
Case New Page in community: Detect Replay – Spam Protection using Google captcha

It is very easy to find the endpoint and payload that create a Case when you click “Submit” (or any button that creates a Case). Once captured, the same request can be replayed with a curl command and thousands of Cases created in a few minutes.
Salesforce offers no out-of-the-box protection against this, but we can prevent and detect such an attack using Google reCAPTCHA: the widget issues a one-time response token that the server verifies with Google before creating the Case, so a replayed request carries a token that has already been used or has expired and is rejected.

Get Google Captcha Secret Key and Site Key

Here is a detailed explanation of how to get them, or you can find plenty of articles covering the same steps. Note the difference between the two keys: the Site Key is public and is embedded in the page markup, while the Secret Key is used only in the server-to-Google verification call and must never reach the browser.

Use Google Captcha in your Visualforce or Lightning Component

Again, there are a bunch of nice articles explaining how to use Google captcha in a Lightning component or a VF page:
Lightning Component

VF Page

Pass Captcha Response Key to Server Side

Once the user completes the captcha, the widget generates a response token (the g-recaptcha-response value) that must be passed to the backend, either as an additional parameter of the Apex method or in a Case field. An additional parameter is preferable: the token is worthless after verification and has no business being stored on the Case record.

Verify captcha response at server side 

In the Apex method, first read the response token, then verify it by making a callout to Google's siteverify endpoint, as below:

In the method below, responseCode is the token generated when the end user completes the captcha and googleSecretKey is the Secret Key from the reCAPTCHA configuration. Do not share that Secret Key with anyone and do not hard-code it; keep it in a protected custom setting or custom metadata type that Community users cannot read. The Google endpoint also has to be registered as a Remote Site Setting (or reached through a Named Credential), otherwise the platform blocks the callout.

// Let's assume response code is: 03AOLTBLRnKHrVYiLrqSaVcEzdjSCFrmy9bZYqjUsSJdtz3AoI-fA_eeQS_6uMxRTjHyuteoxhoH_xNgRsU67zpKCZ2hfKFmiLcEpgPgNDJo4Qy4vj7Nct1CYzFYyOQ2BsSq2a3ofHCrfXpwD0K31ETHSOUfGXsp6Iqf0v7vK_QU7KkMLauCdWOGNzx3cg9oSViHDyCp2Ivnb66JqApDEKuEUS-Gkl8Jcc1rl0sBWZDj0dKSq2e2OewILZvooN0UF-5g7Mihpj3J9EwJuEARINDgaVDwea8bMuyPtGTFtb_nwuGOkC0S5qy9LqqVTJHQNveyFKEzl_iHCshnep-0CS2a77uWcL-kGgWCMig9zdKuap8nU3mGUQWmzcEp4IRo8p9Uz-OLpEPEH9mEruRpMmRSfPVQz2VF90OCoTS_74WRgRFKSr028q2Dof3N7v2-wNoSNeXVw_S4jer6VRwoxxX-OkjwpfeZSV8ZCTGPDQV3Tp7wBxP5yWt85qFx-WSPj_Y99cIIPSA9mxMN_mR9r6C3WpwEdXZSx-qjgfr25FGRgNM0yfRNj-m_I

public static HttpResponse verifyCaptchaResponse(String responseCode, String googleSecretKey) {
    HttpRequest req = new HttpRequest();
    // reCAPTCHA verification endpoint (must be allowed as a Remote Site Setting or via a Named Credential)
    req.setEndpoint('https://www.google.com/recaptcha/api/siteverify');
    req.setMethod('POST');
    // siteverify expects a form-encoded body, not JSON
    req.setHeader('Content-Type', 'application/x-www-form-urlencoded');
    String formBody = 'secret=' + EncodingUtil.urlEncode(googleSecretKey, 'UTF-8')
                    + '&response=' + EncodingUtil.urlEncode(responseCode, 'UTF-8');
    req.setBody(formBody);
    HttpResponse response = new HttpResponse();
    try {
        Http http = new Http();
        response = http.send(req);
        System.debug('status: ' + response.getStatusCode());
        System.debug('body: ' + response.getBody());
    } catch (System.Exception e) {
        // a failed callout leaves the response empty; the caller must treat that as "not verified"
        System.debug('ERROR: ' + e.getMessage());
    }
    return response;
}

Parse the JSON response and check the “success” attribute: if it is true, allow the Case creation; otherwise return an error message. A token that has already been verified, or one older than two minutes, comes back with success false and the error code “timeout-or-duplicate”, which is exactly what a replayed request looks like. Also compare the “hostname” attribute with your Community domain, so that a token solved on some other site using the same Site Key is not accepted. If the callout itself failed, treat the Case as unverified rather than letting it through.
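As an added example (not code from the original post), here is how the decision logic and the Case-creating controller could look in Apex. It assumes the verifyCaptchaResponse method shown above sits in the same class, that the Secret Key is stored in a protected custom setting named CaptchaSettings__c with a Secret_Key__c field (a hypothetical name), and that the Community runs on support.example.com (also hypothetical). The JSON bodies in selfCheck are constructed samples, not real Google responses.

```apex
public with sharing class CaseCaptchaController {

    // Hypothetical: hostname of the Community page that renders the widget.
    private static final String EXPECTED_HOSTNAME = 'support.example.com';

    public class Decision {
        public Boolean allowed = false;
        public String errorMessage;
    }

    // Turns the raw siteverify body into an allow/deny decision. Fails closed on every
    // path except a parsed body with success == true and the expected hostname.
    public static Decision evaluate(String body, String expectedHostname) {
        Decision d = new Decision();
        if (String.isBlank(body)) {
            // callout failed or returned nothing
            d.errorMessage = 'Captcha could not be verified. Please try again.';
            return d;
        }
        Map<String, Object> parsed;
        try {
            parsed = (Map<String, Object>) JSON.deserializeUntyped(body);
        } catch (System.JSONException e) {
            d.errorMessage = 'Captcha verification returned an unreadable response.';
            return d;
        }
        Boolean success = (Boolean) parsed.get('success');
        if (success != true) {
            // "error-codes" is optional; a replayed or expired token shows up as timeout-or-duplicate
            List<Object> codes = (List<Object>) parsed.get('error-codes');
            d.errorMessage = 'Captcha verification failed'
                + (codes == null || codes.isEmpty() ? '.' : ' (' + String.join(codes, ', ') + ').');
            return d;
        }
        // success alone is not enough: the token must have been solved on our page,
        // not on another site that embeds the same Site Key
        String hostname = (String) parsed.get('hostname');
        if (expectedHostname != null && hostname != expectedHostname) {
            d.errorMessage = 'Captcha was solved on an unexpected host.';
            return d;
        }
        d.allowed = true;
        return d;
    }

    // Called from the Lightning component / VF page with the Case fields and the widget token.
    // Assumes verifyCaptchaResponse (from above) is in this class and CaptchaSettings__c is a
    // protected custom setting (hypothetical name) holding the Secret Key.
    @AuraEnabled
    public static Id createCaseIfHuman(Case newCase, String captchaResponse) {
        if (String.isBlank(captchaResponse)) {
            throw new AuraHandledException('Please complete the captcha.');
        }
        String secret = CaptchaSettings__c.getOrgDefaults().Secret_Key__c;
        // callout first, DML second: Apex rejects a callout after uncommitted DML in one transaction
        HttpResponse res = verifyCaptchaResponse(captchaResponse, secret);
        Decision d = evaluate(res.getBody(), EXPECTED_HOSTNAME);
        if (!d.allowed) {
            throw new AuraHandledException(d.errorMessage);
        }
        insert newCase;
        return newCase.Id;
    }

    // Constructed sample bodies (not real Google responses) showing the outcomes of evaluate().
    public static void selfCheck() {
        String ok        = '{"success": true, "challenge_ts": "2023-01-01T00:00:00Z", "hostname": "support.example.com"}';
        String replayed  = '{"success": false, "error-codes": ["timeout-or-duplicate"]}';
        String wrongHost = '{"success": true, "hostname": "evil.example.net"}';
        System.assertEquals(true,  evaluate(ok, EXPECTED_HOSTNAME).allowed);
        System.assertEquals(false, evaluate(replayed, EXPECTED_HOSTNAME).allowed);
        System.assertEquals(false, evaluate(wrongHost, EXPECTED_HOSTNAME).allowed);
        System.assertEquals(false, evaluate(null, EXPECTED_HOSTNAME).allowed);
        System.assertEquals(false, evaluate('not json', EXPECTED_HOSTNAME).allowed);
    }
}
```

The replayed-token case is the one the title is about: the second submission of a captured request reaches Google with a token that has already been consumed, siteverify answers with success false and timeout-or-duplicate, and the Case is never inserted. Logging that error code (for example to a custom object or platform event) gives you the detection side as well as the prevention.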