Challenge 3: Deploy a reCAPTCHA Token and Challenge Page


Introduction

reCAPTCHA Enterprise for WAF and Google Cloud Armor integration offers the following operating modes: reCAPTCHA challenge page, reCAPTCHA action-tokens, and reCAPTCHA session-tokens. In this gHack, we will implement the reCAPTCHA session token site key and the reCAPTCHA WAF challenge-page site key.

Description

Create reCAPTCHA session token and WAF challenge-page site key

The reCAPTCHA JavaScript sets a reCAPTCHA session-token as a cookie in the end user’s browser after the assessment. The browser attaches the cookie to subsequent requests and keeps refreshing it for as long as the reCAPTCHA JavaScript remains active.

  • In the Cloud Shell, use gcloud to create the reCAPTCHA session token site key and enable the WAF feature for the key.
    • You must set the WAF service to Cloud Armor to enable the Cloud Armor integration.
    • The key type is session-token.
    • Use the score integration type. The other options are checkbox and invisible.
    • Use a testing score of 0.5.
      • This validates that the bot management policies we create with Cloud Armor are working as intended. Replicating bot traffic is not easy, so a fixed testing score is a good way to test the feature.
    • Make a note of the output of your gcloud command; it prints the key that you’ll need later in this gHack.
  • Use gcloud to also create the reCAPTCHA WAF challenge-page site key and enable the WAF feature for the key. You can use the reCAPTCHA challenge page feature to redirect incoming requests to reCAPTCHA Enterprise to determine whether each request is potentially fraudulent or legitimate. We will later associate this key with the Cloud Armor security policy to enable the manual challenge. We will refer to this key as CHALLENGE-PAGE-KEY in the later steps.
    • You must set the WAF service to Cloud Armor to enable the Cloud Armor integration.
    • The key type is challenge-page.
    • Use the invisible integration type.
    • Make a note of the output of your gcloud command; it prints the key that you’ll need later in this gHack.
  • Navigate to the reCAPTCHA Enterprise screen in the Google Cloud Console. Go to the KEYS tab and confirm that both of the keys you created are there.
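As an added example (not part of the gHack and not Google's own tooling), the following script wraps the two gcloud key-creation commands described above in shell functions so the flags can be checked before anything is created. The gcloud flags are the real ones; the display names, the DRY_RUN switch, and reading the created key back with --format='value(name)' as a projects/PROJECT/keys/KEY_ID resource name are assumptions.

```shell
#!/bin/sh
# Added example (not part of the gHack): create the two reCAPTCHA Enterprise keys
# with the settings this challenge calls for. The gcloud flags are the real ones;
# the display names and the DRY_RUN switch are assumptions for illustration.
set -e

# DRY_RUN=1 (the default) prints each gcloud command instead of running it, so the
# flags can be reviewed first. Export DRY_RUN=0 in Cloud Shell to create the keys.
DRY_RUN="${DRY_RUN:-1}"

run() {
  if [ "$DRY_RUN" = 1 ]; then
    printf 'DRY RUN: %s\n' "$*"
  else
    "$@"
  fi
}

# Session-token key: score integration, testing score 0.5 (every assessment scores
# 0.5, which lets the Cloud Armor rules be exercised without real bot traffic),
# WAF feature session-token, WAF service "ca" (Cloud Armor).
# Any extra arguments are passed through to gcloud.
create_session_token_key() {
  name="$1"; shift
  run gcloud recaptcha keys create \
    --display-name="$name" \
    --web --allow-all-domains \
    --integration-type=score \
    --testing-score=0.5 \
    --waf-feature=session-token \
    --waf-service=ca "$@"
}

# Challenge-page key: invisible integration, WAF feature challenge-page,
# WAF service Cloud Armor. This is the CHALLENGE-PAGE-KEY used in later steps.
create_challenge_page_key() {
  name="$1"; shift
  run gcloud recaptcha keys create \
    --display-name="$name" \
    --web --allow-all-domains \
    --integration-type=invisible \
    --waf-feature=challenge-page \
    --waf-service=ca "$@"
}

# Assumption: with --format='value(name)' gcloud prints the key as a resource name,
# projects/PROJECT/keys/KEY_ID. The site key you embed and reference later is KEY_ID.
key_id_from_name() {
  printf '%s\n' "${1##*/}"
}

# Create both keys (with DRY_RUN=1 this only prints the two commands).
create_session_token_key "ghacks-session-token-key"
create_challenge_page_key "ghacks-challenge-page-key"
```

Run the script as is to see the exact commands. In Cloud Shell, `export DRY_RUN=0` first to create the keys; to keep the ID for later, append `--format='value(name)'` to a call and pass its output to `key_id_from_name`. The keys must then appear on the KEYS tab of the reCAPTCHA Enterprise screen, as the last step above describes.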

Set up the gHacks+ Website

We’ve provided all the files for the gHacks+ streaming service’s website. Now we need to upload these files to the VM.

  • In the console, locate the VM in your instance group and note its name and zone.
  • Use the gcloud compute scp command to copy the student-files.zip file from your Cloud Shell to the VM.
  • SSH into the VM and unzip student-files.zip into the root of the Apache server’s html folder.

    Tip: You’ll have to do this as root.

Implement reCAPTCHA session token site key

Edit index.html for the gHacks+ site and embed the reCAPTCHA session token site key.

Tip: The session token site key is added to the HEAD section of the HTML page.

Validate that you are able to access all the movies available on the gHacks+ site. You’ll need the load balancer’s IP for this; open index.html at that address in a browser.

Note: You can verify that the reCAPTCHA implementation is working when you see “protected by reCAPTCHA” in the bottom right corner of the index page:

[Image: Protect Logo]
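The upload step and the embedding step above, as one added example that is not part of the gHack: the script copies the site files to the VM and inserts the reCAPTCHA Enterprise loader for a session-token key into the head of index.html, refusing to insert it twice. The VM name and zone (VM_NAME, VM_ZONE), the Apache document root /var/www/html, the DEPLOY switch, and the sample page at the bottom are assumptions; the script tag format (enterprise.js with render=KEY and waf=session) is the reCAPTCHA Enterprise WAF integration's.

```shell
#!/bin/sh
# Added example (not part of the gHack): upload the site files to the VM and embed
# the reCAPTCHA session-token site key in the <head> of index.html.
# Assumptions: VM name and zone come from VM_NAME/VM_ZONE, Apache's document root
# is /var/www/html, and the sample page at the bottom is constructed for the demo.
set -e

# Copy student-files.zip from Cloud Shell to the VM and unzip it, as root, into the
# web root. Only runs when DEPLOY=1 because it needs gcloud and a real VM.
upload_site_files() {
  vm="$1"; zone="$2"
  gcloud compute scp student-files.zip "$vm":~/ --zone="$zone"
  gcloud compute ssh "$vm" --zone="$zone" \
    --command='sudo unzip -o ~/student-files.zip -d /var/www/html'
}

# The tag that loads the reCAPTCHA Enterprise JS for a WAF session-token key.
# waf=session makes the script set and keep refreshing the session-token cookie.
session_token_script_tag() {
  printf '<script src="https://www.google.com/recaptcha/enterprise.js?render=%s&waf=session" async defer></script>' "$1"
}

# Insert the tag right after the opening <head> tag. Re-running on an already
# patched file is a no-op, so a repeated deploy cannot load the script twice.
embed_session_token() {
  file="$1"; key="$2"
  if grep -q 'recaptcha/enterprise.js' "$file"; then
    echo "session token already embedded in $file" >&2
    return 0
  fi
  if ! grep -qi '<head>' "$file"; then
    echo "no <head> tag in $file" >&2
    return 1
  fi
  tag=$(session_token_script_tag "$key")
  tmp="$file.tmp"
  awk -v tag="$tag" '
    { print }
    !done && tolower($0) ~ /<head>/ { print tag; done = 1 }
  ' "$file" > "$tmp"
  mv "$tmp" "$file"
}

# How many times the reCAPTCHA loader appears; a correct page has exactly one.
recaptcha_loader_count() {
  grep -c 'recaptcha/enterprise.js' "$1" || true
}

# Demo on a constructed stand-in for the gHacks+ index.html (placeholder key).
demo_page=$(mktemp)
cat > "$demo_page" <<'EOF'
<!DOCTYPE html>
<html>
<head>
  <title>gHacks+</title>
</head>
<body>
  <a href="movie1.html">Movie 1</a>
</body>
</html>
EOF
embed_session_token "$demo_page" "SESSION-TOKEN-KEY-PLACEHOLDER"
embed_session_token "$demo_page" "SESSION-TOKEN-KEY-PLACEHOLDER"   # no-op on the second run
cat "$demo_page"

if [ "${DEPLOY:-0}" = 1 ]; then
  upload_site_files "${VM_NAME:?set VM_NAME}" "${VM_ZONE:?set VM_ZONE}"
fi
```

Run it as is to see the patched sample page. On the VM, run `embed_session_token /var/www/html/index.html "$SESSION_TOKEN_KEY"` as root after the unzip; in Cloud Shell, `DEPLOY=1 VM_NAME=... VM_ZONE=... sh deploy.sh` performs the upload. The idempotency check matters because loading enterprise.js twice is an easy mistake when the page is redeployed.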

Success Criteria

  • You’ve enabled the reCAPTCHA API.
  • You’ve created a Cloud Armor WAF-enabled reCAPTCHA session token key with integration type score.
  • You’ve created a Cloud Armor WAF-enabled reCAPTCHA challenge page key with integration type invisible.
  • The gHacks+ index page is updated to include the reCAPTCHA session token site key and 3 links, and shows the “protected by reCAPTCHA” image.
  • You can access each movie.

Learning Resources
