CAPTCHA Security Rules

Here you can find out everything you need to know about the security settings of the CAPTCHA.

You can view your website key, secret key, and, if applicable, your license key. These provide access to all services, features, and CAPTCHA results.


The CAPTCHA can only be used on websites whose domain or IP address you have explicitly authorized. This prevents unauthorized third parties from using your CAPTCHA on other websites, which could result in unwanted costs for you.

You can specify any valid domain (e.g., example.com) or subdomain (e.g., www.example.com) as an authorized domain. IPv4 addresses (e.g., 1.2.3.4), IPv6 addresses (e.g., 2001:aaa::1), or localhost are also supported.

The duration of the CAPTCHA largely depends on the difficulty of the Proof-of-Work tasks. The more frequently a user solves the CAPTCHA within a short period, the harder the tasks become and the longer the CAPTCHA lasts. This aims to slow down potential attackers and make bot attacks resource-intensive and unattractive.

You can use the slider to adjust the difficulty level and the suggested duration. Move the slider to the left to reduce difficulty and duration by up to 50% (faster). Alternatively, move the slider to the right to increase duration and security by up to 50% (safer).

By default, a CAPTCHA verification result can be retrieved from our servers exactly once within 15 minutes using the verification token. Higher price plans allow you to adjust the time period and the number of retrievals at your own risk.

In this mode, our servers store and process only the minimal necessary data. For technical reasons, no Bot Score can be calculated, so it will always return 0 (human). The functionality of Proof-of-Work remains unaffected. Please activate this mode in the respective TrustCaptcha components in your frontend to ensure no data is transmitted to us.

Note: We do not recommend this mode, as the omission of the Bot Score significantly reduces the security of our CAPTCHA.

The Allow-List and Block-List provide the ability to either always allow clients with specific IP addresses (Allow-List) or consistently reject them (Block-List).

Allow-List: Clients whose IP addresses match those listed in the Allow-List will automatically pass the CAPTCHA. They do not need to solve Proof-of-Work tasks and always receive a Bot Score of 0 (human). This allows them to bypass the CAPTCHA quickly and without restrictions.

Block-List: Clients whose IP addresses match those listed in the Block-List are consistently rejected. They receive a particularly difficult Proof-of-Work task and subsequently a Bot Score of 1 (bot), resulting in their rejection.

Notation: All IP addresses, whether IPv4 or IPv6, can be specified as individual addresses or entire ranges using CIDR notation. Examples for IPv4 include 1.2.3.4/32 (single address) or 100.200.0.0/16 (range). Examples for IPv6 include 2001:aaa::1/128 (single address) or 2001:bbb::/64 (range). If no subnet mask is provided, /32 is automatically added for IPv4 and /128 for IPv6.

Allow-List Before Block-List: Note that entries in the Allow-List take precedence over entries in the Block-List. If the same IP address or range appears in both lists, the Allow-List will apply. Additionally, you can block entire IP ranges in the Block-List and define exceptions for specific IP addresses in the Allow-List that would otherwise be blocked.
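The notation and precedence rules above can be checked offline before the lists are saved. The following is an added example, not TrustCaptcha code: the function names are hypothetical, the sample lists are constructed from the address forms shown above, and the "challenge" outcome for clients that match neither list is an assumption about the normal CAPTCHA flow.

```python
import ipaddress

def parse_entry(entry):
    """Parse one list entry into a network object.

    A bare address gets the full-length prefix (/32 for IPv4, /128 for IPv6),
    matching the default described above. strict=False masks off host bits;
    that is a choice of this sketch, not documented service behaviour.
    """
    return ipaddress.ip_network(entry.strip(), strict=False)

def evaluate(client_ip, allow_list, block_list):
    """Return 'allow', 'block' or 'challenge' for one client address."""
    ip = ipaddress.ip_address(client_ip)
    # The Allow-List is checked first, so it wins when both lists match.
    if any(ip in parse_entry(e) for e in allow_list):
        return "allow"
    if any(ip in parse_entry(e) for e in block_list):
        return "block"
    return "challenge"  # assumed: neither list matches, normal CAPTCHA flow

def shadowed_block_entries(allow_list, block_list):
    """Block entries fully covered by an allow entry, so they never apply."""
    allows = [parse_entry(e) for e in allow_list]
    shadowed = []
    for entry in block_list:
        net = parse_entry(entry)
        # subnet_of() raises on mixed IP versions, so compare versions first.
        if any(a.version == net.version and net.subnet_of(a) for a in allows):
            shadowed.append(entry)
    return shadowed

# Constructed sample lists: one allowed exception inside a blocked /16,
# and one blocked IPv6 address that an allowed /64 overrides.
ALLOW = ["100.200.7.9", "2001:bbb::/64"]
BLOCK = ["100.200.0.0/16", "2001:bbb::5", "1.2.3.4/32"]

if __name__ == "__main__":
    for ip in ["100.200.7.9", "100.200.7.10", "2001:bbb::5", "1.2.3.4", "192.0.2.1"]:
        print(ip, "->", evaluate(ip, ALLOW, BLOCK))
    print("block entries that never apply:", shadowed_block_entries(ALLOW, BLOCK))
```

A block entry reported by `shadowed_block_entries` is worth reviewing, since the overlapping Allow-List entry lets those clients pass without Proof-of-Work.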

Geoblocking allows you to allow or block clients based on the geographic location of their IP addresses.

Modes: Geoblocking offers two modes. In Block-List mode, only requests from specific countries selected by you are blocked. In Allow-List mode, all requests are rejected by default except those from countries you explicitly allow.

Note: Occasionally, entire IP ranges are reassigned to different geographic regions, and it can take some time for our systems to reflect the change. Additionally, clients may use technical methods like VPNs or proxies to simulate a different geographic location, attempting to bypass geoblocking.

Bypass Keys allow clients to skip CAPTCHA verification.

Functionality and Use: Bypass Keys can be specified in the frontend. Clients providing a valid Bypass Key when solving a CAPTCHA will automatically pass. They do not need to solve Proof-of-Work tasks and always receive a Bot Score of 0 (human). This feature is ideal for automated software and system testing or automated tasks. It is especially useful for clients that lack fixed IP addresses or ranges, making the IP Allow-List unsuitable.
