recaptcha-and-bot-prevention

Use when configuring reCAPTCHA on Web-to-Case, Web-to-Lead, Experience Cloud forms, or Headless Identity flows, or when designing bot-mitigation strategies for Salesforce public-facing surfaces. Triggers: 'enable reCAPTCHA on Web-to-Case', 'bot spam submissions on my Experience Site', 'Headless Identity reCAPTCHA v3 setup'. NOT for AppExchange security review (use secure-coding-review-checklist), NOT for session-level login security policies (use session-management-and-timeout), NOT for IP-range-based access controls (use network-security-and-trusted-ips).

Best use case

recaptcha-and-bot-prevention is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

Use when configuring reCAPTCHA on Web-to-Case, Web-to-Lead, Experience Cloud forms, or Headless Identity flows, or when designing bot-mitigation strategies for Salesforce public-facing surfaces. Triggers: 'enable reCAPTCHA on Web-to-Case', 'bot spam submissions on my Experience Site', 'Headless Identity reCAPTCHA v3 setup'. NOT for AppExchange security review (use secure-coding-review-checklist), NOT for session-level login security policies (use session-management-and-timeout), NOT for IP-range-based access controls (use network-security-and-trusted-ips).

Teams using recaptcha-and-bot-prevention should expect a more consistent output, faster repeated execution, less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$curl -o ~/.claude/skills/recaptcha-and-bot-prevention/SKILL.md --create-dirs "https://raw.githubusercontent.com/PranavNagrecha/AwesomeSalesforceSkills/main/skills/security/recaptcha-and-bot-prevention/SKILL.md"

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/recaptcha-and-bot-prevention/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill

How recaptcha-and-bot-prevention Compares

Feature / Agentrecaptcha-and-bot-preventionStandard Approach
Platform SupportNot specifiedLimited / Varies
Context Awareness High Baseline
Installation ComplexityUnknownN/A

Frequently Asked Questions

What does this skill do?

Use when configuring reCAPTCHA on Web-to-Case, Web-to-Lead, Experience Cloud forms, or Headless Identity flows, or when designing bot-mitigation strategies for Salesforce public-facing surfaces. Triggers: 'enable reCAPTCHA on Web-to-Case', 'bot spam submissions on my Experience Site', 'Headless Identity reCAPTCHA v3 setup'. NOT for AppExchange security review (use secure-coding-review-checklist), NOT for session-level login security policies (use session-management-and-timeout), NOT for IP-range-based access controls (use network-security-and-trusted-ips).

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

SKILL.md Source

# reCAPTCHA and Bot Prevention

Use this skill when adding bot protection to any Salesforce public-facing surface: Web-to-Case, Web-to-Lead, Experience Cloud custom forms, or Headless Identity registration/login flows. It covers the built-in reCAPTCHA toggle for standard web forms, the custom LWC integration pattern for Experience Cloud, and the reCAPTCHA v3 requirement for Headless Identity APIs.

---

## Before Starting

Gather this context before working on anything in this domain:

- Identify which public-facing surfaces exist in the org: standard Web-to-Case/Lead HTML forms, Experience Cloud site pages with custom forms, or Headless Identity endpoints. Each has a different integration path.
- Confirm whether the org already has a Google reCAPTCHA project. You need a site key (client-side) and a secret key (server-side verification) from the Google reCAPTCHA Admin Console. Different surfaces may require different reCAPTCHA versions.
- Understand the spam volume and type. Automated bots submitting hundreds of cases per hour require reCAPTCHA. Sophisticated human-driven spam farms may need additional signals beyond CAPTCHA alone (e.g., honeypot fields, rate limiting, email domain validation).

---

## Core Concepts

### Mode 1: Built-In reCAPTCHA for Web-to-Case and Web-to-Lead

Salesforce provides a native reCAPTCHA v2 checkbox toggle for Web-to-Case and Web-to-Lead HTML generators. When enabled in Setup, the generated HTML snippet includes the reCAPTCHA widget and the verification is handled entirely by Salesforce on form submission. No custom Apex is required. This is the simplest integration path but only works for the standard HTML forms generated by Salesforce, not for custom-built forms or LWC components.

To enable: Setup > Web-to-Case (or Web-to-Lead) > check "Require reCAPTCHA Verification" > regenerate the HTML snippet and deploy it to your external site.

### Mode 2: Custom LWC reCAPTCHA for Experience Cloud

Experience Cloud sites with custom Lightning Web Component forms do not get the built-in reCAPTCHA toggle. You must integrate Google reCAPTCHA manually by: (1) loading the reCAPTCHA JavaScript library via a static resource or the Google CDN (requires CSP Trusted Site configuration), (2) rendering the widget or invoking the reCAPTCHA v3 execute call in the LWC, and (3) sending the token to an Apex controller that calls the Google verification endpoint server-side. The Apex callout to `https://www.google.com/recaptcha/api/siteverify` must use a Named Credential or Remote Site Setting.

### Mode 3: Headless Identity reCAPTCHA v3

Salesforce Headless Identity APIs (passwordless registration, login, and authorization) require reCAPTCHA v3 when the Headless Identity feature is enabled. This is configured in Setup > Identity > Headless Identity Settings. You provide your Google reCAPTCHA v3 site key and secret key. Salesforce enforces token verification on every Headless Identity API call. A minimum score threshold (default 0.5) determines whether the request is treated as human. reCAPTCHA v2 is not supported for Headless Identity.

---

## Common Patterns

### Pattern: Built-In Toggle for Standard Web Forms

**When to use:** The org uses only the standard Salesforce-generated Web-to-Case or Web-to-Lead HTML forms hosted on an external website.

**How it works:**
1. Navigate to Setup > Web-to-Case (or Web-to-Lead).
2. Enable "Require reCAPTCHA Verification."
3. Re-generate the HTML form snippet.
4. Replace the old HTML on your external site with the new snippet.
5. Test submission with reCAPTCHA challenge from a non-cached browser.

**Why not the alternative:** Custom implementations with the Google reCAPTCHA JavaScript API add complexity with no benefit when Salesforce already handles the full verification lifecycle for standard forms.

### Pattern: Custom Apex Verification for Experience Cloud or Custom UIs

**When to use:** The form is a custom LWC on an Experience Cloud site, a custom Aura component, or any non-standard form that cannot use the built-in toggle.

**How it works:**
1. Register a reCAPTCHA site in the Google Admin Console. Choose v2 invisible or v3 depending on UX requirements.
2. Add the Google reCAPTCHA domain to CSP Trusted Sites (Setup > CSP Trusted Sites) and create a Remote Site Setting for `https://www.google.com`.
3. In the LWC, load the reCAPTCHA script and execute it to obtain a token on form submission.
4. Pass the token to an `@AuraEnabled` Apex method.
5. The Apex method makes an HTTP POST to `https://www.google.com/recaptcha/api/siteverify` with the secret key and token.
6. Parse the JSON response. For v3, check that the `score` meets your threshold (0.5+ is typical). For v2, check `success: true`.
7. Only create the record (Case, Lead, custom object) if verification passes.

### Pattern: Layered Bot Defense

**When to use:** High-value public surfaces facing sophisticated attack patterns where reCAPTCHA alone is insufficient.

**How it works:**
1. Enable reCAPTCHA as the first line of defense.
2. Add a honeypot hidden field to catch naive bots that fill every input.
3. Implement server-side rate limiting per IP or session in Apex using Platform Cache or a custom object counter.
4. Validate email domains against a denylist of disposable email providers.
5. Use Transaction Security policies to flag bulk record creation from a single source.

---

## Decision Guidance

| Situation | Recommended Approach | Reason |
|---|---|---|
| Standard Web-to-Case/Lead HTML form | Enable the built-in reCAPTCHA toggle | Zero code, maintained by Salesforce, handles full verification |
| Experience Cloud custom LWC form | Custom reCAPTCHA v2 invisible or v3 via Apex verification | No built-in option exists; LWC must load the script and verify server-side |
| Headless Identity registration/login | Configure reCAPTCHA v3 in Headless Identity Settings | Required by Salesforce; v2 is not supported for Headless Identity |
| High-volume spam despite reCAPTCHA | Layer honeypot + rate limiting + email validation | Sophisticated bots can solve reCAPTCHA; defense in depth is required |
| Internal-only forms behind authentication | Skip reCAPTCHA entirely | Authenticated users are already identity-verified; CAPTCHA adds friction with no security benefit |

---

## Recommended Workflow

Step-by-step instructions for an AI agent or practitioner working on this task:

1. **Inventory public surfaces** -- list every unauthenticated entry point in the org: Web-to-Case, Web-to-Lead, Experience Cloud guest-accessible pages, Headless Identity endpoints, and any public Apex REST services.
2. **Choose the reCAPTCHA version per surface** -- use the Decision Guidance table above. Standard web forms get the built-in toggle, Experience Cloud custom forms get v2 invisible or v3 with Apex verification, Headless Identity mandates v3.
3. **Register reCAPTCHA keys** -- create a project in the Google reCAPTCHA Admin Console. Generate separate site key / secret key pairs for each reCAPTCHA version needed. Store secrets securely using Named Credentials or Custom Metadata (never hardcode in Apex).
4. **Implement per surface** -- follow the appropriate pattern from Common Patterns above. For custom implementations, configure CSP Trusted Sites and Remote Site Settings before writing any code.
5. **Test with bot simulation** -- verify that submissions without a valid token are rejected. For v3, test with a low score threshold to confirm score-based rejection works. Test that legitimate users can submit without friction.
6. **Add layered defenses where needed** -- for high-value surfaces, add honeypot fields, rate limiting, and email validation as described in the Layered Bot Defense pattern.
7. **Monitor and tune** -- review spam volume after deployment. If reCAPTCHA v3 scores are too permissive (many bots scoring above threshold), lower the threshold or switch to v2 invisible for that surface.

---

## Review Checklist

Run through these before marking work in this area complete:

- [ ] Every unauthenticated public-facing surface has reCAPTCHA or an equivalent bot-mitigation control
- [ ] Google reCAPTCHA secret keys are stored in Named Credentials or Custom Metadata, not hardcoded in Apex
- [ ] CSP Trusted Sites include `https://www.google.com` and `https://www.gstatic.com` for custom implementations
- [ ] Remote Site Setting exists for `https://www.google.com` for server-side Apex verification callouts
- [ ] reCAPTCHA v3 score threshold is configured and tested (not left at default without validation)
- [ ] Headless Identity Settings specify reCAPTCHA v3 (not v2) if Headless Identity is in use
- [ ] Web-to-Case/Lead HTML snippets have been regenerated after enabling the reCAPTCHA toggle
- [ ] Form submissions without a valid token are rejected with a user-friendly error

---

## Salesforce-Specific Gotchas

Non-obvious platform behaviors that cause real production problems:

1. **Regenerate HTML after enabling reCAPTCHA toggle** -- enabling "Require reCAPTCHA Verification" in Web-to-Case/Lead does not retroactively add the widget to already-deployed HTML forms. You must regenerate the snippet and redeploy it. Old forms without the widget will have all submissions silently rejected.
2. **CSP blocks reCAPTCHA script loading in Experience Cloud** -- Experience Cloud sites enforce Content Security Policy headers. If you do not add `https://www.google.com` and `https://www.gstatic.com` to CSP Trusted Sites, the reCAPTCHA JavaScript will fail to load with no visible error to the user, just a broken or absent widget.
3. **Headless Identity rejects v2 tokens** -- if you register a reCAPTCHA v2 key and configure it in Headless Identity Settings, API calls will fail with a generic error. The documentation states v3 is required, but the error message does not specify the version mismatch.
4. **reCAPTCHA tokens expire in 2 minutes** -- a token generated by the client-side reCAPTCHA widget is valid for 120 seconds. If your form has a long completion time or the Apex callout is queued behind other processing, the verification call to Google will return `timeout-or-duplicate`. Regenerate the token immediately before submission, not on page load.

---

## Output Artifacts

| Artifact | Description |
|---|---|
| Bot prevention configuration checklist | Surface-by-surface inventory of which reCAPTCHA mode is applied and which layered defenses are enabled |
| Apex verification class | Server-side reCAPTCHA token verification Apex class with Named Credential callout and score threshold handling |
| CSP and Remote Site metadata | CSP Trusted Site and Remote Site Setting entries needed for reCAPTCHA script loading and verification |

---

## Related Skills

- secure-coding-review-checklist -- use when preparing for an AppExchange security review that includes reCAPTCHA-protected surfaces
- experience-cloud-security -- use for broader Experience Cloud security hardening beyond bot prevention
- session-management-and-timeout -- use for session-level security controls that complement bot prevention at the authentication layer

Related Skills

xss-and-injection-prevention

8
from PranavNagrecha/AwesomeSalesforceSkills

Use when writing or reviewing Visualforce pages, Apex controllers, or LWC components that output user-supplied data, build dynamic queries, or construct HTTP responses. Triggers: 'XSS in Visualforce', 'SOQL injection vulnerability', 'how to encode output in Apex', 'JSENCODE Visualforce', 'open redirect prevention'. NOT for Apex CRUD/FLS enforcement (use soql-security or apex-crud-and-fls), NOT for Shield encryption (use shield-encryption-key-management), NOT for AppExchange security review process (use secure-coding-review-checklist).

recursion-and-re-entry-prevention

8
from PranavNagrecha/AwesomeSalesforceSkills

Use when a record-triggered Flow re-fires on the same record because its own DML (or a downstream Flow's DML) re-satisfies the entry criteria — causing CPU-limit failures, duplicated side effects, or 'Maximum Trigger Depth Exceeded' errors. Triggers: 'flow infinite loop', 'flow re-firing on same record', 'flow updates field then runs again', 'flow A and flow B keep updating each other', 'maximum trigger depth exceeded record-triggered flow', 'flow recursion limit hit'. NOT for Apex trigger recursion (use apex/recursive-trigger-prevention) or for Loop element design inside a single Flow run (use flow/flow-loop-element-patterns).

recursive-trigger-prevention

8
from PranavNagrecha/AwesomeSalesforceSkills

Use when debugging or preventing recursive Apex trigger behavior, especially around self-DML, static guard flaws, Set<Id>-based deduplication, and legitimate re-entry scenarios. Triggers: 'trigger recursion', 'static boolean guard', 'recursive update', 'self DML', 'trigger firing multiple times'. NOT for general trigger-framework structure unless recursion is the actual design problem.

visualforce-security-and-modernization

8
from PranavNagrecha/AwesomeSalesforceSkills

Use when hardening or modernizing legacy Visualforce pages — covers the platform CSRF token model and when disabling it is a security regression, view state encryption guarantees and the 170 KB ceiling, FLS/CRUD enforcement gaps on `<apex:outputField>` and on getters that return sObjects, `<apex:includeScript>` interaction with the org Content Security Policy, hosting LWC inside a VF page via `lightning:container` / `lightning-out`, and the retire-vs-harden-vs-leave-alone decision for an inventory of legacy pages. Triggers: 'should I rewrite this Visualforce page in LWC', 'CSRF protection disabled on Visualforce page is that safe', 'community user sees a field they should not on a Visualforce page', 'view state encryption is that enough for sensitive data', 'how do I host an LWC inside a Visualforce page', 'apex:dynamicComponent and apex:actionFunction safe to keep'. NOT for greenfield Visualforce architecture (use apex/visualforce-fundamentals — controller types, view state pattern selection, PDF rendering); NOT for Visualforce email template authoring (use apex/visualforce-email-templates if/when that skill is authored); NOT for general Apex security review across triggers and async (use apex/soql-security and security/secure-coding-review-checklist).

transaction-security-policies

8
from PranavNagrecha/AwesomeSalesforceSkills

Transaction Security policy creation and configuration: condition builder, enhanced policies, enforcement actions (block, MFA, notification, end session), real-time monitoring mode, and policy troubleshooting. NOT for Event Monitoring log analysis or Shield Event Monitoring setup (use event-monitoring). NOT for Apex testing or debug-log analysis.

sso-saml-troubleshooting

8
from PranavNagrecha/AwesomeSalesforceSkills

Diagnosing broken SAML SSO into Salesforce — IdP-initiated vs SP-initiated flows, signing-certificate validity / expiry, NameID format mismatches, RelayState handling, audience / entityId / issuer mismatches, clock skew, the SAML Assertion Validator in Setup, the Login History debug log, and the My Domain prerequisite for SSO. Covers the standard diagnostic loop: read the SAML response, identify which check failed, fix at the IdP or SP. NOT for OAuth / OpenID Connect SSO (see security/oauth-openid-troubleshooting), NOT for setting up SSO from scratch (see security/sso-saml-setup).

shield-kms-byok-setup

8
from PranavNagrecha/AwesomeSalesforceSkills

Configure Shield Platform Encryption with customer-supplied (BYOK) or customer-held (Cache-Only Key Service) tenant secrets, rotate them, and recover. NOT for Classic Encryption or field masking.

shield-event-log-retention-strategy

8
from PranavNagrecha/AwesomeSalesforceSkills

Use when designing Salesforce Shield Event Monitoring retention, SIEM routing, and storage-tier strategy — which event types to keep, for how long, where, and how to answer audit queries across hot/warm/cold tiers. Triggers: 'shield event log retention', 'route event monitoring to splunk', 'how long to keep login history', 'siem salesforce integration', 'event monitoring storage tier'. NOT for enabling Shield (see salesforce-shield-deployment).

session-management-and-timeout

8
from PranavNagrecha/AwesomeSalesforceSkills

Use this skill when configuring session timeout values, concurrent session limits, session IP locking, or logout behavior in Salesforce. Covers org-wide session settings, profile-level overrides, Connected App session policies, and Metadata API SecuritySettings deployment. NOT for OAuth token refresh flows, login IP ranges, or MFA/identity-provider configuration.

session-high-assurance-policies

8
from PranavNagrecha/AwesomeSalesforceSkills

Enforce step-up authentication for sensitive pages/objects using High Assurance session level and login flow policies. NOT for initial MFA enrollment UX.

service-account-credential-rotation

8
from PranavNagrecha/AwesomeSalesforceSkills

Use when designing credential rotation for integration users, connected apps, named credentials, and OAuth client secrets in Salesforce. Covers rotation cadence, zero-downtime handover, secret storage, and detection of stale credentials. Triggers: 'rotate integration user password', 'connected app secret rotation', 'named credential rotation', 'stale service account', 'zero downtime secret rotation'. NOT for end-user password policies.

security-incident-response

8
from PranavNagrecha/AwesomeSalesforceSkills

When to use: active or suspected Salesforce org compromise, unauthorized access investigation, attacker containment, forensic evidence collection from EventLogFile/LoginHistory, session revocation, OAuth token cleanup, eradication of attacker persistence, and post-incident recovery verification. Trigger keywords: org compromised, suspicious login, attacker access, session revocation, forensic investigation, breach response, event log forensics, login anomaly investigation, incident response runbook. Does NOT cover general security setup, permission set design, field-level security configuration, or proactive security hardening — those are separate skills. NOT for general security setup.