What happened?
When validating reCAPTCHA on form submit, Freeform uses a bare GuzzleHttp\Client instead of Craft’s proxy-aware client. Outbound requests to Google’s siteverify endpoint therefore do not respect Craft’s httpProxy general config or config/guzzle.php.
This breaks reCAPTCHA validation on hosts where outbound HTTPS must go through a forward proxy (e.g. behind a WAF or corporate egress
proxy).
Affected code:
$client = new Client();
// ...
$response = $client->post('https://www.google.com/recaptcha/api/siteverify', [ ... ]);
Suggested fix:
$client = \Craft::createGuzzleClient();
Errors and Stack Trace (if available)
How can we reproduce this?
- Configure Craft with an HTTP proxy, e.g. in config/general.php:
'httpProxy' => 'http://proxy.example.com:8080',
- Enable reCAPTCHA in Freeform (v3 or v2).
- Submit a form on an environment where direct access to https://www.google.com is blocked but proxy access works.
Freeform Edition
Pro
Freeform Version
5.15.9
Craft Version
5.9.22
When did this issue start?
Previous Freeform Version
No response
What happened?
When validating reCAPTCHA on form submit, Freeform uses a bare GuzzleHttp\Client instead of Craft’s proxy-aware client. Outbound requests to Google’s siteverify endpoint therefore do not respect Craft’s httpProxy general config or config/guzzle.php.
This breaks reCAPTCHA validation on hosts where outbound HTTPS must go through a forward proxy (e.g. behind a WAF or corporate egress
proxy).
Affected code:
Suggested fix:
Errors and Stack Trace (if available)
How can we reproduce this?
'httpProxy' => 'http://proxy.example.com:8080',
Freeform Edition
Pro
Freeform Version
5.15.9
Craft Version
5.9.22
When did this issue start?
Previous Freeform Version
No response