          Prevent Spam Cases with reCAPTCHA

          We recommend adding reCAPTCHA v2 to your Web-to-Case web form to prevent spambots from wasting service reps’ time and muddying your case data. The reCAPTCHA widget requires customers to select an “I’m not a robot” checkbox before they can create a case.

          Required Editions

          View supported editions.
          Note: Google reCAPTCHA is a resource leveraged by Salesforce to support its users and partners, and is not considered part of our Services for purposes of the Salesforce Main Services Agreement.

          How do I add reCAPTCHA to my Web-to-Case form?

          Sign up for reCAPTCHA, enable it in your Web-to-Case settings, and include it in the HTML code that you generate to create your web form.

          1. Sign up on the Google reCAPTCHA website. Web-to-Case only supports reCAPTCHA v2.
            1. Confirm that reCAPTCHA is supported in your geographic area.
            2. Click Get reCAPTCHA to register your domain and receive a public and private key pair.
          2. Turn on reCAPTCHA in your Web-to-Case settings.
            1. From Setup, enter Web-to-Case in the Quick Find box, then select Web-to-Case.
            2. Select Require reCAPTCHA Verification and save your changes. When you enable this setting, all cases without reCAPTCHA verification are rejected. No cases are created unless they include the reCAPTCHA verification.
            3. Generate and test the Web-to-Case HTML code for your website, making sure that the fields related to reCAPTCHA are completed. If your HTML code doesn’t include the reCAPTCHA code, customers won’t be able to submit cases. For steps, see Generate and Test Your Web-to-Case Form.

          Can I add reCAPTCHA to a Web-to-Case web form that’s already live?

          Yes. Follow the steps above. You must regenerate the HTML code to include the reCAPTCHA verification code, and update the code on your website.

          Note: In orgs created before Winter ’19, you must select Require reCAPTCHA Verification and then regenerate your HTML code and update your website. In orgs created after Winter ’19, Require reCAPTCHA Verification is selected by default.

          How else can I avoid spam cases?

          reCAPTCHA is your first line of defense against spammers using your Web-to-Case web form. Configure your reCAPTCHA preferences in your Web-to-Case settings, and then make sure that the web form code on your website includes the reCAPTCHA verification.

          These approaches can be used as a complement or alternative to reCAPTCHA.

          • Download spam filter apps from AppExchange.
          • To obtain the source IP of requests, create a dynamic web form that uses the PHP programming language and JavaScript. For example, try one of the following.
            • Use JavaScript to dynamically create a custom tag that’s hidden on the form to store the IP address.
            • Use PHP to generate a random key that’s hosted from your website and then include this key in requests. You can use the key to validate requests and reject those that don’t include the key.
          • Use a workflow rule to detect cases from specific sources, and reassign those cases to a specific queue. This approach keeps the cases away from your support team. You can also use the queue to periodically review and delete the cases. If you use this approach, consider adjusting one of your case assignment rules to prevent sending a case creation email to the sender of the spam.
          • Create a flow to perform additional validation on cases that are created using Web-to-Case or Web-to-Lead. For example, for cases created that don’t relate to an account or contact, you can automatically close the case with a status of Deflected. Then you can send an email back to the sender stating the sender wasn’t authorized to submit a case. In addition, you can implement code that extracts their domain to help you notify the sender’s admin that an unauthorized user contacted your support team.
          • Use an Apex class or trigger to delete spam requests before cases are created. Apex triggers are great for creating comprehensive and complex flows.
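
The "random key" approach in the list above, sketched as an added example (not Salesforce code). It is written in Node.js JavaScript rather than PHP and assumes a server you control renders the form and checks the submission before it is passed on to Web-to-Case; `issueFormKey`, `verifyFormKey`, `SECRET` and `MAX_AGE_MS` are hypothetical names and values.

```javascript
const crypto = require('node:crypto');

// Assumption: a server-side secret that never appears in page source.
// Constructed demo value; load a real one from your secret store.
const SECRET = Buffer.from('constructed-demo-secret-do-not-reuse');
const MAX_AGE_MS = 15 * 60 * 1000; // assumed lifetime of a rendered form

function sign(payload) {
  return crypto.createHmac('sha256', SECRET).update(payload).digest('hex');
}

// Called when the page is rendered; the result goes into a hidden form field.
function issueFormKey(now = Date.now()) {
  const nonce = crypto.randomBytes(16).toString('hex');
  const payload = `${nonce}.${now}`;
  return `${payload}.${sign(payload)}`;
}

// Nonces already accepted, so a captured key cannot be replayed.
// In-memory for the demo; a shared store is needed behind a load balancer.
const seen = new Set();

// Called on submission; only forward the request when ok is true.
function verifyFormKey(key, now = Date.now()) {
  if (typeof key !== 'string' || key === '') return { ok: false, reason: 'missing' };
  const parts = key.split('.');
  if (parts.length !== 3) return { ok: false, reason: 'malformed' };
  const [nonce, issued, mac] = parts;

  // Recompute the MAC and compare in constant time.
  const expected = Buffer.from(sign(`${nonce}.${issued}`), 'utf8');
  const given = Buffer.from(mac, 'utf8');
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return { ok: false, reason: 'bad-signature' };
  }

  const age = now - Number(issued);
  if (!(age >= 0 && age <= MAX_AGE_MS)) return { ok: false, reason: 'expired' };

  if (seen.has(nonce)) return { ok: false, reason: 'replayed' };
  seen.add(nonce);
  return { ok: true };
}
```

Logging the `reason` for each rejected submission gives you a count of scripted posts that never loaded the form, which is useful input for the queue and flow rules described in the same list.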

          How does Salesforce validate reCAPTCHA?

          Salesforce uses Google’s API to validate the reCAPTCHA API key pair you enter in Setup. We make sure that the key pair is valid and that it hasn’t expired. If we can’t validate the key pair, incoming requests fail. Web-to-Case doesn’t have object validation rules.

          Salesforce also adds a CSP header that helps detect the source IP address of the request. We don’t notify you by email about spam attacks, but we log these failures. For more information, contact Salesforce Customer Support.

          How does Web-to-Case isolate harmful data?

          All data from Web-to-Case requests is saved to Salesforce cases using safeHTML. If a request fails reCAPTCHA verification, no case is created. If someone tries to insert harmful data or a script into your form, the data is saved as plain text. For example, if someone submits SOQL or JavaScript using your form, the code is saved as plain text and the harmful code is not executed. The results are encoded properly following security best practices.

           