debian-mirror-gitlab/doc/integration/recaptcha.md

---
stage: Ecosystem
group: Integrations
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
---

# reCAPTCHA **(FREE SELF)**

GitLab leverages [Google's reCAPTCHA](https://www.google.com/recaptcha/about/)
to protect against spam and abuse. GitLab displays the CAPTCHA form on the sign-up page
to confirm that a real user, not a bot, is attempting to create an account.

## Configuration

To use reCAPTCHA, first you must create a site and private key.

1. Go to the [Google reCAPTCHA page](https://www.google.com/recaptcha/admin).
1. Fill out the form necessary to obtain reCAPTCHA v2 keys.
1. Log in to your GitLab server, with administrator credentials.
1. Go to Reporting Applications Settings in the Admin Area (`admin/application_settings/reporting`).
1. Expand the **Spam and Anti-bot Protection** section.
1. Fill all reCAPTCHA fields with keys from previous steps.
1. Select the **Enable reCAPTCHA** checkbox.
1. To enable reCAPTCHA for logins via password, select the **Enable reCAPTCHA for login** checkbox.
1. Save the configuration.
1. Change the first line of the `#execute` method in `app/services/spam/spam_verdict_service.rb`
   to `return CONDITIONAL_ALLOW` so that the spam check short-circuits and triggers the response to
   return `recaptcha_html`.

NOTE:
Make sure you are viewing an issuable in a project that is public. If you're working with an issue, the issue is public.

## Enable reCAPTCHA for user logins using the HTTP header

You can enable reCAPTCHA for user logins via password [in the user interface](#configuration)
or by setting the `X-GitLab-Show-Login-Captcha` HTTP header.
For example, in NGINX, this can be done via the `proxy_set_header`
configuration variable:

```nginx
proxy_set_header X-GitLab-Show-Login-Captcha 1;
```

In Omnibus GitLab, this can be configured via `/etc/gitlab/gitlab.rb`:

```ruby
nginx['proxy_set_headers'] = { 'X-GitLab-Show-Login-Captcha' => '1' }
```
New upstream version 13.6.5 2021-01-29 00:20:46 +05:30			`---`
New upstream version 14.2.5+ds1 2021-10-27 15:23:28 +05:30			`stage: Ecosystem`
			`group: Integrations`
New upstream version 13.7.7 2021-02-22 17:27:13 +05:30			`info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments`
New upstream version 13.6.5 2021-01-29 00:20:46 +05:30			`---`

New upstream version 14.4.2+ds1 2021-11-18 22:05:49 +05:30			`# reCAPTCHA (FREE SELF)`
Imported Upstream version 8.4.0+dfsg~rc1 2016-01-14 18:37:52 +05:30
New upstream version 13.3.8 2020-10-24 23:57:45 +05:30			`GitLab leverages [Google's reCAPTCHA](https://www.google.com/recaptcha/about/)`
Imported Upstream version 8.4.0+dfsg~rc1 2016-01-14 18:37:52 +05:30			`to protect against spam and abuse. GitLab displays the CAPTCHA form on the sign-up page`
			`to confirm that a real user, not a bot, is attempting to create an account.`

			`## Configuration`

			`To use reCAPTCHA, first you must create a site and private key.`

New upstream version 13.9.3+ds1 2021-03-11 19:13:27 +05:30			`1. Go to the [Google reCAPTCHA page](https://www.google.com/recaptcha/admin).`
New upstream version 11.7.5 2019-02-15 15:39:39 +05:30			`1. Fill out the form necessary to obtain reCAPTCHA v2 keys.`
			`1. Log in to your GitLab server, with administrator credentials.`
			1. Go to Reporting Applications Settings in the Admin Area (`admin/application_settings/reporting`).
New upstream version 14.3.4+ds1 2021-11-11 11:23:49 +05:30			`1. Expand the Spam and Anti-bot Protection section.`
New upstream version 12.4.6 2019-12-21 20:55:43 +05:30			`1. Fill all reCAPTCHA fields with keys from previous steps.`
New upstream version 14.3.4+ds1 2021-11-11 11:23:49 +05:30			`1. Select the Enable reCAPTCHA checkbox.`
			`1. To enable reCAPTCHA for logins via password, select the Enable reCAPTCHA for login checkbox.`
New upstream version 11.7.5 2019-02-15 15:39:39 +05:30			`1. Save the configuration.`
New upstream version 13.2.1 2020-07-28 23:09:34 +05:30			1. Change the first line of the `#execute` method in `app/services/spam/spam_verdict_service.rb`
New upstream version 14.3.4+ds1 2021-11-11 11:23:49 +05:30			to `return CONDITIONAL_ALLOW` so that the spam check short-circuits and triggers the response to
New upstream version 13.2.1 2020-07-28 23:09:34 +05:30			return `recaptcha_html`.

New upstream version 13.7.7 2021-02-22 17:27:13 +05:30			`NOTE:`
New upstream version 13.9.3+ds1 2021-03-11 19:13:27 +05:30			`Make sure you are viewing an issuable in a project that is public. If you're working with an issue, the issue is public.`
New upstream version 11.1.8+dfsg 2018-11-08 19:23:39 +05:30
New upstream version 14.3.4+ds1 2021-11-11 11:23:49 +05:30			`## Enable reCAPTCHA for user logins using the HTTP header`
New upstream version 11.1.8+dfsg 2018-11-08 19:23:39 +05:30
New upstream version 14.3.4+ds1 2021-11-11 11:23:49 +05:30			`You can enable reCAPTCHA for user logins via password [in the user interface](#configuration)`
			or by setting the `X-GitLab-Show-Login-Captcha` HTTP header.
			For example, in NGINX, this can be done via the `proxy_set_header`
New upstream version 11.1.8+dfsg 2018-11-08 19:23:39 +05:30			`configuration variable:`

New upstream version 12.10.0 2020-04-22 19:07:51 +05:30			```nginx
New upstream version 11.1.8+dfsg 2018-11-08 19:23:39 +05:30			`proxy_set_header X-GitLab-Show-Login-Captcha 1;`
			```

New upstream version 13.0.0 2020-05-24 23:13:21 +05:30			In Omnibus GitLab, this can be configured via `/etc/gitlab/gitlab.rb`:
New upstream version 11.1.8+dfsg 2018-11-08 19:23:39 +05:30
			```ruby
New upstream version 13.3.8 2020-10-24 23:57:45 +05:30			`nginx['proxy_set_headers'] = { 'X-GitLab-Show-Login-Captcha' => '1' }`
New upstream version 11.1.8+dfsg 2018-11-08 19:23:39 +05:30			```