reCAPTCHA
GitLab leverages Google’s reCAPTCHA to protect against spam and abuse. GitLab displays the CAPTCHA form on the sign-up page to confirm that a real user, not a bot, is attempting to create an account.
Configuration
To use reCAPTCHA, first you must create a site and private key.
- Go to the Google reCAPTCHA page.
- Fill out the form necessary to obtain reCAPTCHA v2 keys.
- Log in to your GitLab server, with administrator credentials.
- Go to Reporting Applications Settings in the Admin Area (
admin/application_settings/reporting
). - Fill all reCAPTCHA fields with keys from previous steps.
- Check the
Enable reCAPTCHA
checkbox. - Save the configuration.
- Change the first line of the
#execute
method inapp/services/spam/spam_verdict_service.rb
toreturn CONDITONAL_ALLOW
so that the spam check short-circuits and triggers the response to returnrecaptcha_html
.
Make sure you are viewing an issuable in a project that is public. If you’re working with an issue, the issue is public.
Enabling reCAPTCHA for user logins via passwords
By default, reCAPTCHA is only enabled for user registrations. To enable it for
user logins via passwords, the X-GitLab-Show-Login-Captcha
HTTP header must
be set. For example, in NGINX, this can be done via the proxy_set_header
configuration variable:
proxy_set_header X-GitLab-Show-Login-Captcha 1;
In Omnibus GitLab, this can be configured via /etc/gitlab/gitlab.rb
:
nginx['proxy_set_headers'] = { 'X-GitLab-Show-Login-Captcha' => '1' }