reCAPTCHA
GitLab leverages reCAPTCHA to protect against spam and abuse. GitLab displays the CAPTCHA form on the sign-up page to confirm that a real user, not a bot, is attempting to create an account.
Configuration
To use reCAPTCHA, first create a site and private key.
- Go to the Google reCAPTCHA page.
- To get reCAPTCHA v2 keys, fill in the form and select Submit.
- Sign in to your GitLab server as an administrator.
- On the left sidebar, at the bottom, select Admin Area.
- Select Settings > Reporting.
- Expand Spam and Anti-bot Protection.
- In the reCAPTCHA fields, enter the keys you obtained in the previous steps.
- Select the Enable reCAPTCHA checkbox.
- To enable reCAPTCHA for logins via password, select the Enable reCAPTCHA for login checkbox.
- Select Save changes.
- To short-circuit the spam check and trigger the response to return
recaptcha_html
:- Open
app/services/spam/spam_verdict_service.rb
. - Change the first line of the
#execute
method toreturn CONDITIONAL_ALLOW
.
- Open
Enable reCAPTCHA for user logins using the HTTP header
You can enable reCAPTCHA for user logins via password in the user interface
or by setting the X-GitLab-Show-Login-Captcha
HTTP header.
For example, in NGINX, this can be done via the proxy_set_header
configuration variable:
proxy_set_header X-GitLab-Show-Login-Captcha 1;
In Omnibus GitLab, this can be configured via /etc/gitlab/gitlab.rb
:
nginx['proxy_set_headers'] = { 'X-GitLab-Show-Login-Captcha' => '1' }