Forum Discussion

Altocumulus

Aug 15, 2023

captcha not show after enable header security

I have a problem when i enable header security link article https://my.f5.com/manage/s/article/K57207881 But captcha not show How to check this problem

application delivery

Amine_Kadimi

Aug 21, 2023

You need then to allow google recaptcha URLs. Something like that:

if {!([HTTP::header exists "Content-Security-Policy"])} {
       HTTP::header insert Content-Security-Policy "default-src 'self'; script-src 'self' https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/; style-src 'self'; font-src 'self'; img-src 'self'; frame-src 'self' https://www.google.com/recaptcha/ https://recaptcha.google.com/recaptcha/; upgrade-insecure-requests"
}

Frequently Asked Questions | reCAPTCHA | Google for Developers

Amine_Kadimi

MVP

What exact captcha are you referring to?

What is the security headers configuration you've implemented?

Anzine321

Altocumulus

Aug 17, 2023

the format that i inspect png, and image broken

i removed this rule and the captcha show again, i dont know what exactly should i modify this parameter

if {!([HTTP::header exists "Content-Security-Policy"])} {
HTTP::header insert Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self'; font-src 'self'; img-src 'self'; frame-src 'self'; upgrade-insecure-requests"

Thanks

Amine_Kadimi
MVP
Aug 18, 2023
You didn't mention what kind of captcha you are using (recaptcha, hcaptcha, self made captcha ...). If this is an external service (hCaptcha, reCaptcha) you will have to tweak you rules a little bit.
- Anzine321
  Altocumulus
  Aug 21, 2023
  reCaptcha by google developer, i dont know how to modify irule, do you have any suggestion or reference ?
  Thanks
  - Amine_Kadimi
    MVP
    Aug 21, 2023
    You need then to allow google recaptcha URLs. Something like that:
    
    if {!([HTTP::header exists "Content-Security-Policy"])} { HTTP::header insert Content-Security-Policy "default-src 'self'; script-src 'self' https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/; style-src 'self'; font-src 'self'; img-src 'self'; frame-src 'self' https://www.google.com/recaptcha/ https://recaptcha.google.com/recaptcha/; upgrade-insecure-requests" }
    
    Frequently Asked Questions | reCAPTCHA | Google for Developers

Recent Discussions

Under Attack? F5 Will Help You.
Contacting F5 Support?

DevCentral Quicklinks

* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com

Discover DevCentral Connects

* Podcasts
* Social Channels
* Video Streaming

Forum Discussion

captcha not show after enable header security

Recent Discussions

Problem with lets encrypt and redirect after update

Should config via cli rather than gui?

Is a Dedicated Interface, VLAN, and Self IP Required for a VIP in an F5 Configuration?

question about getting hsl data to be formatted properly in splunk

iRule for client certificate verification and inserting CN

Related Content

OWASP Automated Threats - CAPTCHA Defeat (OAT-009)

F5 Security Podcasts

Adaptive Apps: Replicate & deploy WAF application security policies across F5's security portfolio

Auditing Security Policy Updates

SSL Orchestrator Advanced Use Cases: Enabling GCloud Organization Restrictions

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS