Google's reCAPTCHA v3 is quite different from v2: it is designed to require no user interaction. In addition, you can perform server-side validation to receive a score for how likely the user is to be a bot (1.0 is very likely a good interaction, 0.0 is very likely a bot). You can therefore take a more adaptive approach than immediately denying traffic, such as requesting an MFA factor when the score is low.
Ensure your site key is registered for the correct reCAPTCHA version.
How you respond to a potential bot is going to vary depending on your requirements, but the implementations are going to be fairly consistent. The examples below demonstrate a few common reCAPTCHA v3 use cases.
Ensure you import the reCAPTCHA script with the site key
Include a verification check on the
Include a verification check on the
As mentioned before, these are client-side validations, so you may decide to extend the application logic with a back-end server to include scoring. That goes beyond the scope of this book, but Google provides some examples of where you may want to take action.
| Use case | Recommendation |
|---|---|
| homepage | See a cohesive view of your traffic on the admin console while filtering scrapers. |
| login | With low scores, require 2-factor-authentication or email verification to prevent credential stuffing attacks. |
| social | Limit unanswered friend requests from abusive users and send risky comments to moderation. |
| e-commerce | Put your real sales ahead of bots and identify risky transactions. |
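
The login case above, sketched as back-end scoring logic. This is an added example, not code from the original page or from Google. It posts the client token to the `siteverify` endpoint and maps the response to allow, step-up MFA, or deny. The 0.5 threshold, the `login` action name, the `app.example.com` hostname and the function names are assumptions, and the sample responses are constructed.

```javascript
const VERIFY_URL = "https://www.google.com/recaptcha/api/siteverify";
const MFA_BELOW = 0.5; // assumed threshold; tune it against your own traffic

// POST the client token to siteverify (global fetch, Node 18+).
// The secret key stays on the server and is never sent to the browser.
async function verifyToken(secret, token) {
  const res = await fetch(VERIFY_URL, {
    method: "POST",
    body: new URLSearchParams({ secret, response: token }),
  });
  if (!res.ok) throw new Error(`siteverify returned HTTP ${res.status}`);
  return res.json();
}

// Turn a siteverify response into a login decision.
// expected = { action, hostname } are the values your own page uses.
function decideLogin(result, expected) {
  if (!result || result.success !== true) {
    return { decision: "deny", reason: "token-invalid" };
  }
  // No score in a successful response: the key is probably not a v3 key.
  if (typeof result.score !== "number") {
    return { decision: "deny", reason: "no-score" };
  }
  // A token issued for another action or site must not be accepted here.
  if (result.action !== expected.action) {
    return { decision: "deny", reason: "action-mismatch" };
  }
  if (result.hostname !== expected.hostname) {
    return { decision: "deny", reason: "hostname-mismatch" };
  }
  // Low score: step up to MFA instead of blocking outright.
  if (result.score < MFA_BELOW) {
    return { decision: "require_mfa", reason: "low-score" };
  }
  return { decision: "allow", reason: "score-ok" };
}

// Constructed siteverify responses (field names follow the API; values are made up).
const EXPECTED = { action: "login", hostname: "app.example.com" };
const ok = { success: true, ...EXPECTED };
const SAMPLES = {
  human: { ...ok, score: 0.9 },
  suspect: { ...ok, score: 0.1 },
  wrongAction: { ...ok, score: 0.9, action: "homepage" },
  expired: { success: false, "error-codes": ["timeout-or-duplicate"] },
};
function runSamples() {
  const rows = Object.entries(SAMPLES).map(([k, v]) => [k, decideLogin(v, EXPECTED).decision]);
  return Object.fromEntries(rows);
}
console.log(runSamples());
```

In a real handler, pass the result of `await verifyToken(secret, token)` to `decideLogin` and treat a thrown error according to your own fail-open or fail-closed policy.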