Domain validation
When creating a CAPTCHA, you specify a list of domains it will be hosted on. By default, SmartCaptcha validates domain names and allows using the CAPTCHA only on websites that are on the list.
You can disable domain validation, but this poses a high security risk: the CAPTCHA can be added to any website and anyone can use your key. In this case, perform domain validation yourself on your own server. Disabling validation may be useful if the list of domains is too long, frequently updated, or unknown.
To disable domain validation when creating or editing a CAPTCHA, enable the Disable domain check option.
If domain validation is off, check the host field value in the service response and reject any results you get from unknown sources.
In some cases, the service may return an empty value in the host field:
- The cloud is blocked. If so, the service returns "status": "ok" even in response to bot queries.
- SmartCaptcha could not identify the website name due to an internal failure. In this case, the empty host can be treated as a trusted one.
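One way to perform the server-side host check described above. This is an added example, not SmartCaptcha's own code. It assumes the validation response is JSON carrying the status and host fields mentioned on this page; ALLOWED_HOSTS, the function names, the trust_empty_host switch and the defensive stripping of a ":port" suffix are assumptions of the example.

```python
import json

# Assumption: the hostnames this backend actually serves; replace with your own.
ALLOWED_HOSTS = {"example.com", "www.example.com"}


def normalize_host(host):
    """Lowercase the name and drop a numeric :port suffix and trailing dot."""
    host = host.strip().lower()
    name, sep, port = host.rpartition(":")
    if sep and port.isdigit() and ":" not in name:
        host = name
    return host.rstrip(".")


def check_captcha_result(body, allowed_hosts=ALLOWED_HOSTS, trust_empty_host=True):
    """Return (accepted, reason) for a raw JSON validation response body.

    trust_empty_host makes the empty-host policy explicit: the service may
    return an empty host (blocked cloud, internal failure), and the backend
    has to decide whether such results are accepted.
    """
    try:
        data = json.loads(body)
    except (TypeError, ValueError):
        return False, "unparseable response"
    if not isinstance(data, dict) or data.get("status") != "ok":
        return False, "status is not ok"

    host = data.get("host") or ""
    if not isinstance(host, str):
        return False, "malformed host"
    host = normalize_host(host)

    if not host:
        # Surface the reason so empty-host results can be counted and alerted on.
        return trust_empty_host, "empty host"
    if host in allowed_hosts:
        return True, "host allowed"
    # Token was solved on a site that is not ours: reject the result.
    return False, "unknown host: " + host
```

Log the returned reason for every rejected or empty-host result so that key reuse on foreign sites and service-side failures are both visible in monitoring.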