Breaking Changes to CAPTCHA protection on Storefront forms

Platform

From the week commencing 28th October 2024, the following changes to CAPTCHA protection will occur:

Classic Customer Accounts: Removal of the /challenge page for Login, Create Account and Reset Password flows

If hCaptcha is enabled in Admin for these forms, they will now require a valid hCaptcha token as part of the form submission, otherwise a 400 error response will be returned.

Form submissions that fail the hCaptcha assessment will also return a 400 error response.

The vast majority of form submissions already comply with this requirement, due to hCaptcha being automatically wired up to forms with the correct markup. More information is available in the dev docs

Full deprecation of reCAPTCHA on Storefront forms

The recent migration to hCaptcha on all Storefront forms is now complete. Applications or themes that have bespoke code that submits a reCAPTCHA v3 token (site key 6LeHG2ApAAAAAO4rPaDW-qVpPKPOBfjbCpzJB9ey) will need to update to use hCaptcha. All form submissions containing a recaptcha-v3-token field will result in a 400 error response.

Again, the vast majority of form submissions already comply with this requirement. If you application or theme invokes the reCAPTCHA api directly, ie via methods on window.grecaptcha then you will need to make changes. More information on wiring forms with hCaptcha using methods supported by Shopify is available in the dev docs