I'm using the "no-captcha" captcha from the Google API. On some browsers (notably Chromium on Linux ... hmm, politically interesting ...) it fails to do its fancy magic and falls back to the old fashioned distorted image style captcha.
This isn't a problem in itself, and works fine when I run the web server locally, but when I run it on staging it shows a broken image link symbol instead of the fallback image, and I can see that the Google API is giving a 400. Nothing in the code is different from the local version apart from the site key. I haven't placed the secret key anywhere yet.
I haven't yet implemented anything server-side relating to the captcha - that part of the form data is ignored by the server - so it doesn't seem like it should be anything to do with the firewall or proxy (it's EC2) but perhaps I am misunderstanding how these things work.