434

I'm developing a website using PHP and I want to make a human verification in one of the sessions. For the development, I'm initially running the system locally and when it is ready, I'm going to put it on some domain.

In the reCAPTCHA website it is said that the plugin will only work at the given domain (and subdomains).

Is there a way to use the reCAPTCHA plugin on a localhost?

1
  • 1
    Clear cookies if you added localhost after the fact.
    – Mike Flynn
    Commented Feb 4, 2017 at 20:02

26 Answers 26

Reset to default
480

Update

The original answer is no longer correct. The developer's guide now states:

"If you would like to use "localhost" for development, you must add it to the list of domains."

This will only work if you access localhost using 127.0.0.1/... rather than localhost/....

The original answer is preserved below.

According to the reCAPTCHA Developer's Guide:

"localhost domains are no longer supported by default. If you wish to continue supporting them for development you can add them to the list of supported domains for your site key. Go to the admin console to update your list of supported domains. We advise to use a separate key for development and production and to not allow localhost on your production site key."

In other words, simply use the same key.

16
  • 10
    I checked to confirm whether the words were on that page. It was gone! In 2015, you can find the above quote @ developers.google.com/recaptcha/docs/start
    – Joshua Plicque
    Commented Jan 14, 2015 at 20:10
  • 15
    This answer is accurate, but there's an important caveat that stumped me: When migrating from reCAPTCHA v1 to v2, it is necessary to regenerate the API keys in order for this message to disappear. Further, and equally important, if you're like me and you setup test domains in your local/development environment by placing entries into the operating system's "hosts" file, you will need to add those "fake" domains to the allowed domains for the reCAPTCHA account in question to resolve the "ERROR: Invalid domain for site key" error.
    – Ben Johnson
    Commented Jul 8, 2015 at 0:29
  • 6
    When your localhost isn't named "localhost" then it's not working.
    – Hexodus
    Commented Feb 19, 2016 at 7:06
  • 14
    Google seems to have removed the ability to test on localhost.
    – IrishChieftain
    Commented Aug 8, 2016 at 17:59
  • 7
    while localhost did not work for me I was able to use both 127.0.0.1 and also a *.xip.io address.
    – davidbates
    Commented Nov 1, 2016 at 16:05
195

This worked for me:

Extracted from the reCAPTCHA documentation:

With the following test keys, you will always get No CAPTCHA and all verification requests will pass.

Site key: 6LeIxAcTAAAAAJcZVRqyHh71UMIEGNQ_MXjiZKhI

Secret key: 6LeIxAcTAAAAAGG-vFI1TnRWxMZNFuojJ4WifJWe

The reCAPTCHA widget will show a warning message to claim that it's only for testing purpose. Please do not use these keys for your production traffic.

6
  • 1
    If this stops working, I'll switch to Automattic's solution. Your solution here is the only thing keeping me from dropping this annoying technology.
    – Jay Brunet
    Commented Aug 28, 2019 at 17:34
  • 1
    this seems to be the "right answer" as it keeps your dev environment distinct from your prod environment.
    – ChronoFish
    Commented Feb 20, 2020 at 13:45
  • 8
    Looks like those keys are out of date. The link redirects to an FAQ that gives updated keys: 6LeIxAcTAAAAAJcZVRqyHh71UMIEGNQ_MXjiZKhI and 6LeIxAcTAAAAAGG-vFI1TnRWxMZNFuojJ4WifJWe.
    – Adam Zerner
    Commented Mar 5, 2021 at 0:11
  • 4
    Note also that these are for reCAPTCHA v2, not reCAPTCHA v3. The FAQ recommends you make your own seperate keypair for testing against v3.
    – nikobelia
    Commented Apr 28, 2021 at 14:48
  • 1
    It does not make sense to use these keys if you have a Google account. Just go to google.com/recaptcha/admin, choose create and register both localhost and 127.0.0.1 The key pair is specific to your localhost, so you don't depend on the registration of somebody else 'localhost'.
    – RWC
    Commented Sep 3, 2022 at 15:20
115

Please note that as of 2016, reCAPTCHA doesn't natively support localhost anymore. From the FAQ:

Localhost domains are no longer supported by default. If you wish to continue supporting them for development you can add them to the list of supported domains for your site key. Go to the admin console to update your list of supported domains. We advise to use a separate key for development and production and to not allow localhost on your production site key.

Just add localhost to your list of domains for your site and you'll be good.

4
  • 16
    I added localhost but still getting error "Localhost is not is the list of supported domains for this site key."
    – aadi1295
    Commented Aug 2, 2016 at 21:27
  • 9
    @ArbazAbid You may need to wait an hour or so for google to update their system...
    – CC Inc
    Commented Aug 4, 2016 at 17:02
  • 1
    Additionally, if you have many projects and you setup Windows hosts file and VirtualHosts, e.g. in WAMP it could be found here C:\wamp\bin\apache\Apache2.2.21\conf\extra\httpd-vhosts.conf, then register your project ServerName. Tested and works fine.
    – Jeffz
    Commented Nov 25, 2016 at 13:35
  • @Jeffz The hosts file is not Windows specific - this is good general advice.
    – Nathan Hornby
    Commented Mar 1, 2017 at 15:33
94

It's so easy:

  1. Go to your google reCAPTCHA adminstration panel
  2. Add localhost & 127.0.0.1 to the domains of a new site, like the following image.

Enter image description here

Update:

If your question is how to set reCAPTCHA on the Google site for using it in localhost, then it has be as I wrote it above, but if you are curious how you can use reCAPTCHA on both localhost and a website host by minimal code in your controller and prevent some codes like ConfigurationManager.AppSettings["ReCaptcha:SiteKey"] in it, then I help you with this extra description and code in my answer.

Do you like the following GET and POST actions?

The code below supports reCAPTCHA and doesn't need any other code for handling reCAPTCHA.

[HttpGet]
[Recaptcha]
public ActionResult Register()
{
    // Your code in the GET action
}

[HttpPost]
[Recaptcha]
[ValidateAntiForgeryToken]
public ActionResult Register(RegisterViewModel model, string reCaptcha_SecretKey){
   // Your code in the POST action
   if (!ModelState.IsValid || !ReCaptcha.Validate(reCaptcha_SecretKey))
   {
       // Your code
   }
   // Your code
}

In View: (reference)

@ReCaptcha.GetHtml(@ViewBag.publicKey)

@if (ViewBag.RecaptchaLastErrors != null)
{
    <div>Oops! Invalid reCAPTCHA =(</div>
}

To use it

A) Add the following ActionFilter to your Web project:

public class RecaptchaAttribute : FilterAttribute, IActionFilter
{
    public void OnActionExecuting(ActionExecutingContext filterContext)
    {
        var setting_Key = filterContext.HttpContext.Request.IsLocal ? "ReCaptcha_Local" : "ReCaptcha";
        filterContext.ActionParameters["ReCaptcha_SecretKey"] = ConfigurationManager.AppSettings[$"{setting_Key}:SecretKey"];
    }

    public void OnActionExecuted(ActionExecutedContext filterContext)
    {
        var setting_Key = filterContext.HttpContext.Request.IsLocal ? "ReCaptcha_Local" : "ReCaptcha";
        filterContext.Controller.ViewBag.Recaptcha = ReCaptcha.GetHtml(publicKey: ConfigurationManager.AppSettings[$"{setting_Key}:SiteKey"]);
        filterContext.Controller.ViewBag.publicKey = ConfigurationManager.AppSettings[$"{setting_Key}:SiteKey"];
    }
}

B) Add the reCAPTCHA settings keys for both localhost and website like this in your webconfig file:

<appSettings>

    <!-- RECAPTCHA SETTING KEYS FOR LOCALHOST -->
    <add key="ReCaptcha_Local:SiteKey" value="[Localhost SiteKey]" />
    <add key="ReCaptcha_Local:SecretKey" value="[Localhost SecretKey]" />
    <!-- RECAPTCHA SETTING KEYS FOR WEBSITE -->
    <!--<add key="ReCaptcha:SiteKey" value="[Webite SiteKey]" />
    <add key="ReCaptcha:SecretKey" value="[Webite SecretKey]" />-->

    <!-- OTHER SETTING KEYS OF YOUR PROJECT -->

</appSettings>

Note: By this way you did not need set the reCaptcha_SecretKey parameter in the post action or any ViewBag for reCaptcha manually in your Actions and Views. All of them will be filled in automatically at runtime with appropriate values depending on if you have run the project on the localhost or website.

1
  • 1
    You deserve a cookie! We have been struggling with this localhost is not supported error and finally the easiest way was to add both localhost & 127.0.0.1. Props to you.
    – Megajin
    Commented Jan 20, 2023 at 13:04
29

When you add domains in Google reCAPTCHA:

Add new domain:

Localhost, not localhost

"L" is a capital letter.

5
  • 3
    Letter case does not matter. I have just tested. It is the same to add Localhost or localhost. At least, in reCaptcha v3.
    – jstuardo
    Commented Aug 14, 2020 at 13:39
  • 1
    Tested this with Recaptcha v2. Localhost and localhost both will not save.
    – Ryan B
    Commented Jan 16, 2021 at 19:58
  • Does the uppercase "L" in "Localhost" really matter? Are you sure about that?
    – Peter Mortensen
    Commented Jul 20, 2021 at 20:45
  • Capital L on v3 was required for me :/
    – cman77
    Commented Jan 21, 2022 at 23:40
  • 1
    Confirmed, capital L makes a difference.
    – Lukas
    Commented Apr 4, 2023 at 20:08
23

As of January 2nd, 2021, Google posted these two keys for testing in this article.

I'd like to run automated tests with reCAPTCHA. What should I do? For reCAPTCHA v3, create a separate key for testing environments. Scores may not be accurate as reCAPTCHA v3 relies on seeing real traffic.

For reCAPTCHA v2, use the following test keys. You will always get No CAPTCHA and all verification requests will pass.

Site key: 6LeIxAcTAAAAAJcZVRqyHh71UMIEGNQ_MXjiZKhI
Secret key: 6LeIxAcTAAAAAGG-vFI1TnRWxMZNFuojJ4WifJWe

The reCAPTCHA widget will show a warning message to ensure it's not used for production traffic.

The generated emails went into spam the first time I used the keys.

1
  • These keys are in their documentation, but since they only apply to reCAPTCHA v2, they're not too valid anymore. I can' t imagine if you're developing today its not easier to just switch to v3 than it is to troubleshoot v2.
    – Jamie Marshall
    Commented Mar 19, 2021 at 3:07
11

Remove the current reCAPTCHA key, register the new key, and set your key settings with these domains:

127.0.0.1
localhost
11

Latest update 2022 Localhost domains are not supported by default. If you wish to continue supporting them for development, you can add them to the list of supported domains for your site key.

https://developers.google.com/recaptcha/docs/faq#im-getting-an-error-localhost-is-not-in-the-list-of-supported-domains.-what-should-i-do

I added "localhost" and it is working perfectly fine. Google Repatcha Localhost

OR

For reCAPTCHA v2, use the following test keys. You will always get No CAPTCHA and all verification requests will pass.

Site key: 6LeIxAcTAAAAAJcZVRqyHh71UMIEGNQ_MXjiZKhI
Secret key: 6LeIxAcTAAAAAGG-vFI1TnRWxMZNFuojJ4WifJWe

Reference

1
  • 1
    Wow, after few hours ... this works. How is that this keys works, please?
    – mimros
    Commented Jul 13, 2023 at 15:27
8

Google has recently stopped allowing localhost being allowed by default (as touched upon by @Artur Cesar De Melo). This is under their FAQ:

I'm getting an error "Localhost is not in the list of supported domains". This was working before, what should I do?

localhost domains are no longer supported by default. If you wish to continue supporting them for development you can add them to the list of supported domains for your site key. Go to the admin console to update your list of supported domains. We advise to use a separate key for development and production and to not allow localhost on your production site key.

1: Create a separate key for your development environment

2: Add 127.0.0.1 to the list of allowed domains

3: Save changes and allow up to 30 minutess for changes to take affect

7

To your domains list of Google reCAPTCHA websites (https://www.google.com/recaptcha/admin/site/{siteid}/settings), add LOCALHOST.

If the above doesn't work, try adding 127.0.0.1 too.

1
  • 5
    Why in uppercase ("LOCALHOST")?
    – Peter Mortensen
    Commented Jul 20, 2021 at 20:58
6

reCAPTCHA will not work on localhost/.

Use 127.0.0.1/ instead of localhost/.

3
  • 1
    How is this answer different from the accepted one?
    – smottt
    Commented Sep 22, 2017 at 11:58
  • 1
    It is simpler version of accepted one. Both answers are incorrect in accepted one. For 1) You don't need to add localhost to the accepted list of domains. For 2) It doesn't work with localhost.
    – alianjum0
    Commented Sep 24, 2017 at 6:47
  • 1
    May 2021: Do not add any character after the name or address, google will throw error The following domain is invalid: 127.0.0.1/. A valid domain requires a host and must not include any protocol, path, port, query or fragment.
    – Dexter
    Commented May 24, 2021 at 11:25
6

  1. Register your website at https://www.google.com/recaptcha/admin

  2. Add the JavaScript plugin

  3. Add the class and your site key provided by Google

    Enter image description here

5

As per Google's reCAPTCHA documentation

localhost domains are no longer supported by default. If you wish to continue supporting them for development you can add them to the list of supported domains for your site key. Go to the admin console to update your list of supported domains. We advise to use a separate key for development and production and to not allow localhost on your production site key

3

localhost works now. However, remember that after adding localhost to list of domain names, it takes up to 30 minutes to take effect (according to the help tip shown against the domain names list).

1

If you have an old key, you should recreate your API key. Also be aware of proxies.

2
  • 1
    What is the issue with proxies? The proxy needs to allow communication back from the Google API?
    – smoore4
    Commented Oct 3, 2016 at 7:31
  • 1
    @SQLDBA Either it's not configured well or new location(IP) is from sanction countries, it can cause some problems.
    – Soheil Novinfard
    Commented Oct 3, 2016 at 8:52
1

You can write "localhost" or "127.0.0.1", but the URL must be the same.

Example: Google Domains Add -> localhost URL => localhost/login.php

Example: Google Domains Add -> 127.0.0.1 URL => 127.0.0.1/login.php

1

I was recently working on creating a website involving reCAPTCHA v2 and I had a need to do test automation on my localhost. I did not add any IP address or localhost into the reCAPTCHA administration portal.

Follow the below steps

  1. Log in to the reCAPTCHA administration site. Screenshot

  2. Locate Key Settings

  3. Click on advanced settings

  4. Under Domain Name Validation, uncheck Verify the origin of reCAPTCHA solutions checkbox. This option is used to verifying requests coming from one of the above listed domains.

    Please note that, if disabled, you are required to check the hostname on your server when verifying a solution.

I created a new key, disabled this, and used this key for testing in localhost.

This is a sample page which implements reCAPTCHA for comments.

1

As of today in 2021, the Google reCAPTCHA Enterprise version console includes a validation check that does not allow addition of localhost to the list of allowed domains. To get around this (obviously only for development/testing purposes) doing the following works for me:

  1. Create an entry in your hosts file that resolves your domain to your localhost

    127.0.0.1    whatever-your-domain-will-be.com

  2. Test your application not by navigating to localhost, but rather by navigating to your domain.

My local server/app would normally run at http://localhost:4000, so navigating to http://whatever-your-domain-will-be.com:4000 did the trick.

Once deployed or testing is complete it's easy enough to remove the hosts file entry and there is no lingering trash in the reCAPTCHA allowed domains list.

1
  • And if the website is already up on that domain and you don't want to change your hosts file all the time, just use a subdomain, e.g. 127.0.0.1 local.whatever-your-domain-will-be.com.com.
    – T3rm1
    Commented Feb 24, 2023 at 15:33
0

This may be helping all the users having problems with reCAPTCHA on localhost. Google indeed says "By default, all keys work on 'localhost' (or '127.0.0.1')", but for real using reCAPTCHA on localhost may cause problems. In my case, I solved it using secure tokens.

I posted a working solution for PHP here.

0

For testing purposes, if you want to test your web page which includes reCAPTCHA on localhost, then add localhost in the domain list by the Admin Console 2: https://www.google.com/recaptcha/admin. *It is advised to create a separate site key for localhost.

Admin Console Screenshot

CAPTCHA Output

0

The way that worked for me, was to use my external IP address.

If you don't know what it is, just google "What's my IP"

Then use your IP address and set this in your domains for the captcha and it should start working OK.

0

If you are using Laravel then you should restart your server and run the following two commands:

php artisan config:clear

php artisan cache:clear
0

I am going to deactivate Recaptcha before migration. Unfortunately, I think I have to go through a whole new migration just to get around the Recaptcha.

1
  • As it’s currently written, your answer is unclear. Please edit to add additional details that will help others understand how this addresses the question asked. You can find more information on how to write good answers in the help center.
    – Community Bot
    Commented Nov 20, 2023 at 22:59
-1

For me, it worked deleting my actual configuration and creating a new one, adding domains like this:

enter image description here

3
  • 1
    This is dangerous. You shouldn't whitelist local addresses and public addresses. If I go to your site, I can get around you're recaptcha easily since, my computer (and any computer) can be 127.0.0.1. If you're wondering who would do that, I work in media and I can tell you for sure many, many malicious bots on the web do this.
    – Jamie Marshall
    Commented Mar 19, 2021 at 3:13
  • Sure, but I am doing this only for dev purposes. On prod, obviously this is going to be changed. Thanks for the advice! :)
    – Carlos Cruz
    Commented Mar 23, 2021 at 4:18
  • 2
    Yes but you list a public ip in your screen grab. Seriously, this is an exploit. If you're hosting an integration or test stie somewhere, use a new recaptcha key for that. For your local box, only use only localhost and 127.0.0.1. Its not the most serious exploit when we're talking recaptcha, but it hints at less than careful security practice. Just one guys opinion.
    – Jamie Marshall
    Commented Mar 23, 2021 at 15:12
-1

I got an error related to reCAPTCHA on a Laravel website. I resolved it by using some commands and with an env file and previous answers will also help in this problem.

First of all, check the env file (in your case, the file which has the Google reCAPTCHA key) for the Google reCAPTCHA key.

Second, run these commands:

  1. php artisan config:clear
  2. php artisan cache:clear
  3. composer dump-autoload
  4. php artisan view:clear
  5. php artisan route:clear

It will solve your problem.

1
  • 1
    This is not about issue with reCaptcha, caching issues, this is about using it under development environment (localhost domains).
    – ROOT
    Commented Jan 24, 2020 at 9:37
-6

Quick answer

Do get requests on Recaptcha in your backend rather than frontend

Not the answer you're looking for? Browse other questions tagged or ask your own question.