loading...
Cover image for Cloudflare replaced reCAPTCHA with hCaptcha. I followed their example. It took me 18 min.

Cloudflare replaced reCAPTCHA with hCaptcha. I followed their example. It took me 18 min.

stanbright profile image Stan Bright ใƒป3 min read

Cloudflare announced yesterday that they are moving away from Google's reCAPTCHA in favour of hCaptcha. In my opinion, that is huge! Given the amount of traffic transiting through CloudFlare. That has cut some significant level of vision from Google's all-seeing and tracking eye. Moreover, they are giving a good example for others to follow.

I'd be happy to be amongst their first followers โ–ถ.

Immediately after reading their article, I set my next to-do: "Replace Google's reCAPTCHA with hCaptcha on LibHunt". For those that don't know, LibHunt is a small network of websites (e.g. ruby.libhunt.com) focussed on different programming languages and tech in general. One of the features is allowing people to share links to their blog-posts (e.g. this one). All good, but historically, I have had a lot of issues with SPAM and dealing with it. Of course, one of the measures I've implemented is including a "captcha" - and more specifically, Google's reCAPTCHA. That has helped. However, I've always been a bit sceptical in pouring even more data into Google's hands. That's also why I didn't implement reCAPTCHA v3 (which is expected to be installed side-wide ๐Ÿ™€) but stayed with the older v2. (please, let's not involve Google Analytics now, I'd be happy to replace that too, but I can't as of now).

I also decided to note down the process so that I can share my experience. Well, it was easier and more straight-forward than I expected. It took me about 18 mins altogether. ~3 min reg + browsing around; ~10 min reading the docs and replacing "recaptcha" code and configs with "hcaptcha". ~5 min manually testing. There weren't any unexpected bits. It is almost a direct replacements. Literally. All the methods and functions are the same. You have to update your configs, a few param names and some links only.

These are all the essential changes:

  1. Update your site and secret keys
  2. Post data to https://hcaptcha.com/siteverify instead of to https://www.google.com/recaptcha/api/siteverify
  3. Load scripts from https://hcaptcha.com/1/api.js instead of https://www.google.com/recaptcha/api.js
  4. Replace "g-recaptcha" div with "h-captcha" (that includes the site key)
  5. Replace a div's class: from "g-recaptcha" to "h-captcha"
  6. Google is passing back "g-recaptcha-response" param, while hCaptcha is returning "h-captcha-response". So, use that param to validate results and the newly configured secret key.

That's all.

What is more, when people solve captchas on your website, you are supposed to earn some crypto coins - HMT (The HUMAN Tokenยฎ). To be honest, I hadn't heard about it and couldn't find much info about it apart from what's on hcaptcha's website. What I found was references to some other token "Hamster Marketplace Token" :D. Anyways, I guess we are not in it for the crypto tokens. Although, I can imagine that if you run a very busy website, it could add up ๐Ÿคทโ€โ™‚๏ธ. You also have the option to donate all your earnings from people solving captchas to Wikimedia foundation, which is an honourable. I guess many people will do that.

To summarise the process of migrating from reCaptcha to hCaptha:

  1. ๐Ÿ‘Œ It's super easy, straightforward and shouldn't take you more than 20-40 minutes
  2. ๐Ÿ‘ You are feeding less data to Google
  3. ๐Ÿ’ธ You earn crypto/money (I have no idea what's the potential though)

My advice: go for it!

p.s. as another means to spread hCaptcha, I will be featuring and promoting it on one of my other websites - SaaSHub
p.p.s. you can find more reCaptcha Alternatives on SaaSHub

Posted on by:

stanbright profile

Stan Bright

@stanbright

Founder of SaaSHub & LibHunt. Having more ideas than time. Ruby on Rails enthusiast. ๐Ÿฅ‘๐Ÿ‘‰๐Ÿž p.s. Sweet dreams are made of hard work. Who am I to disagree?

Discussion

pic
Editor guide
 

Okay... so I get not wanting to rely on just one provider of captcha... but your points #2 and #3 go against each other.

If you're worried about giving one organization your data, then you should worry about giving it to ANY organization. And so, why do you think they are offering money? Because that's incentive to give them your data.

So I get being interested in alternatives, I'm not knocking you for that. But you might want to make things a bit more pragmatic and less tin-foil-hatty ;)

 

Technical John, did you spend the time to read their business model?

They are not giving you "money" exactly. They are giving you some crypto tokens :).

OK, as far as I'm aware, they are not selling analytical data. What they are selling is "micro human tasks". For example, you are a business and need some data categorized or images labeled by real humans. You can reach out to hCaptch and use "their services" to get the work done. The work is done by people solving captchas.

As I can see it, they are offering free captcha service, they are not selling user data but rather "user work", and they give you a share of the money they are making. It seems like a fair deal. I might be missing something though.

 

I understand that they are different from Google. I'm just providing a little criticism that I hope can be taken in a constructive manner.

Boil down both companies to a generic statement, and they are both using you for their own benefit, while providing a service as well as a bonus incentive from one of them.

Now, is one more acceptable than the other? Depends on your opinion really. So my suggestion is to consider less "bad vs good" and focus on YOUR reasons, and YOUR success.

I definitely appreciated you sharing your opinion on the service, as well as the run through on how easy it is to switch!

 

Amen :)

One thing i wish they did is what G is doing with loading - browser loads synchronously only a small js that is loading async the big script. It should impact performance in a positive way.

 
 

I didn't knew it. Thank you! will begin using defer on head scripts.

Well, thats not what i wrote, but thats true (and helpful) as well :)

 

Hello, I read this article yesterday and today I've pushed the first hcaptcha middleware for Go developers at: github.com/kataras/hcaptcha, feel free to use and contribute!

 

The website where the hcaptcha assets are hosted does not resolve over IPv6 though. How sad is that? :(

 

Ok. It seems they are already aware of this issue.
twitter.com/hCaptcha/status/124995...

 

hCatcha is one of the promising dApps to go into quasi production . The Human token and hCaptcha is an initiative of "The Human Protocol" [hmt.ai/]