GDPR compliant captcha integration

[bjarnef]

Google reCAPTCHA is a great option to prevent spam through Umbraco Forms, unfortunately it isn't GDPR compliant of this time writing.

I found these options:

• https://friendlycaptcha.com/

• https://www.captcha.eu/

• https://www.hcaptcha.com/

• https://altcha.org/ (API or self-hosted). https://altcha.org/docs/gdpr/

• https://www.cloudflare.com/products/turnstile/ https://blog.cloudflare.com/turnstile-ga/

Turnstile could perhaps make sense to have an integration for as Cloudflare is used on Umbraco Cloud. There are some examples here: https://github.com/cloudflare/turnstile-demo-workers/blob/main/src/explicit.html#L74-L85

[bjarnef]

@AndyButland are there any considerations regarding this at the moment? We have a project where Google reCAPTCHA v3 isn't an option. We tried the Honeypot technique https://marketplace.umbraco.com/package/our.umbraco.honeypot , but bots/crawlers are too smart nowadays and can bypass this. It helped somewhat, but not much :)

[AndyButland]

Nothing currently, but thanks for putting in on the radar. The out-of-the-box reCAPTCHAs are custom fields, and could be that some of these other offerings could be provided in a similar way.

[bjarnef]

@AndyButland we implemented Turnstile using implicit rendering. The day before it had 500 forms entries. After enable Turnstile and running for a day it has only received 4 forms entries, where 2 was from our test. In the log it has logged form submissions, but most can't be verified by Turnstile.

It has been very affective for now and more than reCAPTCHA v3 on other projects, which has still received spams with default score threshold at 0.5

Besides that Turnstile is GDPR compliant. which reCAPTCHA v3 isn't.