hcaptcha.com

HTML metadata

Title: hCaptcha - Stop bots and human abuse.
Description: Enterprise grade AI security platform with a privacy focus. Replace reCAPTCHA v2, v3, or Enterprise with next generation tech at better value. Used by millions.
Language: en
Canonical: https://www.hcaptcha.com

Open Graph

title: hCaptcha - Stop bots and human abuse.
description: Enterprise grade AI security platform with a privacy focus. Replace reCAPTCHA v2, v3, or Enterprise with next generation tech at better value. Used by millions.

Technology

CDN: Cloudflare
CMS: Gatsby

Fonts

Google Fonts

Third-party hosts loaded (4)

ajax.googleapis.com×1
cdn.prod.website-files.com×1
fonts.googleapis.com×1
fonts.gstatic.com×1

Contact

Email

sales+vpat@hcaptcha.com

Registration

Registrar

NameCheap, Inc.

Created

2018-01-12

Expires

2030-01-12 1334 days left

Updated

2024-12-11

Name servers

eva.ns.cloudflare.com
josh.ns.cloudflare.com

DNS records live

NS

eva.ns.cloudflare.com
josh.ns.cloudflare.com

MX

1 aspmx.l.google.com
20 alt1.aspmx.l.google.com
30 alt2.aspmx.l.google.com

TXT

Show 4 TXT records

google-site-verification=Cev7in0fV_4hdmI3VTQTFDqtNk0CHBA9f6AYLcyU6hg
google-site-verification=XOSSBjkRXwXRYPlo-DXg0O6xOAPR2L-RiBl1ox59EV4
google-site-verification=yPIR83D9uByVOCV5kiW9fwKB0SpLYGUpmzDqzECvkNo
detectify-verification=219c4145c8dd82f1a855d0ded4970de6

Email authentication strong

SPF

v=spf1 include:mailgun.org include:amazonses.com include:us-west-2.amazonses.com include:mail.zendesk.com include:20974113.spf07.hubspotemail.net ~all

softfail (~all)

DMARC

v=DMARC1; p=reject; rua=mailto:e9f808c761ae640@rep.dmarcanalyzer.com; ruf=mailto:e9f808c761ae640@for.dmarcanalyzer.com; fo=1;

policy: reject (enforced)

DKIM

smtpapi: k=rsa; t=s; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDPtW5iwpXVPiH5FzJ7Nrl8USzuY9zqqzjE0D1r04xDN6qwziDnmgcFNNfMewVKN2D1O+2J9N14hRprzByFwfQW76…

selectors probed

Certificate (current)

WE1

from 2026-04-16 to 2026-07-15

Expires in 57 days

Full certificate history on crt.sh ↗

HTTP security headers

Header hygiene 85/100 Checked live page: https://www.hcaptcha.com/

present

strict-transport-security
content-security-policy
x-frame-options
x-content-type-options
referrer-policy
cross-origin-opener-policy
cross-origin-embedder-policy
cross-origin-resource-policy

findings

CSP allows unsafe inline scripts/styles
CSP uses wildcard sources
missing Permissions Policy

Header values

referrer-policy: unsafe-url
x-frame-options: DENY
x-content-type-options: nosniff
content-security-policy: default-src 'self'; script-src 'self' analytics.hcaptcha.com a.hcaptcha.com js.hcaptcha.com newassets.hcaptcha.com hcaptcha.com u.hcaptcha.com static.cloudflareinsights.com intuitionmachines.widget.insent.ai embed.typeform.com *.hsforms.net *.hsforms.com *.hs-scripts.com static.hsappstatic.net 'unsafe-inline'; style-src 'self' 'unsafe-inline' embed.typeform.com 'unsafe-hashes'; object-src 'self' uploads-ssl.webflow.com; base-uri 'self'; connect-src 'self' website-i18n.hcaptcha.com analytics.hcaptcha.com a.hcaptcha.com a2.hcaptcha.com accounts.hcaptcha.com newassets.hcaptcha.com assets.hcaptcha.com sentry.hcaptcha.com u.hcaptcha.com webflow.com cloudflareinsights.com *.hsforms.com *.hsforms.net *.hubapi.com; font-src 'self' embed.typeform.com data:; frame-src 'self' newassets.hcaptcha.com assets.hcaptcha.com intuitionmachines.widget.insent.ai embed.typeform.com form.typeform.com *.hsforms.net *.hsforms.com; img-src 'self' embed.typeform.com *.hsforms.net *.hsforms.com; manifest-src 'sel
strict-transport-security: max-age=31536000; includeSubDomains; preload
cross-origin-opener-policy: same-origin
cross-origin-embedder-policy: require-corp; report-to="default";
cross-origin-resource-policy: same-site

Links to (2)

workable.com×4
hcaptchastatus.com×4