reCAPTCHA
GitLab leverages Google’s reCAPTCHA to protect against spam and abuse. GitLab displays the CAPTCHA form on the sign-up page to confirm that a real user, not a bot, is attempting to create an account.
Configuration
To use reCAPTCHA, first create a site and private key.
- Go to the Google reCAPTCHA page.
- To get reCAPTCHA v2 keys, fill in the form and select Submit.
- Sign in to your GitLab server as an administrator.
- On the top bar, select Main menu > Admin.
- On the left sidebar, select Settings > Reporting (admin/application_settings/reporting).
- Expand Spam and Anti-bot Protection.
- In the reCAPTCHA fields, enter the keys you obtained in the previous steps.
- Select the Enable reCAPTCHA checkbox.
- To enable reCAPTCHA for logins via password, select the Enable reCAPTCHA for login checkbox.
- Select Save changes.
- To short-circuit the spam check and trigger the response to return recaptcha_html:
  - Open app/services/spam/spam_verdict_service.rb.
  - Change the first line of the #execute method to return CONDITIONAL_ALLOW.
Make sure you are viewing an issuable in a project that is public. If you’re working with an issue, the issue is public.
Enable reCAPTCHA for user logins using the HTTP header
You can enable reCAPTCHA for user logins via password in the user interface or by setting the X-GitLab-Show-Login-Captcha HTTP header.
For example, in NGINX, this can be done via the proxy_set_header directive:
proxy_set_header X-GitLab-Show-Login-Captcha 1;
In Omnibus GitLab, this can be configured via /etc/gitlab/gitlab.rb:
nginx['proxy_set_headers'] = { 'X-GitLab-Show-Login-Captcha' => '1' }
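For the plain NGINX case above, the header can also be sent selectively. The following is an added example, not part of the GitLab documentation: it sends the header for every client except two trusted ranges, and goes beyond the single unconditional line shown above. The address ranges, server name, certificate paths and upstream address are placeholders, and it assumes the reCAPTCHA keys are already configured as described under Configuration.

```nginx
# Added example: placeholders throughout, adapt before use.
# http {} context: choose the header value from the client address.
geo $show_login_captcha {
    default         1;    # all other clients: request the login CAPTCHA
    10.0.0.0/8      "";   # constructed internal range: header not sent
    192.0.2.0/24    "";   # constructed office range: header not sent
}

upstream gitlab-workhorse {
    server 127.0.0.1:8181;            # placeholder backend address
}

server {
    listen 443 ssl;
    server_name gitlab.example.com;                   # placeholder
    ssl_certificate     /etc/nginx/ssl/example.crt;   # placeholder
    ssl_certificate_key /etc/nginx/ssl/example.key;   # placeholder

    location / {
        # proxy_set_header replaces whatever value the client sent.
        # When the variable is empty, NGINX omits the header entirely.
        proxy_set_header X-GitLab-Show-Login-Captcha $show_login_captcha;

        # proxy_set_header directives are inherited from the outer level
        # only if this level defines none, so restate the ones needed.
        proxy_set_header Host              $http_host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        proxy_pass http://gitlab-workhorse;
    }
}
```

The geo block matches on the connecting address, so if NGINX itself sits behind a load balancer, the real client address has to be restored first (for example with the realip module) or every request will match the balancer's range.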