It seems like your browser didn't download the required fonts. Please revise your security settings and try again.
Barracuda Campus Barracuda Campus
Barracuda Web Application Firewall
Overview Documentation Training Certification Materials

CAPTCHA Protection Mechanisms

  • Last updated on

As one of the lines of defense against automated bots, the Barracuda Web Application Firewall can issue a challenge in the form of CAPTCHA tests. The Barracuda Web Application Firewall can be configured to issue any one of the following:

  • CAPTCHA
  • reCAPTCHAv2
  • reCAPTCHAv3
  • hCaptcha

CAPTCHA – A challenge is enforced on the client when they are tagged as suspicious. The client is forced to answer a CAPTCHA challenge before accessing the URL space. The suspicious client IP addresses will be tracked for a defined time of 900 seconds.

ReCAPTCHAv2 – A challenge enforced on the client for protecting a website from spam or any other types of automated abuse like BOTS etc. The Barracuda Web Application Firewall uses Google reCAPTCHA, which is an advancement over the classical version of CAPTCHA for protecting websites from spams. reCAPTCHA uses an advanced risk analysis engine and adaptive CAPTCHAs to keep automated software from engaging in abusive activities on a client’s site. It also allows all valid clients to pass through with ease.

The administrator should generate a unique key pair (a site key and a site secret) specific to the website at the following link: Sign up for an API key pair . The key pair consists of a site key and a secret key. The site key is used to invoke the reCAPTCHA service for the website, and the secret key authorizes communication between the client and the website. The secret key must be kept safe for security purposes.

  • Domains – Specify the domain to be challenged with selected CAPTCHA method
  • Site Key – Specify the reCAPTCHA site key for the selected domain
  • Site Secret – Specify the reCAPTCHA secret for the selected domain

reCAPTCHAv3 – An invisible CAPTCHA that returns a score for the request without interpreting with the user. This means that the user has no action to perform during validation. The invisible reCaptcha automatically analyzes and appears only when it realizes the existence of any type of automated abuses like BOTS etc. When a challenge is enforced on the client, it returns a score for the request. The score is based on interactions with your website and enables you to take an appropriate action.

hCaptcha - A challenge enforced on the client for protecting a website from spam or any other types of automated abuse like BOTS, etc. hCaptcha is an advancement over the classical version of CAPTCHA for protecting websites from spam. It uses an advanced risk analysis engine and adaptive CAPTCHAs to keep automated software from engaging in abusive activities on a client’s site. It also allows all valid clients to pass through with ease.

The administrator should generate a unique key-pair (a site key and a site secret) specific to the website at the following link: Sign up for an API key pair. The key pair consists of a site key and a secret key. The site key is used to invoke hCaptcha service for the website and the secret key authorizes communication between the client and the website. The secret key must be kept safe for security purposes.

  • Domains - Specify the domain to be challenged with the selected CAPTCHA method.
  • Site Key - Specify the hCaptcha site key for the selected domain.
  • Site Secret - Specify the hCaptcha secret for the selected domain.

The type of challenge to be presented to the incoming clients for validation is chosen on the BASIC > Services tab. When the reCAPTCHA option is selected, a few additional fields are displayed for configuration.