Captcha
If your panel is publicly reachable and you offer self-registration, you almost certainly want a captcha in front of login, registration and password reset – otherwise bots will pile up junk accounts within hours.
Supported providers
- Cloudflare Turnstile – my recommendation. Free, privacy-friendly, no click puzzle for users.
- hCaptcha – also free, slightly more intrusive UI.
- Google reCAPTCHA v2 – the classic "I'm not a robot" checkbox.
Configuration
Create a site at your provider → you'll get two values: site key (public, ships to the frontend) and secret (server-side, used to verify).
In PDNS Manager under Settings → Security → Captcha:
- Provider – Turnstile / hCaptcha / reCAPTCHA v2.
- Site key
- Secret
- Active for – multi-select: Login, Registration, Password reset (forgot + reset).
Test button
The panel has a test button that checks the config against the provider (site key valid, secret valid). Only enable after that.
How it looks in the browser
The captcha widget appears just above the login button. The user solves it (or it solves itself, depending on the provider); a token is sent with the login request. The server validates the token with the provider's secret and only accepts the login if the provider confirms it.
Example: enable Turnstile
- Sign in to Cloudflare → Turnstile → Add site.
- Enter your domain, mode "Managed".
- Copy site key + secret.
- Paste both in the panel, "Active for" = Login + Registration + Reset.
- Test button → green → save.
Privacy / GDPR
Which provider sees what depends on the provider. Rule of thumb:
- Cloudflare Turnstile sees IP + a few browser headers. No persistent tracking cookie.
- hCaptcha similar.
- Google reCAPTCHA v2 sets tracking cookies and needs an extra paragraph in your privacy policy.