hCaptcha
hCaptcha is a privacy-oriented CAPTCHA service used to block automated abuse on forms and logins. ScanMalware detects it from the hCaptcha widget script and challenge iframe.
Its presence indicates anti-automation protection. On credential-collecting pages a CAPTCHA can also be used by phishing kits to appear legitimate, so it should be read in context.
Commonly deployed alongside hCaptcha
Of the 3,946 public scans where hCaptcha was detected, these are the technologies most often present on the same site. The share is the percentage of hCaptcha sites that also ran each one.
| Technology | Category | Share of hCaptcha sites |
|---|---|---|
| Cloudflare | wappalyzer | 76.6% |
| reCAPTCHA | wappalyzer | 75.35% |
| HTTP/3 | wappalyzer | 68.79% |
| Cloudflare Turnstile | wappalyzer | 52.66% |
| Google Cloud | wappalyzer | 45.77% |
| Google Cloud CDN | wappalyzer | 45.77% |
| HSTS | wappalyzer | 30.72% |
| Open-Graph-Protocol | miscellaneous | 30.52% |
| Cloudflare Bot Management | wappalyzer | 23.89% |
| jQuery | wappalyzer | 23.4% |
| X-UA-Compatible | miscellaneous | 22.44% |
| Google Analytics | wappalyzer | 19.86% |
| PoweredBy | miscellaneous | 19.15% |
| JQuery | miscellaneous | 18.36% |
How ScanMalware detects hCaptcha
hCaptcha is detected by analysing the response headers, HTML markup, JavaScript runtime and asset URLs captured when ScanMalware loads the site in a real headless browser.
From any scan you can pivot into related signals — JARM TLS fingerprints, ASN ownership and BGP routing, certificate history, JavaScript analysis and the overall security verdict — to understand not just that hCaptcha is present, but how it is being used. Open the full search interface for hCaptcha →
Recent public scans featuring hCaptcha
A rolling sample of recent public scans where hCaptcha was detected. Listing a site here is not a safety judgement — open a scan to see its full verdict.
| Site | Scanned |
|---|---|
| HIPAA- and TCPA-Aware Dental Texting: A Practical Compliance Guide | Dental GHL Snapshot https://dental-ghl-website-astro-ddu.pages.dev/guides/hipaa-tcpa-dental-texting | 2026-06-16 |
| Comune di San Martino del Lago – Sito web istituzionale https://www.comune.sanmartinodellago.cr.it | 2026-06-16 |
| Comune di Pioraco https://www.comune.pioraco.mc.it | 2026-06-16 |
| https://business.optimum.net | 2026-06-16 |
| Log in | Web https://app2.highwire.com | 2026-06-16 |
| TaskUs - BPO & Digital Transformation Services https://taskus.com | 2026-06-16 |
| LM Bambini https://lmbambini.com.au | 2026-06-16 |
| Bakr Cookie Dough https://www.bakrcookies.com | 2026-06-16 |
Frequently asked questions about hCaptcha
- Does using hCaptcha mean a website is unsafe?
- No. hCaptcha is a stack component, not a verdict. ScanMalware scores the whole page — its scripts, redirects, certificates, threat-intelligence matches and behaviour — so a site using hCaptcha can be perfectly safe or actively malicious.
- How many sites using hCaptcha has ScanMalware scanned?
- hCaptcha has been detected in 3,946 public scans on ScanMalware.com. Each scan is a real headless-browser visit, and the figure updates as new URLs are submitted.
- What technologies are commonly used with hCaptcha?
- Across scanned sites, hCaptcha is most often seen alongside Cloudflare, reCAPTCHA and HTTP/3. The full co-occurrence breakdown is listed on this page.
Browse all profiled technologies on the technology index, or scan a URL to see its full stack.