Google reCAPTCHA + HackGATE - What to do if CAPTCHA is not enabled / working

December 12, 2025

Overview

If you are using Google reCAPTCHA with your application behind HackGATE, you must explicitly add your HackGATE proxy domain to the list of allowed domains in the reCAPTCHA configuration. Without that, the captcha widget will not work when accessed through HackGATE.

This article explains the cause, how to detect it, and how to fix it.

Why reCAPTCHA fails when using HackGATE

  • Google reCAPTCHA keys (site key + secret key) are linked to a set of authorized domains. Only those domains (and their subdomains) are authorized to render and validate the captcha.
  • If your application is served through a HackGATE domain (e.g. yourtenant.hackgate.net) and this domain is not in the authorized list, reCAPTCHA will block loading or validation.
  • As a result, reCAPTCHA can work fine on your original site domain and still fail when the same application is reached through HackGATE.

Common symptoms

  • CAPTCHA widget does not appear at all.
  • An error message appears in the browser console or in the UI, such as “Invalid domain for site key”, “Host is not allowed”, or similar.
  • Form submission fails or returns “Captcha verification failed.”
  • The form works when accessed via the original domain but fails via the HackGATE-hosted domain.

How to check if your domain is authorized

  1. Go to the reCAPTCHA Admin Console on Google.
  2. Select the site key used by your application.
  3. Under Domains, review the list of allowed domains.
  4. If your HackGATE domain(s) (e.g. yourtenant.hackgate.net, *.hackgate.net) are missing from the list, reCAPTCHA will not work behind HackGATE.

How to properly configure reCAPTCHA for HackGATE domains (Fix)

  1. Open the reCAPTCHA Admin Console and choose your site key.
  2. In the Domains section, click Add domain.
  3. Add your HackGATE domain(s), e.g. yourtenant.hackgate.net, *.hackgate.net. Do not include the protocol (https://) or any path, port or query string. Only the hostname is valid.
  4. Save / Submit the changes, then wait a few minutes for them to propagate.
  5. Clear the browser cache or open a private window, then reload your application via HackGATE. The CAPTCHA widget should now load and validation should succeed.

Important notes & recommendations

  • Use separate reCAPTCHA keys (site + secret) for different environments (production, staging, development) — especially if you use multiple domains. This avoids polluting reCAPTCHA analytics across environments.
  • Do not disable domain verification (that is, do not tell reCAPTCHA to ignore the domain list) unless you fully control the environments and handle hostname checks server-side. Disabling it weakens security.

Official References

  • Google reCAPTCHA “Creating keys for websites” guide (how to add domains, get site keys).
  • reCAPTCHA settings page (domains, origin verification, configuration).

Summary & Why This Matters for HackGATE Users

Because HackGATE serves your application through a proxy domain (e.g. *.hackgate.net), you must treat that domain as a “real” production domain when configuring CAPTCHA — whether using Cloudflare Turnstile or Google reCAPTCHA.

Failing to explicitly add the proxy domain to your CAPTCHA provider’s configuration will result in broken or missing CAPTCHA on forms protected by HackGATE — even though everything works fine under your original domain.

Disclaimer & What CAPTCHA Configuration Does Not Do

  • Adding the HackGATE domain to CAPTCHA config does not disable CAPTCHA. It merely permits the challenge to be rendered and validated under that hostname.
  • CAPTCHA remains active and effective; you are not reducing security by whitelisting the domain.
  • Always keep secret keys private (server side), and verify tokens server-side. This applies equally for Turnstile and reCAPTCHA.
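
The server-side token verification and hostname check mentioned in the notes above, as an added example that is not HackGATE's or Google's own code. It uses Google's siteverify endpoint and its `success`, `hostname` and `error-codes` response fields; the allow-list contents (`app.example.com`), the function names and the sample response are assumptions made for illustration.

```python
import json
import urllib.parse
import urllib.request

VERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"

# Assumed allow-list: the original site plus the HackGATE proxy hostname.
ALLOWED_HOSTS = {"app.example.com", "yourtenant.hackgate.net"}
# Mirrors a *.hackgate.net entry; leave empty to accept exact hostnames only.
ALLOWED_SUFFIXES = (".hackgate.net",)

# Constructed sample of a parsed siteverify response (not captured traffic).
SAMPLE_VERDICT = {
    "success": True,
    "challenge_ts": "2025-12-12T10:00:00Z",
    "hostname": "yourtenant.hackgate.net",
}


def hostname_allowed(hostname):
    """Exact match or dot-anchored suffix match, case-insensitive."""
    host = (hostname or "").strip().lower().rstrip(".")
    if not host:
        return False
    # The leading dot in each suffix stops "evilhackgate.net" from matching.
    return host in ALLOWED_HOSTS or host.endswith(ALLOWED_SUFFIXES)


def check_verdict(verdict):
    """Return (ok, reason) for a parsed siteverify JSON response."""
    if verdict.get("success") is not True:
        codes = verdict.get("error-codes") or ["unknown"]
        return False, "rejected: " + ",".join(codes)
    if not hostname_allowed(verdict.get("hostname")):
        return False, "hostname not allowed: %r" % verdict.get("hostname")
    return True, "ok"


def verify_token(secret, token, timeout=5):
    """POST the token to siteverify from the server and apply the checks above."""
    body = urllib.parse.urlencode({"secret": secret, "response": token}).encode()
    with urllib.request.urlopen(VERIFY_URL, data=body, timeout=timeout) as resp:
        return check_verdict(json.load(resp))
```

`verify_token` is the only function that touches the network; the secret key is read on the server and never sent to the browser.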
