Drupal is a registered trademark of Dries Buytaert
Search API Solr 4.3.13 Minor update available for module search_api_solr (4.3.13). Search API Solr 4.3.12 Minor update available for module search_api_solr (4.3.12). smart 404 1.1.3 Minor update available for module smart_404 (1.1.3). smart 404 1.1.2 Minor update available for module smart_404 (1.1.2). IntelligenceBank DAM Connector 4.1.4 Minor update available for module intelligencebank (4.1.4). IntelligenceBank DAM Connector 5.2.3 Minor update available for module intelligencebank (5.2.3). Soccerbet 1.1.14 Minor update available for module soccerbet (1.1.14). Search API Solr 4.3.11 Module search_api_solr updated after 14 months of inactivity (4.3.11). Ultimate Cron Summary 2.0.0 Major update available for module ultimate_cron_summary (2.0.0). Content Translation Redirect Module content_translation_redirect crossed 1,000 active installs.

HeCAPTe

3 sites Security covered
View on drupal.org

This module integrates HeCAPTe, a self-hosted, privacy-first proof-of-work CAPTCHA server, into Drupal's CAPTCHA system. It allows your website visitors' browsers to silently solve a puzzle in the background without any user interaction, providing a privacy-focused alternative to traditional CAPTCHAs. The module connects to your self-hosted HeCAPTe server and verifies the solutions on your Drupal site.

This module integrates HeCAPTe — a self-hosted, privacy-first proof-of-work CAPTCHA server — as a challenge type in Drupal's CAPTCHA module.

HeCAPTe makes the visitor's browser solve an Equihash puzzle silently in the background via WebAssembly. No interaction required, no tracking, no third-party services. This Drupal module connects your Drupal site to a HeCAPTe server you run yourself: it provides the configuration form, proxies the HeCAPTe runtime assets through Drupal, and verifies submitted proof-of-work tokens server-side during form validation.

Features

What this Drupal module provides:

  • HeCAPTe challenge type registered with the CAPTCHA module — works on any form the CAPTCHA module supports (comments, contact forms, user registration, Webform, and more).
  • Configuration form at /admin/config/people/captcha/hecapte for your HeCAPTe server URL and site key.
  • Asset proxy routes — serves the HeCAPTe WebAssembly solver and worker through Drupal's own routes, so the browser never makes cross-origin requests to your HeCAPTe server.
  • Server-side verification — calls the HeCAPTe /verify endpoint during Drupal form validation.

What HeCAPTe itself provides (on your HeCAPTe server):

  • Invisible proof-of-work via Equihash — no checkbox, no image puzzle, no user interaction.
  • Stateless challenge verification with replay protection via salt cache.
  • Configurable difficulty presets (Low / Recommended / High).
  • Admin panel for site key management with WebAuthn support.
  • No cookies, no tracking, no data sent to third parties.

Post-Installation

Before configuring this module, you need a running HeCAPTe server instance. See the HeCAPTe documentation for installation instructions. Make sure the HeCAPTe deployment includes a built web/static/solver.wasm — the module proxies this file through Drupal.

Once the server is running:

  1. Go to the HeCAPTe admin panel, create a site, and set the allowed origins to include your Drupal site's origin. Copy the Site Key.
  2. In Drupal, navigate to /admin/config/people/captcha/hecapte and enter your HeCAPTe server URL and Site Key.
  3. On the main CAPTCHA settings page, select hecapte_captcha/HeCAPTe as the challenge type for the forms you want to protect.

The module proxies the HeCAPTe runtime assets (worker.js, wasm_exec.js, solver.wasm) through Drupal's own routes, so no cross-origin requests are made from the browser to your HeCAPTe server.

Additional Requirements

  • CAPTCHA module 1.17 or 2.x
  • Drupal 10 or 11
  • A running HeCAPTe server instance (self-hosted). See https://codeberg.org/TheMeerkat/HeCAPTe for setup instructions. Requires Go to build, or use the provided Docker image. The server must have a built web/static/solver.wasm.
  • The HeCAPTe site key's allowed origins must include your Drupal site's origin.

No additional Drupal modules are required. If you use Webform, HeCAPTe CAPTCHA works with it via the standard CAPTCHA module integration.

Similar projects

Several Drupal modules protect forms with CAPTCHAs, but differ in meaningful ways:

  • reCAPTCHA — uses Google's reCAPTCHA v2/v3. Requires sending user data to Google's servers. Not suitable for privacy-conscious deployments or GDPR contexts without additional consent handling.
  • hCaptcha — a third-party SaaS alternative to reCAPTCHA. Still routes traffic through an external service and sets third-party cookies.
  • Friendly Captcha — also uses proof-of-work and is privacy-friendlier than reCAPTCHA, but depends on the Friendly Captcha SaaS service. Not fully self-hosted.
  • ALTCHA — self-hosted proof-of-work CAPTCHA using SHA-256/Argon2id/Scrypt. Shows a visible checkbox widget. More mature with stable releases and security advisory policy coverage. HeCAPTe differs in using Equihash (memory-hard by default) and running completely invisible to the user.

Community Documentation

Activity

Total releases
3
First release
Jun 2026
Latest release
4 weeks ago
Releases (12 mo)
3 ▲ from 0
Maintenance
Active

Release Timeline

Releases

Version Type Release date
1.0.0 Stable Jun 19, 2026
1.0.0-beta1 Pre-release Jun 3, 2026
1.0.x-dev Dev Jun 3, 2026