Umbraco.Forms.Issues icon indicating copy to clipboard operation
Umbraco.Forms.Issues copied to clipboard
verified publisher icon umbraco

GDPR compliant captcha integration

Open bjarnef opened this issue 1 year ago • 7 comments

Google reCAPTCHA is a great option to prevent spam through Umbraco Forms, unfortunately it isn't GDPR compliant of this time writing.

I found these options:

  • https://friendlycaptcha.com/

  • https://www.captcha.eu/

  • https://www.hcaptcha.com/

  • https://altcha.org/ (API or self-hosted). https://altcha.org/docs/gdpr/

  • https://www.cloudflare.com/products/turnstile/ https://blog.cloudflare.com/turnstile-ga/

Turnstile could perhaps make sense to have an integration for as Cloudflare is used on Umbraco Cloud. There are some examples here: https://github.com/cloudflare/turnstile-demo-workers/blob/main/src/explicit.html#L74-L85

bjarnef avatar Oct 14 '24 08:10 bjarnef

@AndyButland are there any considerations regarding this at the moment? We have a project where Google reCAPTCHA v3 isn't an option. We tried the Honeypot technique https://marketplace.umbraco.com/package/our.umbraco.honeypot , but bots/crawlers are too smart nowadays and can bypass this. It helped somewhat, but not much :)

bjarnef avatar Oct 14 '24 08:10 bjarnef

Nothing currently, but thanks for putting in on the radar. The out-of-the-box reCAPTCHAs are custom fields, and could be that some of these other offerings could be provided in a similar way.

AndyButland avatar Oct 15 '24 05:10 AndyButland

@AndyButland we implemented Turnstile using implicit rendering. The day before it had 500 forms entries. After enable Turnstile and running for a day it has only received 4 forms entries, where 2 was from our test. In the log it has logged form submissions, but most can't be verified by Turnstile.

It has been very affective for now and more than reCAPTCHA v3 on other projects, which has still received spams with default score threshold at 0.5

Besides that Turnstile is GDPR compliant. which reCAPTCHA v3 isn't.

bjarnef avatar Nov 15 '24 07:11 bjarnef

I wonder if it would make sense to abstract the reCAPTCHA from Umbraco Forms core as there'e a lot out there. Ideally move it to https://github.com/umbraco/Umbraco.Forms.Integrations ?

and potentially it easier for the community to contribute to part of Umbraco Forms: https://forum.umbraco.com/t/closed-source-add-ons/1776

If using Cloudflare Turnstile we probably wouldn't need to include Google reCAPTCHA v3.

bjarnef avatar Mar 28 '25 23:03 bjarnef

@bjarnef Thank you for bringing this issue with non-compliance in recaptcha up. Is there any chance you could share the website project where you implemented Turnstile? I am in discussions with my developers how we can avoid using Google recaptcha, and I would like to show them this alternative

MytenR avatar Apr 10 '25 07:04 MytenR

Hey @bjarnef and @AndyButland

There is a package here for using different captchas with Umbraco Forms https://marketplace.umbraco.com/package/our.umbraco.forms.ucaptcha

RachBreeze avatar Apr 23 '25 11:04 RachBreeze

@RachBreeze yes, I saw that package, but we didn't need to reCaptcha and hCaptcha implementation and wanted a bit more control of the implementation with Turnstile.

bjarnef avatar Apr 23 '25 11:04 bjarnef