CAPTCHA is a security challenge that protects web forms from automated bots, spam submissions, and credential stuffing attacks.
By default, Power Pages includes a built-in CAPTCHA control powered by Telerik, and it supports replacing that control with any third-party CAPTCHA service. Custom CAPTCHA providers let you replace Power Pages' default image-based challenge with modern, accessible solutions from leading vendors. This enables consistent branding, compliance with regional requirements, invisible user experiences, and alignment with your organization's security standards.
The custom CAPTCHA applies to all Power Pages form surfaces that support CAPTCHA.
Prerequisites
Before configuring a custom CAPTCHA provider, ensure you have the following items:
- An account with a third-party CAPTCHA provider. Supported providers include any service that:
  - Provides a client-side JavaScript widget that injects a hidden form field with a response token.
  - Provides a server-side HTTPS verification endpoint that accepts a POST request with secret, response, and optionally remoteip parameters, and returns a JSON response with a "success" boolean field.
- A site key and a secret key from your chosen CAPTCHA provider.
- The Power Pages server must be able to reach the provider's HTTPS verification endpoint.
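The verification contract in the prerequisites, shown as an added example (not Power Pages or provider code): it sends secret, response and optional remoteip, and accepts only a JSON boolean true in "success", failing closed otherwise. Form encoding of the POST body, the captcha.example URL, the key and token values and the fake_provider stand-in are assumptions constructed for the illustration.

```python
import json
import urllib.parse
import urllib.request


def build_verify_body(secret, token, remote_ip=None):
    """Form-encode the parameters the verification endpoint must accept."""
    params = {"secret": secret, "response": token}
    if remote_ip:                      # remoteip is optional in the contract
        params["remoteip"] = remote_ip
    return urllib.parse.urlencode(params).encode("ascii")


def https_post(url, body, timeout=5):
    """Real transport: POST the body and return the raw response bytes."""
    req = urllib.request.Request(url, data=body, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read()


def verify_token(endpoint, secret, token, remote_ip=None, post=https_post):
    """Return True only when the provider answers {"success": true}."""
    if urllib.parse.urlsplit(endpoint).scheme != "https":
        raise ValueError("verification endpoint must use HTTPS")
    if not token:                      # widget never injected the hidden field
        return False
    try:
        reply = json.loads(post(endpoint, build_verify_body(secret, token, remote_ip)))
    except (OSError, ValueError):      # network error or non-JSON body: fail closed
        return False
    # Require a real JSON boolean; the string "true" or the number 1 does not count.
    return isinstance(reply, dict) and reply.get("success") is True


# Constructed stand-in for a provider, so the example runs offline.
def fake_provider(url, body):
    form = urllib.parse.parse_qs(body.decode("ascii"))
    ok = form.get("secret") == ["TEST_SECRET"] and form.get("response") == ["good-token"]
    return json.dumps({"success": ok}).encode()


if __name__ == "__main__":
    url = "https://captcha.example/siteverify"   # placeholder endpoint
    print(verify_token(url, "TEST_SECRET", "good-token", "203.0.113.7", post=fake_provider))
    print(verify_token(url, "TEST_SECRET", "forged", post=fake_provider))
```

Drop the post argument to run the same check against a real provider endpoint with that provider's test keys.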
Configure a custom CAPTCHA provider
Step 1: Obtain keys from your CAPTCHA provider
Register with your chosen CAPTCHA provider and collect the following values:
| Value | Description |
|---|---|
| Site key | Public key embedded in the widget HTML. Safe to expose in page source. |
| Secret key | Private key for server-side verification. Never expose client-side. |
| Client script URL | The HTTPS URL of the provider's JavaScript SDK. |
| Verification endpoint URL | The HTTPS URL the portal POSTs the response token to. |
| Response field name | Name of the hidden form field the widget injects with the token. |
Most providers have a developer console where you can register your portal domain and download these keys. For testing during setup, check whether your provider offers test keys that always pass or always fail, so you can verify the configuration without needing real user interaction.
Step 2: Configure site settings
- In your Power Platform environment, open Portal Management.
- Under Website, select Site Settings.
- Create or update the following site settings. Use the exact setting names shown.
Provider selection
| Site Setting | Type | Required | Description |
|---|---|---|---|
| Captcha/Provider | String | No | Set to custom to enable a third-party CAPTCHA provider. The comparison is case-insensitive (Custom, CUSTOM, and custom all work). Any other value, or leaving this setting absent, uses the default built-in CAPTCHA. |
Note
To revert to the built-in CAPTCHA, delete the Captcha/Provider site setting or set it to any value other than custom, then clear the portal cache. The portal automatically returns to using the default built-in CAPTCHA. Existing Captcha/Custom/* settings are ignored and can remain in place.
Custom provider settings
The portal reads these settings only when you set Captcha/Provider to custom.
| Site Setting | Type | Required | Description |
|---|---|---|---|
| Captcha/Custom/WidgetHtml | HTML | Yes | The HTML snippet that renders the CAPTCHA widget on the form. Must include the provider's required attributes such as data-sitekey. Example: <div class="captcha" data-sitekey="YOUR_SITE_KEY"></div> |
| Captcha/Custom/ClientScriptUrl | URL | Recommended | The HTTPS URL of the third-party CAPTCHA SDK script to load on the page. Must use HTTPS. HTTP and malformed URLs are rejected. If omitted, no external script is registered. |
| Captcha/Custom/ValidationEndpoint | URL | Yes | The HTTPS verification endpoint URL. The portal POSTs the response token to this URL for server-side validation. Must use HTTPS. |
| Captcha/Custom/ValidationSecretKey | String | Yes | Your secret key from the CAPTCHA provider, used for server-to-server verification. This value is never sent to the browser. |
| Captcha/Custom/ResponseFieldName | String | Yes | The name of the hidden form field that the CAPTCHA widget automatically injects with the response token after a visitor completes the challenge. |
| Captcha/Custom/ErrorMessage | String | No | The error message displayed when CAPTCHA validation fails. If empty or missing, the portal uses its default CAPTCHA error message. |
Important
The portal renders the Captcha/Custom/WidgetHtml and Captcha/Custom/ClientScriptUrl values directly on the page. Only portal administrators with Dataverse write access can modify site settings. Don't enter user-supplied or untrusted values in these fields.
Step 3: Update Content Security Policy (if applicable)
If your site enforces Content Security Policy, add the CAPTCHA provider's domain to the relevant directives:
- Add the provider's script domain to script-src.
- Add the provider's domain to frame-src if the widget loads in an iframe.
- Add image and style domains to img-src and style-src as needed.
Without these entries, the browser blocks the CAPTCHA script and widget from loading.
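A pre-deployment check of the Step 2 site settings against the Step 3 CSP, shown as an added example rather than a Power Pages tool. The settings dictionary, the sample values and the captcha.example host are constructed; the CSP comparison is exact-match only.

```python
from urllib.parse import urlsplit

PREFIX = "Captcha/Custom/"
REQUIRED = ("WidgetHtml", "ValidationEndpoint", "ValidationSecretKey", "ResponseFieldName")

def https_host(url):
    """Return the hostname of a well-formed HTTPS URL, else None."""
    try:
        parts = urlsplit(url)
        return parts.hostname if parts.scheme == "https" else None
    except ValueError:
        return None

def csp_sources(csp, directive):
    """Return the source list of one directive from a CSP header value."""
    for part in csp.split(";"):
        words = part.split()
        if words and words[0].lower() == directive:
            return words[1:]
    return []

def lint_captcha_settings(settings, csp=None):
    """Return findings for a dict mapping site-setting names to values."""
    if settings.get("Captcha/Provider", "").strip().lower() != "custom":
        return ["Captcha/Provider is not 'custom'; the built-in CAPTCHA is used"]
    def get(name):
        return settings.get(PREFIX + name, "").strip()
    findings = [f"{PREFIX}{n} is required but missing or empty" for n in REQUIRED if not get(n)]
    for name in ("ClientScriptUrl", "ValidationEndpoint"):
        if get(name) and not https_host(get(name)):
            findings.append(f"{PREFIX}{name} must be a well-formed HTTPS URL")
    if get("ValidationSecretKey") and get("ValidationSecretKey") in get("WidgetHtml"):
        findings.append("WidgetHtml contains the secret key and is rendered to the browser")
    host = https_host(get("ClientScriptUrl"))
    if csp and host:
        # Exact-match check only; wildcard and scheme-only sources are not evaluated.
        allowed = csp_sources(csp, "script-src") or csp_sources(csp, "default-src")
        if f"https://{host}" not in allowed and host not in allowed:
            findings.append(f"CSP script-src does not list https://{host}")
    return findings

# Constructed sample: HTTP script URL, no ResponseFieldName, secret pasted into the widget.
SAMPLE = {
    "Captcha/Provider": "Custom",
    PREFIX + "WidgetHtml": '<div class="captcha" data-sitekey="SECRET_PLACEHOLDER"></div>',
    PREFIX + "ClientScriptUrl": "http://captcha.example/api.js",
    PREFIX + "ValidationEndpoint": "https://captcha.example/siteverify",
    PREFIX + "ValidationSecretKey": "SECRET_PLACEHOLDER",
}
```

Calling lint_captcha_settings(SAMPLE) returns three findings, one for each mistake planted in the sample.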