域名/软件包名称验证
使用集合让一切井井有条
根据您的偏好保存内容并对其进行分类。
reCAPTCHA 密钥通常与一组单独的网域或软件包名称相关联。对于 Web 用户,API 密钥对与您指定的网域和第一级子网域是唯一的。如果您通过多个顶级网域提供网站,则指定多个网域会很有帮助。
例如,如果您将 API 密钥对指定为 yoursite.com,则下表显示了 reCAPTCHA 是否适用于相应网域及其子网域变体。如果您指定其他域名或 TLD(例如 anothersite.com、yoursite.net),则相同的 reCAPTCHA 条件适用。
指定的网域 |
网站域名 |
reCAPTCHA 可以吗? |
yoursite.com |
yoursite.com |
是 |
www.yoursite.com |
是 |
subdomain.yoursite.comyoursite.com |
是 |
subdomain.<您的网站.com>:8080yoursite.com |
是 |
如果您想使用“localhost”进行开发,则必须将其添加到网域列表中。
对于移动设备用户,只有指定的软件包名称(例如 com.google.recaptcha.test)对应的 API 密钥对是唯一的。
但是,如果您的域名或软件包名称列表非常长、非常灵活或未知,我们允许您在 reCAPTCHA 端关闭域名或软件包名称检查,改为检查您的服务器。
为此,请在管理控制台中,前往密钥的“高级设置”部分,然后取消选中“网域/软件包名称验证”复选框。
安全警告
关闭这项保护功能本身会带来巨大的安全风险,因为密钥在网站运行方面没有任何限制,所以任何人都可能拿走并使用您的密钥。因此,在验证解决方案时,您需要检查主机名/软件包字段,并拒绝来自意外来源的所有解决方案。
如未另行说明,那么本页面中的内容已根据知识共享署名 4.0 许可获得了许可,并且代码示例已根据 Apache 2.0 许可获得了许可。有关详情,请参阅 Google 开发者网站政策。Java 是 Oracle 和/或其关联公司的注册商标。
最后更新时间 (UTC):2025-07-25。
[null,null,["最后更新时间 (UTC):2025-07-25。"],[[["\u003cp\u003ereCAPTCHA keys are linked to specific domains or package names for security.\u003c/p\u003e\n"],["\u003cp\u003eYou can allow reCAPTCHA to work across multiple subdomains and domains by specifying them when creating the key.\u003c/p\u003e\n"],["\u003cp\u003eFor local development, "localhost" needs to be added to the allowed domains.\u003c/p\u003e\n"],["\u003cp\u003eDisabling domain/package name validation in reCAPTCHA settings introduces significant security risks and requires server-side hostname/package verification.\u003c/p\u003e\n"]]],["reCAPTCHA keys are tied to specific domains or package names. For websites, a key works for the specified domain and its first-level subdomains. Multiple domains can be added to a single key. For mobile apps, keys are tied to package names. If the domain/package list is extensive, checking can be disabled in the admin console's \"Advanced Settings.\" However, disabling it requires manual hostname/package verification on the server to prevent unauthorized use. Turning off domain or package checking without server side checking is a large security risk.\n"],null,["# Domain/Package Name Validation\n\nA reCAPTCHA key is normally tied to a set of individual domains or package\nnames. For web users, the API key pair is unique to the domains and first-level\nsubdomains that you specify. Specifying more than one domain could come in handy\nif you serve your website from multiple top level domains.\n\nFor example, if you specify the API key pair to *yoursite.com* , the following\ntable shows whether or not reCAPTCHA will work for the domain and its subdomain\nvariations. If you specify other domain names or TLDs (for example:\n*anothersite.com* , *yoursite.net*), the same reCAPTCHA conditions apply.\n\n| Specified domain | Website domain | Will reCAPTCHA work? |\n|------------------|-------------------------------|----------------------|\n| *yoursite.com* | *yoursite.com* | Yes |\n| *yoursite.com* | www.*yoursite.com* | Yes |\n| *yoursite.com* | subdomain.*yoursite.com* | Yes |\n| *yoursite.com* | subdomain.*yoursite.com*:8080 | Yes |\n| *yoursite.com* |\n| *yoursite.com* |\n\nIf you would like to use \"localhost\" for development, you must add it to the list of domains.\n\nFor mobile users, the API key pair is only unique to the specified [package\nnames](https://developer.android.com/guide/topics/manifest/manifest-element.html#package) (for\nexample, com.google.recaptcha.test).\n\nHowever, if your domain or package name list is extremely long, fluid, or unknown, we give you the\noption to turn off the domain or package name checking on reCAPTCHA's end, and instead check on your\nserver.\n\nTo do so, in the [admin console](//www.google.com/recaptcha/admin), go to \"Advanced Settings\" for\nyour key, and untick the \"Domain/Package Name Validation\" box.\n\nSecurity Warning\n----------------\n\nTurning off this protection by itself poses a large security risk - your key could be taken and used\nby anyone, as there are no restrictions as to the site it's on. For this reason, when verifying a\nsolution, you are **required** to check the [hostname/package\nfield](/recaptcha/docs/verify#api-response) and reject any solutions that are coming from unexpected\nsources."]]