DEV Community

Cover image for Cloudflare replaced reCAPTCHA with hCaptcha. I followed their example. It took me 18 min.
Stan Bright
Stan Bright

Posted on

Cloudflare replaced reCAPTCHA with hCaptcha. I followed their example. It took me 18 min.

Cloudflare announced yesterday that they are moving away from Google's reCAPTCHA in favour of hCaptcha. In my opinion, that is huge! Given the amount of traffic transiting through CloudFlare. That has cut some significant level of vision from Google's all-seeing and tracking eye. Moreover, they are giving a good example for others to follow.

I'd be happy to be amongst their first followers ▶.

Immediately after reading their article, I set my next to-do: "Replace Google's reCAPTCHA with hCaptcha on LibHunt". For those that don't know, LibHunt is a small network of websites (e.g. ruby.libhunt.com) focussed on different programming languages and tech in general. One of the features is allowing people to share links to their blog-posts (e.g. this one). All good, but historically, I have had a lot of issues with SPAM and dealing with it. Of course, one of the measures I've implemented is including a "captcha" - and more specifically, Google's reCAPTCHA. That has helped. However, I've always been a bit sceptical in pouring even more data into Google's hands. That's also why I didn't implement reCAPTCHA v3 (which is expected to be installed side-wide 🙀) but stayed with the older v2. (please, let's not involve Google Analytics now, I'd be happy to replace that too, but I can't as of now).

I also decided to note down the process so that I can share my experience. Well, it was easier and more straight-forward than I expected. It took me about 18 mins altogether. ~3 min reg + browsing around; ~10 min reading the docs and replacing "recaptcha" code and configs with "hcaptcha". ~5 min manually testing. There weren't any unexpected bits. It is almost a direct replacements. Literally. All the methods and functions are the same. You have to update your configs, a few param names and some links only.

These are all the essential changes:

  1. Update your site and secret keys
  2. Post data to https://hcaptcha.com/siteverify instead of to https://www.google.com/recaptcha/api/siteverify
  3. Load scripts from https://hcaptcha.com/1/api.js instead of https://www.google.com/recaptcha/api.js
  4. Replace "g-recaptcha" div with "h-captcha" (that includes the site key)
  5. Replace a div's class: from "g-recaptcha" to "h-captcha"
  6. Google is passing back "g-recaptcha-response" param, while hCaptcha is returning "h-captcha-response". So, use that param to validate results and the newly configured secret key.

That's all.

What is more, when people solve captchas on your website, you are supposed to earn some crypto coins - HMT (The HUMAN Token®). To be honest, I hadn't heard about it and couldn't find much info about it apart from what's on hcaptcha's website. What I found was references to some other token "Hamster Marketplace Token" :D. Anyways, I guess we are not in it for the crypto tokens. Although, I can imagine that if you run a very busy website, it could add up 🤷‍♂️. You also have the option to donate all your earnings from people solving captchas to Wikimedia foundation, which is an honourable. I guess many people will do that.

To summarise the process of migrating from reCaptcha to hCaptha:

  1. 👌 It's super easy, straightforward and shouldn't take you more than 20-40 minutes
  2. 👁 You are feeding less data to Google
  3. 💸 You earn crypto/money (I have no idea what's the potential though)

My advice: go for it!

p.s. as another means to spread hCaptcha, I will be featuring and promoting it on one of my other websites - SaaSHub
p.p.s. you can find more reCaptcha Alternatives on SaaSHub

Top comments (13)

Collapse
 
technicaljohn profile image
John Holcomb

Okay... so I get not wanting to rely on just one provider of captcha... but your points #2 and #3 go against each other.

If you're worried about giving one organization your data, then you should worry about giving it to ANY organization. And so, why do you think they are offering money? Because that's incentive to give them your data.

So I get being interested in alternatives, I'm not knocking you for that. But you might want to make things a bit more pragmatic and less tin-foil-hatty ;)

Collapse
 
stanbright profile image
Stan Bright

Technical John, did you spend the time to read their business model?

They are not giving you "money" exactly. They are giving you some crypto tokens :).

OK, as far as I'm aware, they are not selling analytical data. What they are selling is "micro human tasks". For example, you are a business and need some data categorized or images labeled by real humans. You can reach out to hCaptch and use "their services" to get the work done. The work is done by people solving captchas.

As I can see it, they are offering free captcha service, they are not selling user data but rather "user work", and they give you a share of the money they are making. It seems like a fair deal. I might be missing something though.

Collapse
 
technicaljohn profile image
John Holcomb

I understand that they are different from Google. I'm just providing a little criticism that I hope can be taken in a constructive manner.

Boil down both companies to a generic statement, and they are both using you for their own benefit, while providing a service as well as a bonus incentive from one of them.

Now, is one more acceptable than the other? Depends on your opinion really. So my suggestion is to consider less "bad vs good" and focus on YOUR reasons, and YOUR success.

I definitely appreciated you sharing your opinion on the service, as well as the run through on how easy it is to switch!

Collapse
 
pavelloz profile image
Paweł Kowalski • Edited

Amen :)

One thing i wish they did is what G is doing with loading - browser loads synchronously only a small js that is loading async the big script. It should impact performance in a positive way.

Collapse
 
mburszley profile image
Maximilian Burszley

Change your script tag attributes: flaviocopes.com/javascript-async-d...

Collapse
 
shjordan profile image
Jordan Humberto de Souza

I didn't knew it. Thank you! will begin using defer on head scripts.

Thread Thread
 
pavelloz profile image
Paweł Kowalski

Well, thats not what i wrote, but thats true (and helpful) as well :)

Collapse
 
slidenerd profile image
slidenerd

hcaptcha is the most user UNFRIENDLY captcha i have come across in recent times, have you actually sat and solved their puzzle? i did like 10 of them before deciding google recaptcha was waay more user friendly, also your point of giving data to google doesnt makes sense, you are giving data one way or the other to some organization, this argument of yours got no reason

Collapse
 
lamka02sk profile image
lamka02sk

I am very happy with the change. If you use Firefox and have anti-tracking addons installed, with reCaptcha, you either fail, or you have to pass their challenges like 10+ times in order to really pass. No, thanks.

Collapse
 
kataras profile image
Gerasimos (Makis) Maropoulos

Hello, I read this article yesterday and today I've pushed the first hcaptcha middleware for Go developers at: github.com/kataras/hcaptcha, feel free to use and contribute!

Collapse
 
indcoder profile image
Augustine Correa

hCatcha is one of the promising dApps to go into quasi production . The Human token and hCaptcha is an initiative of "The Human Protocol" [hmt.ai/]

Collapse
 
wget profile image
William Gathoye

The website where the hcaptcha assets are hosted does not resolve over IPv6 though. How sad is that? :(

Collapse
 
wget profile image
William Gathoye

Ok. It seems they are already aware of this issue.
twitter.com/hCaptcha/status/124995...