Cloudflare announced yesterday that they are moving away from Google's reCAPTCHA in favour of hCaptcha. In my opinion, that is huge! Given the amount of traffic transiting through CloudFlare. That has cut some significant level of vision from Google's all-seeing and tracking eye. Moreover, they are giving a good example for others to follow.
I'd be happy to be amongst their first followers ▶.
Immediately after reading their article, I set my next to-do: "Replace Google's reCAPTCHA with hCaptcha on LibHunt". For those that don't know, LibHunt is a small network of websites (e.g. ruby.libhunt.com) focussed on different programming languages and tech in general. One of the features is allowing people to share links to their blog-posts (e.g. this one). All good, but historically, I have had a lot of issues with SPAM and dealing with it. Of course, one of the measures I've implemented is including a "captcha" - and more specifically, Google's reCAPTCHA. That has helped. However, I've always been a bit sceptical in pouring even more data into Google's hands. That's also why I didn't implement reCAPTCHA v3 (which is expected to be installed side-wide 🙀) but stayed with the older v2. (please, let's not involve Google Analytics now, I'd be happy to replace that too, but I can't as of now).
I also decided to note down the process so that I can share my experience. Well, it was easier and more straight-forward than I expected. It took me about 18 mins altogether. ~3 min reg + browsing around; ~10 min reading the docs and replacing "recaptcha" code and configs with "hcaptcha". ~5 min manually testing. There weren't any unexpected bits. It is almost a direct replacements. Literally. All the methods and functions are the same. You have to update your configs, a few param names and some links only.
These are all the essential changes:
- Update your site and secret keys
- Post data to https://hcaptcha.com/siteverify instead of to https://www.google.com/recaptcha/api/siteverify
- Load scripts from https://hcaptcha.com/1/api.js instead of https://www.google.com/recaptcha/api.js
- Replace "g-recaptcha" div with "h-captcha" (that includes the site key)
- Replace a div's class: from "g-recaptcha" to "h-captcha"
- Google is passing back "g-recaptcha-response" param, while hCaptcha is returning "h-captcha-response". So, use that param to validate results and the newly configured secret key.
What is more, when people solve captchas on your website, you are supposed to earn some crypto coins - HMT (The HUMAN Token®). To be honest, I hadn't heard about it and couldn't find much info about it apart from what's on hcaptcha's website. What I found was references to some other token "Hamster Marketplace Token" :D. Anyways, I guess we are not in it for the crypto tokens. Although, I can imagine that if you run a very busy website, it could add up 🤷♂️. You also have the option to donate all your earnings from people solving captchas to Wikimedia foundation, which is an honourable. I guess many people will do that.
To summarise the process of migrating from reCaptcha to hCaptha:
- 👌 It's super easy, straightforward and shouldn't take you more than 20-40 minutes
- 👁 You are feeding less data to Google
- 💸 You earn crypto/money (I have no idea what's the potential though)
My advice: go for it!
p.s. as another means to spread hCaptcha, I will be featuring and promoting it on one of my other websites - SaaSHub
p.p.s. you can find more reCaptcha Alternatives on SaaSHub