 -05:00			`1. To get reCAPTCHA v2 keys, fill in the form and select Submit.`
			`1. Sign in to your GitLab server as an administrator.`
			`1. On the top bar, select Menu > Admin.`
			1. On the left sidebar, select Settings > Reporting (`admin/application_settings/reporting`).
			`1. Expand Spam and Anti-bot Protection.`
			`1. In the reCAPTCHA fields, enter the keys you obtained in the previous steps.`
Add latest changes from gitlab-org/gitlab@master 2021-09-01 05:10:58 -04:00			`1. Select the Enable reCAPTCHA checkbox.`
			`1. To enable reCAPTCHA for logins via password, select the Enable reCAPTCHA for login checkbox.`
Add latest changes from gitlab-org/gitlab@master 2021-11-26 07:12:49 -05:00			`1. Select Save changes.`
			1. To short-circuit the spam check and trigger the response to return `recaptcha_html`:
			1. Open `app/services/spam/spam_verdict_service.rb`.
			1. Change the first line of the `#execute` method to `return CONDITIONAL_ALLOW`.
Add latest changes from gitlab-org/gitlab@master 2020-07-13 08:09:18 -04:00
Add latest changes from gitlab-org/gitlab@master 2020-12-04 16:09:29 -05:00			`NOTE:`
Add latest changes from gitlab-org/gitlab@master 2021-01-27 19:09:33 -05:00			`Make sure you are viewing an issuable in a project that is public. If you're working with an issue, the issue is public.`
Show a reCAPTCHA on signin page if custom header is set This will only be displayed if `X-GitLab-Show-Login-Captcha` is set as an HTTP header. 2018-06-21 14:13:08 -04:00
Add latest changes from gitlab-org/gitlab@master 2021-09-01 05:10:58 -04:00			`## Enable reCAPTCHA for user logins using the HTTP header`
Show a reCAPTCHA on signin page if custom header is set This will only be displayed if `X-GitLab-Show-Login-Captcha` is set as an HTTP header. 2018-06-21 14:13:08 -04:00
Add latest changes from gitlab-org/gitlab@master 2021-09-01 05:10:58 -04:00			`You can enable reCAPTCHA for user logins via password [in the user interface](#configuration)`
			or by setting the `X-GitLab-Show-Login-Captcha` HTTP header.
			For example, in NGINX, this can be done via the `proxy_set_header`
Show a reCAPTCHA on signin page if custom header is set This will only be displayed if `X-GitLab-Show-Login-Captcha` is set as an HTTP header. 2018-06-21 14:13:08 -04:00			`configuration variable:`

Add latest changes from gitlab-org/gitlab@master 2020-03-25 02:07:58 -04:00			```nginx
Show a reCAPTCHA on signin page if custom header is set This will only be displayed if `X-GitLab-Show-Login-Captcha` is set as an HTTP header. 2018-06-21 14:13:08 -04:00			`proxy_set_header X-GitLab-Show-Login-Captcha 1;`
			```

Add latest changes from gitlab-org/gitlab@master 2020-04-29 23:09:32 -04:00			In Omnibus GitLab, this can be configured via `/etc/gitlab/gitlab.rb`:
Show a reCAPTCHA on signin page if custom header is set This will only be displayed if `X-GitLab-Show-Login-Captcha` is set as an HTTP header. 2018-06-21 14:13:08 -04:00
			```ruby
Add latest changes from gitlab-org/gitlab@master 2020-07-28 08:09:49 -04:00			`nginx['proxy_set_headers'] = { 'X-GitLab-Show-Login-Captcha' => '1' }`
Show a reCAPTCHA on signin page if custom header is set This will only be displayed if `X-GitLab-Show-Login-Captcha` is set as an HTTP header. 2018-06-21 14:13:08 -04:00			```