I'm reaching out because the Google Pay API team sent me your way. My current task involves setting up reCAPTCHA to prevent card testing attacks for merchants.
I'm not sure if this is actually a recaptcha-enterprise related question, or if I was just forwarded to that tag because my account had set up a test merchant in the past.
Here's what's in place:
Developed an API and a deployable solution that's presented as a WordPress plugin, serving as a WooCommerce payment gateway. Users can input card details through iframes in the payment gateway, which then tokenize the card before it's entered in the form. Additionally, we offer Google Pay as an alternative, which also involves tokenization of cards before form submission.
The current challenge: The situation I'm grappling with is this: Our deployable solution, particularly the WordPress plugin, complicates the matter. To adhere to the standard reCAPTCHA integration (having to pre-select a domain to allowlist for reCAPTCHA to use an API key), we'd have to continually add numerous domain addresses at different times throughout the day. While we can handle both frontend (our domain: *.solutionbackenddomainhere.com) and server-to-server interactions, accommodating reCAPTCHA's specific domain requirement poses uncertainty.
Seeking a solution: I'm confident that there's a secure workaround, even if it entails a considerable effort on our part to implement.
Important to note: When we deal with authenticated API calls (which is when reCAPTCHA is necessary), they're consistently tied to integrations. This means we have information about the originating domain, even from our backend.
I'd greatly appreciate any insights or suggestions you can provide to shed light on this matter!
I looked at the documented reCAPTCHA requirements and also have been working on this integration+API for the last 3 years.
I do not want to wildcard the API key to be stolen and used by just any domain, and I cannot find how I can add the domains programmatically.
Yes, you should use reCAPTCHA Enterprise for this. For the details below I'll refer to the gRPC client library documentation, but there are REST analogs if that's how you are interacting with the reCAPTCHA Enterprise API.
Programmatically setting the domain(s): The RecaptchaEnterpriseService has CreateKey and UpdateKey (among other Key management methods). You can allowlist the domains for a given reCAPTCHA key using the key.web_settings.allowed_domains field.
To specifically prevent carding attacks and fraud attempts I would suggest reading https://cloud.google.com/recaptcha-enterprise/docs/fraud-prevention
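The answer above points at CreateKey/UpdateKey and `key.web_settings.allowed_domains`; the following is an added example (not code from the original thread, the asker's plugin, or Google) showing how a merchant onboarding flow could append a newly integrated store's domain to an existing site key's allowlist with the `google-cloud-recaptcha-enterprise` Python client. The domain that must be allowlisted is the merchant's storefront origin (where the reCAPTCHA script actually loads in the shopper's browser), not the plugin vendor's backend. `PROJECT_ID` and `KEY_ID` are placeholders; the input normalization and the rule that an allowlisted domain also covers its subdomains (as the reCAPTCHA admin console states) are the example's own assumptions, and the client library is only imported inside the function that talks to the API so the pure helpers run offline.

```python
"""Append merchant storefront domains to a reCAPTCHA Enterprise key allowlist.

Added example, not the original poster's or Google's code. Assumes:
  * pip install google-cloud-recaptcha-enterprise (only for add_domains_to_key)
  * PROJECT_ID / KEY_ID are placeholders for a real project and site key
"""
import re

PROJECT_ID = "my-gcp-project"   # placeholder
KEY_ID = "6Lc-example-site-key"  # placeholder

# Hostname grammar (RFC 1123 labels + alphabetic TLD). Deliberately strict:
# the allowlist exists to stop the site key being loaded from arbitrary origins.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)


def normalize_domain(raw: str) -> str:
    """Reduce what a merchant submits (often a full store URL) to a bare host.

    Raises ValueError for wildcards, schemes-only strings, IPs, or anything
    that is not a plain hostname, so bad data never reaches UpdateKey.
    """
    host = raw.strip().lower()
    if "://" in host:
        host = host.split("://", 1)[1]
    host = host.split("/", 1)[0].split(":", 1)[0]  # drop path, query and port
    if host.startswith("*"):
        raise ValueError(f"wildcard domains are not accepted: {raw!r}")
    if not _HOSTNAME_RE.fullmatch(host):
        raise ValueError(f"not a valid hostname: {raw!r}")
    return host


def _covers(allowed: str, host: str) -> bool:
    """True if `allowed` already covers `host` (same host or a subdomain).

    Assumption of this example: reCAPTCHA treats subdomains of an
    allowlisted domain as allowed, so 'shop.example.com' is redundant once
    'example.com' is listed.
    """
    return host == allowed or host.endswith("." + allowed)


def merged_allowlist(current: list[str], new_domains: list[str]) -> list[str]:
    """Return the allowlist after adding `new_domains`, de-duplicated, order kept."""
    merged = list(dict.fromkeys(current))
    for raw in new_domains:
        host = normalize_domain(raw)
        if not any(_covers(existing, host) for existing in merged):
            merged.append(host)
    return merged


def add_domains_to_key(project_id: str, key_id: str, new_domains: list[str]) -> list[str]:
    """Fetch the key, extend web_settings.allowed_domains, push it back via UpdateKey.

    Returns the resulting allowlist. Requires credentials with the
    recaptchaenterprise.keys.update permission (ADC is used by the client).
    """
    from google.cloud import recaptchaenterprise_v1  # optional dependency
    from google.protobuf import field_mask_pb2

    client = recaptchaenterprise_v1.RecaptchaEnterpriseServiceClient()
    name = f"projects/{project_id}/keys/{key_id}"
    key = client.get_key(name=name)

    if key.web_settings.allow_all_domains:
        # A key with allow_all_domains=True is exactly the "wildcard" the
        # asker wants to avoid; refuse rather than silently append to it.
        raise RuntimeError(f"{name} allows all domains; allowlisting has no effect")

    current = list(key.web_settings.allowed_domains)
    merged = merged_allowlist(current, new_domains)
    to_add = [d for d in merged if d not in current]
    if not to_add:
        return current  # nothing to do, skip the write

    key.web_settings.allowed_domains.extend(to_add)
    # Mask limits the write to web_settings so unrelated key fields are untouched.
    client.update_key(
        key=key,
        update_mask=field_mask_pb2.FieldMask(paths=["web_settings"]),
    )
    return merged


if __name__ == "__main__":
    # Constructed sample input: what a merchant might paste into an onboarding form.
    print(merged_allowlist(["example.com"], ["https://Shop.Example.com/checkout", "store.other.net:8443"]))
```

Run this from the backend at integration time, when the asker says the originating domain is already known; a separate reCAPTCHA key per plugin install is the other option if per-merchant analytics or revocation matters more than a single shared allowlist.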