reCAPTCHA (Invisible reCAPTCHA)

All Formstack forms have behind-the-scenes technology in place to help prevent spam. However, for additional protection, you may consider enabling reCAPTCHA, a security feature available on all paid accounts. By enabling reCAPTCHA you will be adding another layer of protection to your forms to help thwart would-be spammers.


reCAPTCHA is a free service that will help protect your forms from spam and abuse submissions. It works behind the scenes to help determine if an end-user is actually a human being or a bot. If reCAPTCHA thinks an end-user is a bot, it'll require the end-user to solve a challenge.



You can enable reCAPTCHA on your form by going to the Build tab, clicking 'Form Extras' along the top, then toggling on 'Invisible reCAPTCHA'. The reCAPTCHA will be placed at the bottom of your form.

 Note: Using Invisible reCAPTCHA can decrease the accessibility of your form according to WCAG and Section 508 guidelines.


Verify Domains (for embedded forms)

For reCAPTCHA to work properly on embedded forms, you'll need to include the domains on which you're embedding forms. This is because the authentication of reCAPTCHA is dependent on the domain.

When reCAPTCHA is set up out in the wild, the process involves telling Google what domain you have that is allowed to use reCAPTCHA. So in order to perform that same function (telling Google where reCAPTCHA is allowed), you have to set up your allowed domains within Formstack so that we can tell reCAPTCHA the domain is allowed. The setup of your allowed domains is on a per form basis. Your level of user and form permissions on the Formstack account also come into play here.

How to Upgrade All Your Forms (account admins only)

You can update the domain for all forms in the account ONLY if you're an account Admin. Only account Admin users can change account-level domains. Permissions to edit allowed domains are in line with the permission levels of the account.

An account Admin is, and should be, able to edit account-wide domains and any form-level domains for the entire account. These account-level domains are restricted from non-account Admins. However, any user with form permissions can change form-level domains for reCAPTCHA. 

To add an account-level domain, open the link under the reCAPTCHA setting in Form Extras for your form that says "add your domains." A lightbox will appear giving you the option to add account-level domains and/or form-level domains. Place your domains in the account-level box, listing one per line. (List these without the leading "https://www.")

These will be the allowed domains reCAPTCHA will authenticate and will allow reCAPTCHA to work correctly when embedded on these domains.



How to Upgrade a Single Form (account admins or form admins)

Account Admins can add account-wide domains as well as form-specific domains. A Form Admin can only add a form-specific domain for reCAPTCHA.




Accessibility Shortcomings

As mentioned above, Invisible reCAPTCHA can decrease the accessibility of your form according to WCAG and Section 508 guidelines. View our page on WCAG and 508 Compliance. 

Most users don't have to worry about WCAG and 508 compliance, but if you do, we have a trick you can use instead of reCAPTCHA.

You can make a field on your form that requires a specific answer which the end-user has to complete correctly. In the example below, we've added a field that asks the end-user to calculate a numeric value and input the value in the field. Since we've set the min and max values to match very near the correct answer, this will force the correct value to be input before the form can be submitted.

Min/max settings can not be the same number. So if the target value is “4” please set min to 3.9 and set max to 4.1. Also please set the decimal setting to “1” -- see example shown below.





Was this article helpful?
15 out of 22 found this helpful