Xaptcha Class
categoryAPI
edit_calendar31 Mar 2026
Bot Protection (reCAPTCHA) Class
The Xaptcha class is a specialized security wrapper for Google reCAPTCHA v2. It provides GeniXCMS with a streamlined, high-level interface for implementing bot protection across sensitive forms — including comments, registrations, and administrative logins — ensuring your site remains secure from automated spam and brute-force attacks.
⚡ Global Configuration
CAPTCHA policies are managed centrally via the Settings > General dashboard.
| Parameter | Identifier | Description |
|---|---|---|
Enable |
google_captcha_enable |
Global toggle (on/off) for the entire system. |
Site Key |
google_captcha_sitekey |
Your public public-facing key from Google Console. |
Secret Key |
google_captcha_secret |
Your private server-side verification key. |
Language |
google_captcha_lang |
The ISO language code for the widget (e.g., en, id). |
🏗️ Technical Methods
Xaptcha::html()
Generates and injects the complete reCAPTCHA widget logic.
- Process: Automatically includes the Google JavaScript library from the global CDN and renders the
<div class="g-recaptcha">container with your configured Site Key. - Safety: Returns an empty string if CAPTCHA is disabled, allowing for transparent theme integration.
Xaptcha::verify(string $response)
Performs a secure server-to-server handshake with Google's API to validate the submission.
// Typically executed within a form controller
$token = $_POST['g-recaptcha-response'];
if (Xaptcha::verify($token)) {
// Human visitor verified
}📝 Implementation Pattern
Use the following pattern to secure your module's forms:
Frontend (Latte / PHP Template)
{* In your theme's register.tpl *}
<div class="form-group mb-3">
{if Xaptcha::isEnable()}
{Xaptcha::html()|noescape}
{/if}
</div>Backend (PHP Controller)
if (Xaptcha::isEnable()) {
$captcha = $_POST['g-recaptcha-response'] ?? '';
if (!Xaptcha::verify($captcha)) {
System::alert(['alertDanger' => [_('Bot detected! Please complete the CAPTCHA.')]]);
return;
}
}warning
CautionAPI Key Mismatch: If you see "Error: Invalid site key" in the widget, ensure that the domain name in your Google Cloud Console exactly matches your
Site::$url.priority_high
ImportantPrivacy Compliance: Google reCAPTCHA tracks user behavior to distinguish humans from bots. Ensure your site's Privacy Policy includes a notice regarding the use of this service to remain compliant with GDPR and other regulations.
See Also
- Token Class — How CSRF protection works alongside CAPTCHA.
- Security Settings — Managing site-wide protection layers.
- General Settings Guide — Configuring your Google API keys.