Google recaptcha remoteip explanation

馋奶兔 submitted on 2020-06-16 00:35:32

Question


In the documentation of recaptcha it says that the remoteip argument is optional, but I don't understand its purpose, because even if I send a different IP than REMOTE_ADDR, the response from Google is still a valid captcha.


Answer 1:


This was already asked on Information Security, and I will provide the accepted answer here too, because it is not clear that it is mainly a security issue:

Because there could be a DNS/hosts reroute in place to allow the captcha to be parsed differently by a malicious user.

One possible scenario is farming cheap labour to manually solve captchas and then submit them back with the form. Since the recaptcha will only serve the image once, this is the lazy way to farm this out (redirect the requested image elsewhere).

If the IP address which requests the image is different to the IP address that requests the page then this would indicate this style of attack.
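
The server-side half of this check, as an added example that is not part of the original question or answer: the page handler reports the address it saw to siteverify as `remoteip`. The helper names and the `trusted_proxies` parameter are assumptions of this sketch; `REMOTE_ADDR` is read from a WSGI-style `environ`.

```python
import ipaddress
import json
import urllib.parse
import urllib.request

SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"

def client_ip(environ, trusted_proxies=()):
    """Return the address to report as remoteip, or None if unusable.

    REMOTE_ADDR is the TCP peer and cannot be set by the client. The
    X-Forwarded-For header can, so it is consulted only when the peer is
    one of our own proxies (trusted_proxies is an assumption of this example).
    """
    candidates = [environ.get("REMOTE_ADDR", "")]
    if candidates[0] in trusted_proxies:
        forwarded = environ.get("HTTP_X_FORWARDED_FOR", "").split(",")
        # Walk right to left: the rightmost entries were appended by our proxies.
        candidates = [h.strip() for h in reversed(forwarded)] + candidates
    for value in candidates:
        if value in trusted_proxies:
            continue
        try:
            return str(ipaddress.ip_address(value))
        except ValueError:
            return None  # malformed entry: nothing further left is trustworthy
    return None

def build_siteverify_request(secret, token, remote_ip=None):
    """Build the POST for siteverify; remoteip is sent only when known."""
    fields = {"secret": secret, "response": token}
    if remote_ip:
        fields["remoteip"] = remote_ip
    body = urllib.parse.urlencode(fields).encode("ascii")
    return urllib.request.Request(SITEVERIFY_URL, data=body, method="POST")

def verify_captcha(secret, token, environ, trusted_proxies=(),
                   send=urllib.request.urlopen):
    """Return True only if the siteverify response reports success."""
    req = build_siteverify_request(secret, token,
                                   client_ip(environ, trusted_proxies))
    with send(req, timeout=5) as resp:
        result = json.load(resp)
    return result.get("success") is True
```

The `send` parameter exists so the HTTP call can be replaced in tests; in production the default `urllib.request.urlopen` is used.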



Source: https://stackoverflow.com/questions/46632194/google-recaptcha-remoteip-explanation
