
what is the purpose of verifying user response on server side in recaptcha?


I can't understand why I need to validate user response on server side in recaptcha v2? Is just checking on client side sufficient? I suspect that server side validation is also important as otherwise recaptcha is just a checkbox.

Which brings me to my other question: how is reCAPTCHA any different from just a checkbox?


Solution

  • I can't understand why I need to validate user response on server side in recaptcha v2?

    An attacker could make an HTTP request to your server-side code that completely bypasses all your client-side code, including the CAPTCHA.

    How is recaptcha not different from just a checkbox?

    It applies a large collection of heuristics measured with JavaScript and then generates a custom value.

    It isn't a simple true/false that can be determined just by scraping a page.
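To make the answer concrete, here is an added example (not code from the question or the answer above) of what the server-side step looks like and which bypasses it closes. It assumes the standard reCAPTCHA v2 flow: the widget places a one-time token in the form field `g-recaptcha-response`, and the server POSTs that token together with its secret key to Google's `siteverify` endpoint, which answers with JSON containing `success`, `hostname`, `challenge_ts` and, on failure, `error-codes`. The HTTP call is injectable so the logic runs offline against a constructed stand-in; the secret and tokens are placeholders.

```python
"""Server-side reCAPTCHA v2 verification (added example, not from the page).

Why the server must check: a client can skip the widget entirely and POST
the form directly, or send a forged or replayed token. Only the server,
holding the secret key, can ask Google whether a token is genuine.
"""
import json
import urllib.parse
import urllib.request

SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"


def post_siteverify(secret, token, remote_ip=None, timeout=5):
    """Real network call to Google's endpoint (not used by the offline demo)."""
    data = {"secret": secret, "response": token}
    if remote_ip:
        data["remoteip"] = remote_ip
    body = urllib.parse.urlencode(data).encode()
    with urllib.request.urlopen(SITEVERIFY_URL, body, timeout=timeout) as resp:
        return json.loads(resp.read().decode())


def verify_recaptcha(form, secret, expected_hostname, post=post_siteverify):
    """Return (ok, reason) for a submitted form.

    Rejects when the token is absent (client-side JS bypassed or disabled),
    when Google does not confirm it (forged, expired or already used), or
    when it was solved on a different hostname (token lifted from another site).
    """
    token = form.get("g-recaptcha-response", "")
    if not token:
        return False, "missing-token"
    try:
        result = post(secret, token)
    except Exception as exc:  # treat an unreachable verifier as a failure, not a pass
        return False, f"siteverify-unreachable: {exc}"
    if not result.get("success"):
        return False, "rejected: " + ",".join(result.get("error-codes", []))
    if result.get("hostname") != expected_hostname:
        return False, "hostname-mismatch"
    return True, "ok"


class FakeSiteverify:
    """Constructed stand-in for the siteverify endpoint, for the offline demo.

    Each issued token is accepted exactly once; a replay yields the real
    error code 'timeout-or-duplicate', an unknown token 'invalid-input-response'.
    """

    def __init__(self, issued_tokens, hostname):
        self.issued = set(issued_tokens)
        self.unused = set(issued_tokens)
        self.hostname = hostname

    def __call__(self, secret, token, remote_ip=None):
        if token in self.unused:
            self.unused.discard(token)
            return {"success": True, "hostname": self.hostname,
                    "challenge_ts": "2024-01-01T00:00:00Z"}  # constructed value
        code = "timeout-or-duplicate" if token in self.issued else "invalid-input-response"
        return {"success": False, "error-codes": [code]}


def demo():
    """Run the verifier over constructed submissions and return the outcomes."""
    secret = "SECRET-KEY-PLACEHOLDER"
    google = FakeSiteverify({"tok-good"}, "example.com")
    other_site = FakeSiteverify({"tok-elsewhere"}, "other.example")
    submissions = [
        ({"email": "a@example.com", "g-recaptcha-response": "tok-good"}, google),   # honest user
        ({"email": "a@example.com", "g-recaptcha-response": "tok-good"}, google),   # same token replayed
        ({"email": "a@example.com"}, google),                                        # widget skipped entirely
        ({"email": "a@example.com", "g-recaptcha-response": "forged"}, google),     # made-up token
        ({"email": "a@example.com", "g-recaptcha-response": "tok-elsewhere"}, other_site),  # solved on another host
    ]
    return [verify_recaptcha(form, secret, "example.com", post=fake) for form, fake in submissions]


if __name__ == "__main__":
    for ok, reason in demo():
        print("ACCEPT" if ok else "REJECT", reason)
```

Only the first submission passes; the other four are exactly the cases a purely client-side checkbox cannot distinguish, because the checkbox never reaches the server as anything more than a form field the client controls.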