Forum Discussion

Anzine321's avatar
Anzine321
Icon for Altocumulus rankAltocumulus
Aug 15, 2023

captcha not show after enable header security

I have a problem when i enable header security link article https://my.f5.com/manage/s/article/K57207881 But captcha not show    How to check this problem
application delivery
  • Amine_Kadimi's avatar
    Amine_Kadimi
    Aug 21, 2023

    You need then to allow google recaptcha URLs. Something like that:

     

    if {!([HTTP::header exists "Content-Security-Policy"])} {
       HTTP::header insert Content-Security-Policy "default-src 'self'; script-src 'self' https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/; style-src 'self'; font-src 'self'; img-src 'self'; frame-src 'self' https://www.google.com/recaptcha/ https://recaptcha.google.com/recaptcha/; upgrade-insecure-requests"
}

     

    Frequently Asked Questions  |  reCAPTCHA  |  Google for Developers

Amine_Kadimi's avatar
Amine_Kadimi
Icon for MVP rankMVP

What exact captcha are you referring to?

What is the security headers configuration you've implemented?

Anzine321's avatar
Anzine321
Icon for Altocumulus rankAltocumulus
Aug 17, 2023

the format that i inspect png, and image broken 

i removed this rule and the captcha show again, i dont know what exactly should i modify this parameter

if {!([HTTP::header exists "Content-Security-Policy"])} {
       HTTP::header insert Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self'; font-src 'self'; img-src 'self'; frame-src 'self'; upgrade-insecure-requests"

Thanks

 

  • Amine_Kadimi's avatar
    Amine_Kadimi
    Icon for MVP rankMVP
    Aug 18, 2023

    You didn't mention what kind of captcha you are using (recaptcha, hcaptcha, self made captcha ...). If this is an external service (hCaptcha, reCaptcha) you will have to tweak you rules a little bit.

    • Anzine321's avatar
      Anzine321
      Icon for Altocumulus rankAltocumulus
      Aug 21, 2023

       reCaptcha by google developer, i dont know how to modify irule, do you have any suggestion or reference ?

      Thanks

      • Amine_Kadimi's avatar
        Amine_Kadimi
        Icon for MVP rankMVP
        Aug 21, 2023

        You need then to allow google recaptcha URLs. Something like that:

         

        if {!([HTTP::header exists "Content-Security-Policy"])} {
       HTTP::header insert Content-Security-Policy "default-src 'self'; script-src 'self' https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/; style-src 'self'; font-src 'self'; img-src 'self'; frame-src 'self' https://www.google.com/recaptcha/ https://recaptcha.google.com/recaptcha/; upgrade-insecure-requests"
}

         

        Frequently Asked Questions  |  reCAPTCHA  |  Google for Developers