
Configure a custom CAPTCHA provider in Power Pages

CAPTCHA is a security challenge that protects web forms from automated bots, spam submissions, and credential stuffing attacks.

By default, Power Pages includes a built-in CAPTCHA control powered by Telerik, and it supports replacing that control with any third-party CAPTCHA service. Custom CAPTCHA providers let you replace the default image-based challenge with modern, accessible solutions from leading vendors. This enables consistent branding, compliance with regional requirements, invisible user experiences, and alignment with your organization's security standards.

The custom CAPTCHA applies to all Power Pages form surfaces that support CAPTCHA.

Prerequisites

Before configuring a custom CAPTCHA provider, ensure you have the following items:

  • An account with a third-party CAPTCHA provider. Supported providers include any service that:
    • Provides a client-side JavaScript widget that injects a hidden form field with a response token.
    • Provides a server-side HTTPS verification endpoint that accepts a POST request with secret, response, and optionally remoteip parameters, and returns a JSON response with a "success" boolean field.
  • A site key and a secret key from your chosen CAPTCHA provider.
  • Network connectivity from the Power Pages server to the provider's HTTPS verification endpoint.
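
The verification contract in the provider requirements above can be exercised with a small client. This is an added example, not Power Pages code: the function names are hypothetical, and sending the parameters form-encoded in the POST body is an assumption about the provider.

```python
import json
from urllib.parse import urlencode, urlsplit
from urllib.request import Request, urlopen


def build_verify_request(endpoint, secret, token, remoteip=None):
    """Build the server-to-server POST; refuse anything but an HTTPS endpoint."""
    parts = urlsplit(endpoint)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("verification endpoint must be an absolute HTTPS URL")
    fields = {"secret": secret, "response": token}
    if remoteip:  # optional parameter
        fields["remoteip"] = remoteip
    # Assumption: parameters are sent form-encoded in the request body.
    return Request(endpoint, data=urlencode(fields).encode("ascii"), method="POST",
                   headers={"Content-Type": "application/x-www-form-urlencoded"})


def parse_verify_response(raw):
    """Fail closed: only a JSON object whose "success" is boolean true passes."""
    try:
        doc = json.loads(raw)
    except (ValueError, TypeError):
        return False
    return isinstance(doc, dict) and doc.get("success") is True


def verify(endpoint, secret, token, remoteip=None, timeout=5):
    """Run the exchange; a missing token or any transport error is a failed check."""
    if not token:
        return False
    request = build_verify_request(endpoint, secret, token, remoteip)
    try:
        with urlopen(request, timeout=timeout) as resp:
            return parse_verify_response(resp.read())
    except OSError:  # URLError, HTTPError and timeouts all derive from OSError
        return False
```

Running `verify` with a provider's always-pass and always-fail test keys shows whether its endpoint returns the boolean "success" field this contract depends on.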

Configure a custom CAPTCHA provider

Step 1: Obtain keys from your CAPTCHA provider

Register with your chosen CAPTCHA provider and collect the following values:

| Value | Description |
| --- | --- |
| Site key | Public key embedded in the widget HTML. Safe to expose in page source. |
| Secret key | Private key for server-side verification. Never expose client-side. |
| Client script URL | The HTTPS URL of the provider's JavaScript SDK. |
| Verification endpoint URL | The HTTPS URL the portal POSTs the response token to. |
| Response field name | Name of the hidden form field the widget injects with the token. |

Most providers have a developer console where you can register your portal domain and download these keys. For testing during setup, check whether your provider offers test keys that always pass or always fail, so you can verify the configuration without needing real user interaction.

Step 2: Configure site settings

  1. In your Power Platform environment, open Portal Management.
  2. Under Website, select Site Settings.
  3. Create or update the following site settings. Use the exact setting names shown.

Provider selection

| Site Setting | Type | Required | Description |
| --- | --- | --- | --- |
| Captcha/Provider | String | No | Set to custom to enable a third-party CAPTCHA provider. The comparison is case-insensitive (Custom, CUSTOM, and custom all work). Any other value, or leaving this setting absent, uses the default built-in CAPTCHA. |

Note

To revert to the built-in CAPTCHA, delete the Captcha/Provider site setting or set it to any value other than custom, then clear the portal cache. The portal automatically returns to using the default built-in CAPTCHA. Existing Captcha/Custom/* settings are ignored and can remain in place.

Custom provider settings

The portal reads these settings only when you set Captcha/Provider to custom.

| Site Setting | Type | Required | Description |
| --- | --- | --- | --- |
| Captcha/Custom/WidgetHtml | HTML | Yes | The HTML snippet that renders the CAPTCHA widget on the form. Must include the provider's required attributes such as data-sitekey. Example: <div class="captcha" data-sitekey="YOUR_SITE_KEY"></div> |
| Captcha/Custom/ClientScriptUrl | URL | Recommended | The HTTPS URL of the third-party CAPTCHA SDK script to load on the page. Must use HTTPS. HTTP and malformed URLs are rejected. If omitted, no external script is registered. |
| Captcha/Custom/ValidationEndpoint | URL | Yes | The HTTPS verification endpoint URL. The portal POSTs the response token to this URL for server-side validation. Must use HTTPS. |
| Captcha/Custom/ValidationSecretKey | String | Yes | Your secret key from the CAPTCHA provider, used for server-to-server verification. This value is never sent to the browser. |
| Captcha/Custom/ResponseFieldName | String | Yes | The name of the hidden form field that the CAPTCHA widget automatically injects with the response token after a visitor completes the challenge. |
| Captcha/Custom/ErrorMessage | String | No | The error message displayed when CAPTCHA validation fails. If empty or missing, the portal uses its default CAPTCHA error message. |

Important

The portal renders the Captcha/Custom/WidgetHtml and Captcha/Custom/ClientScriptUrl values directly on the page. Only portal administrators with Dataverse write access can modify site settings. Don't enter user-supplied or untrusted values in these fields.
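
A pre-deployment check of the settings listed above, as an added example rather than a Power Pages tool. It assumes the site settings have been exported to a name-to-value mapping; the function name, the sample values and the captcha.example host are constructed for illustration.

```python
from urllib.parse import urlsplit

P = "Captcha/Custom/"
REQUIRED = ("WidgetHtml", "ValidationEndpoint", "ValidationSecretKey", "ResponseFieldName")
HTTPS_ONLY = ("ClientScriptUrl", "ValidationEndpoint")


def lint_captcha_settings(settings):
    """Check a {site setting name: value} mapping against the rules in the tables above."""
    # Case-insensitive match on "custom"; anything else selects the built-in CAPTCHA.
    if (settings.get("Captcha/Provider") or "").lower() != "custom":
        return ["Captcha/Provider: not 'custom', built-in CAPTCHA is in use"]
    findings = []
    for key in REQUIRED:
        if not (settings.get(P + key) or "").strip():
            findings.append(f"{P}{key}: required setting is missing or empty")
    for key in HTTPS_ONLY:
        value = settings.get(P + key)
        if value:
            parts = urlsplit(value)
            if parts.scheme != "https" or not parts.hostname:
                findings.append(f"{P}{key}: must be an absolute HTTPS URL")
    if not settings.get(P + "ClientScriptUrl"):
        findings.append(f"{P}ClientScriptUrl: omitted, no external script is registered")
    # The widget HTML is rendered on the page, so the secret must never appear in it.
    secret = settings.get(P + "ValidationSecretKey") or ""
    if secret and secret in (settings.get(P + "WidgetHtml") or ""):
        findings.append(f"{P}WidgetHtml: contains the secret key value")
    return findings


# Constructed sample values; captcha.example is a placeholder provider.
SAMPLE = {
    "Captcha/Provider": "Custom",
    P + "WidgetHtml": '<div class="captcha" data-sitekey="SITE_KEY_PLACEHOLDER"></div>',
    P + "ClientScriptUrl": "https://js.captcha.example/api.js",
    P + "ValidationEndpoint": "https://api.captcha.example/siteverify",
    P + "ValidationSecretKey": "SECRET_KEY_PLACEHOLDER",
    P + "ResponseFieldName": "captcha-response",
}

if __name__ == "__main__":
    for finding in lint_captcha_settings(SAMPLE) or ["no findings"]:
        print(finding)
```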

Step 3: Update Content Security Policy (if applicable)

If your site enforces Content Security Policy, add the CAPTCHA provider's domain to the relevant directives:

  • Add the provider's script domain to script-src.
  • Add the provider's domain to frame-src if the widget loads in an iframe.
  • Add image and style domains to img-src and style-src as needed.

Without these entries, the browser blocks the CAPTCHA script and widget from loading.
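
To find which directives still need the provider's domain, the check below compares an existing policy string with the URLs the widget loads. It is an added example, not part of Power Pages: source matching is simplified (ports and paths in source expressions are ignored, and script-src-elem is not considered), and the captcha.example hosts are constructed.

```python
from urllib.parse import urlsplit

# Directives consulted when the specific one is absent from the policy.
FALLBACK = {"frame-src": ["child-src", "default-src"]}
# Constructed sample policy and provider URLs (captcha.example is a placeholder).
SAMPLE_POLICY = "default-src 'self'; script-src 'self' https://js.captcha.example; img-src *"
SAMPLE_NEEDS = {"script-src": ["https://js.captcha.example/api.js"],
                "frame-src": ["https://challenge.captcha.example/frame"]}

def parse_csp(policy):
    """Split a policy string into {directive: [source expressions]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives

def source_allows(source, url):
    """Simplified host matching for HTTPS URLs; ports and paths in sources are ignored."""
    target = urlsplit(url)
    if source in ("*", "https:"):
        return True
    if source.startswith("'"):  # 'self', 'none', nonces and hashes name no provider host
        return False
    scheme, sep, rest = source.partition("://")
    if not sep:
        scheme, rest = "", source
    if scheme.lower() not in ("", "http", "https"):
        return False
    host = rest.split("/")[0].split(":")[0].lower()
    if host.startswith("*."):
        return target.hostname.endswith(host[1:])
    return host == target.hostname

def missing_csp_entries(policy, needs):
    """needs maps directive -> provider URLs; returns (directive, url) pairs the policy blocks."""
    directives = parse_csp(policy)
    missing = []
    for directive, urls in needs.items():
        chain = [directive] + FALLBACK.get(directive, ["default-src"])
        sources = next((directives[d] for d in chain if d in directives), None)
        if sources is None:
            continue  # no directive restricts this resource type
        missing += [(directive, u) for u in urls
                    if not any(source_allows(s, u) for s in sources)]
    return missing
```

With the sample policy, frame-src is absent and falls back to default-src 'self', so the provider's iframe is reported as blocked while its script is allowed.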