reCAPTCHA: Easy on Humans, Hard on Bots

reCAPTCHA: Easy on Humans, Hard on Bots 

Extension Key

recaptcha

Package name

evoweb/recaptcha

Version

main

Language

en

Author

Sebastian Fischer

License

This document is published under the Open Publication. license.

Rendered

Fri, 12 Dec 2025 18:51:53 +0000

Copyright

2015-2024

Extension to provide reCAPTCHA and invisible reCAPTCHA to form related actions.

The content of this document is related to TYPO3, a GNU/GPL CMS/Framework available from http://typo3.org

Table of Contents:

Introduction 

This Documentation was written for version 8.2.0 of the extension.

Functionality 

Only purpose is to render the reCAPTCHA and validate the response. But provide these to other extensions which consumes the service.

Also there are limited integrations into other extensions implemented. These act more as an living example and integrate only in extensions used by the author self.

Show example of captcha output

Features 

As a very focused extension only the following features are integrated

  • service for display and validation
  • integration in form rendering of EXT:form
  • integration of invisible captcha in EXT:form
  • viewHelper for display in fluid templates
  • validator for usage in extbase domain model validation
  • adapter for in-/visible captcha in sf_register
  • adapter for in-/visible captcha in typoscript

Users manual 

Usage in ext:form manager 

This extension doesn't come with a content element of any sort. As it is only a service the captcha can't be used on its own. But there is one part where editors are able to have the possibility to configure captcha related settings.

Add captcha to form 

In the form manager it's possible to add the captcha to a form by choosing it in the new field wizard.

Recaptcha on the form element wizard

Configure label 

After the selection the user is able to choose if the label should be rendered in frontend and if so what label text should be used.

Add recaptcha element in form

Use invisible captcha 

To use the invisible reCAPTCHA it's necessary to add an captcha field. Once this is done the form needs to be configured via the settings button on top of the form editor. There the checkbox for "Use invisible recaptcha" needs to be checked.

Configuration of invisible recaptcha

Administration 

Installation for both TYPO3 CMS installation types (manual/composer) are supported. For both a compatible installation is provided.

Manual installations 

Download the extension recaptcha either with the browser from typo3.org_ or github and upload it into the installation in the admin tools extensions, or directly in the admin tools extensions with the integrated search.

Composer installations 

On the console in the folder where the project composer.json resides just type:

Installation via composer 
composer require evoweb/recaptcha ^8.2
Copied!

Activation 

After the extension is installed by either way you always need to activate it. Normally this is done in the admin tools extensions. But its also possible to activate it via console:

Activate extension on shell 
vendor/bin/typo3 extensionmanager:extension:install recaptcha
Copied!

Configuration 

If, the captcha should be usable in backend context or you like to have a default configuration without touching TypoScript, the extensions need to be configured in the "Admin Tools" > "Settings" > "Extension Configuration" > "recaptcha"

Configure extension settings

Breaking Changes 

12. October 2024 

The possibility for configuring extra keys for invisible recaptcha was added. For this to work, the partials needed to be modified. If you override the partials, please check that they contain the changes.

In addition it was made possible to have more than one form with recaptcha on a page. These needed a complete refactoring of form.js for the frontend. Check that the inclusion via f:asset.script is the same in your site.

Lastly the inclusion of the recaptcha.js was change from TypoScript includeFooterJs to f:asset.script. By this only on page with a form that is protected with recaptcha, the js file gets loaded. For this to work, you need to synchronize the partials if you override them.

13. August 2023 

Partials 

Frontend partials have be changed. If modified check if your partials on changed made to hidden fields.

Configuration removed 

TypoScript setup
  • invisibleCallback
  • captchaCssClass
TypoScript constants
  • invisible_recaptcha_formname
  • include_invisible_recaptcha_callback

Remove support for EXT:formhandler

Configuration 

Reference 

Following parameter are available as constants. And with the same name also as setup parameter.

plugin.tx_recaptcha:

Name Type Default
api_server
 string https://www.google.com/recaptcha/api.js
verify_server
 string https://www.google.com/recaptcha/api/siteverify
public_key
 string 6LeIxAcTAAAAAJcZVRqyHh71UMIEGNQ_MXjiZKhI
private_key
 string 6LeIxAcTAAAAAGG-vFI1TnRWxMZNFuojJ4WifJWe
invisible_private_key
 string 6LeIxAcTAAAAAGG-vFI1TnRWxMZNFuojJ4WifJWe
lang
 string
enforceCaptcha
 string 0
theme
 string light
robotMode
 string 0
threshold
 string 0

api_server

api_server
Type
string
Default
https://www.google.com/recaptcha/api.js

This url is used to include the basic frontend functionality. In general it's not necessary to modify this url. In case that the api changes and the extension is not updated quick enough changing this parameter keeps the frontend working.

verify_server

verify_server
Type
string
Default
https://www.google.com/recaptcha/api/siteverify

Every verification uses this url to check if the captcha was solved. In general it's not necessary to modify this url. In case that the api changes and the extension is not updated quick enough changing this parameter keeps the validation working.

public_key

public_key
Type
string
Default
6LeIxAcTAAAAAJcZVRqyHh71UMIEGNQ_MXjiZKhI

The public key is needed for the frontend rendering.

Google provides a key for automatic testing purpose and this is used as default. To remove the warning that is caused by using the default key please go to the recaptcha console and register an own key for use in your site.

private_key

private_key
Type
string
Default
6LeIxAcTAAAAAGG-vFI1TnRWxMZNFuojJ4WifJWe

The private key is needed for the validation of submits.

Google provides a key for automatic testing purpose and this is used as default. To remove the warning that is caused by using the default key please go to the recaptcha console and register an own key for use in your site.

invisible_private_key

invisible_private_key
Type
string
Default
6LeIxAcTAAAAAGG-vFI1TnRWxMZNFuojJ4WifJWe

The private key is needed for the validation of invisible captcha submits.

Google provides a key for automatic testing purpose and this is used as default. To remove the warning that is caused by using the default key please go to the recaptcha console and register an own key for use in your site.

lang

lang
Type
string

Recaptcha is very good in automatic detecting which language to use based on the users browser settings and with which IP the page gets visited. Only in case if it is really necessary set this parameter to take influence on the rendered language.

enforceCaptcha

enforceCaptcha
Type
string
Default
0

This configuration parameter will enforce the captcha to test the functionality on development systems. EXT:recaptcha uses the application context to detect if an installation is running in Development mode. If so the captcha is not rendered or validated. This is a to reduce external calls and b to not bother the integrator every time he has to test forms. Because after a limited amount of tests the captcha testing games must always be solved instead only clicking a checkbox.

theme

theme
Type
string
Default
light
Possible values
light, dark

[Only TypoScript] For change the theme for recaptcha (light or dark).

robotMode

robotMode
Type
string
Default
0

[Only TypoScript] Add the possibility to set the recaptcha into robot mode in production environment. The recaptcha will not be displayed like in development mode.

threshold

threshold
Type
string
Default
0

[Only TypoScript] Add the threshold for recaptcha v3 from which to show an error.

Content Security Policy 

Reason 

Since TYPO3 12 handling of content security policies are introduced. If this feature is active, the recaptcha javascript can not be loaded without additional configuration.

CSP Configuration 

To get the recaptcha working with csp feature active, it's necessary to add an extending mutation to the site configuration in a csp.yaml named file.

To include this more easy a CSP.yaml file is prepared and can be imported in the config/sites/site/csp.yaml with this lines.

Template modifications 

In previous releases some onclick javascript was used. While the CSP rules are in place, this should be omitted. Some code was moved to the Frontend/form.js. Other was replaced with hidden inputs.

If you override the Frontend/Partials/Form/Navigation.html please check if it's in line with the provided file.

Integration 

Use in your extension 

To make use of this extension is quite easy as there is only one service needed. By instantiating the EvowebRecaptchaServicesCaptchaService it's possible to render and validate the captcha. Beside the service there are a ViewHelper and a Validator for use in extbase extensions.

Integration in your own code 

Rendering hole captcha 

To render you are able to let the service take care of the output by calling getReCaptcha.

Get rendered captcha from service 
$captchaService = \TYPO3\CMS\Core\Utility\GeneralUtility::makeInstance(\Evoweb\Recaptcha\Services\CaptchaService::class);
$output = $captchaService->getReCaptcha();
Copied!

Please keep in mind that it only renders the captcha. If you need something to trigger the validation in your controller it's up to you to add the code.

Render on your own 

If you prefer to render on your own its possible to let the service prepare the settings for you.

Get settings to render individually 
$captchaService = \TYPO3\CMS\Core\Utility\GeneralUtility::makeInstance(\Evoweb\Recaptcha\Services\CaptchaService::class);
$configuration = $captchaService->getConfiguration();
$showCaptcha = $captchaService->getShowCaptcha();
Copied!

By using this you need to render the html completely on your own.

Validate submitted form 

To validate just call the validateReCaptcha method and you get the result of the validation to check against.

Validate captcha in extension 
$validCaptcha = false;

$captchaService = \TYPO3\CMS\Core\Utility\GeneralUtility::makeInstance(\Evoweb\Recaptcha\Services\CaptchaService::class);
$captchaServiceValidation = $captchaService->validateReCaptcha();
if (isset($captchaServiceValidation['verified'])) {
    if ($captchaServiceValidation['verified'] === true) {
        $validCaptcha = true;
    }
}
Copied!

Integration in extbase extension 

Rendering the captcha 

For rendering the captcha in a fluid template there is a ViewHelper that prepares the configuration and then renders the captcha.

ViewHelper example integration 
<r:form.recaptcha>
  <f:if condition="{showCaptcha}">
    <f:then>
      <f:form.hidden property="{name}" value="1" />
      <div class="g-recaptcha" data-sitekey="{configuration.public_key}"></div>
    </f:then>
    <f:else>
      <div class="recaptcha-development-mode">
        Development mode active. Do not expect the captcha to appear.
      </div>
    </f:else>
  </f:if>
</r:form.recaptcha>
Copied!

Validation in model 

After the form was submitted the validation of the form model is quite easy. Just annotate as usual.

Add captcha validator to model property 
/**
 * virtual not stored in database
 *
 * @var string
 * @validate \Evoweb\Recaptcha\Validation\RecaptchaValidator
 */
protected $captcha;
Copied!

Templating 

For templating there are only two interesting parts to consider. How to use the ViewHelper and direct inclusion in custom extension are the only parts to modify.

ViewHelper integration 

Using the ViewHelper has the benefit that it covers the hole configuration discovery with fallback. Inside the ViewHelper three variables are set.

Name Type Default
name
 string formName[formObject][captcha]
showCaptcha
 boolean true on Development and false on Production
configuration
 array settings from TypoScript

name

name
Type
string
Default
formName[formObject][captcha]

This value depends heavily on fluids field name generation and will vary through out the templates where it gets used.

showCaptcha

showCaptcha
Type
boolean
Default
true on Development and false on Production

Contains whether the catpcha should be rendered at all and depends on the application mode.

configuration

configuration
Type
array
Default
settings from TypoScript

Provides the configuration set in TypoScript with fallback to extension configuration set in admin tools extensions.

ViewHelper usage 

ViewHelper example integration 
<r:form.recaptcha>
  <f:if condition="{showCaptcha}">
    <f:then>
      <f:form.hidden property="{name}" value="1" />
      <div class="g-recaptcha" data-sitekey="{configuration.public_key}"></div>
    </f:then>
    <f:else>
      <div class="recaptcha-development-mode">
        Development mode active. Do not expect the captcha to appear.
      </div>
    </f:else>
  </f:if>
</r:form.recaptcha>
Copied!

Integration in extension 

Here the extension delivers only limited settings. In TypoScript there is the public_key defined which can be rendered as stdWrap to resolve an div container with all needed information to output the captcha.

Tutorial 

Use invisible recaptcha in EXT:form forms 

To use the invisible captcha in the form you need to add the advanced element "reCAPTCHA". This field has the validation automatically added. Next step is to open the "Settings" of the form and need to check the "Use invisible recaptcha".

Sitemap