Drupal is a registered trademark of Dries Buytaert
cms 2.1.3 Update released for Drupal core (2.1.3)! drupal 10.5.11 Update released for Drupal core (10.5.11)! drupal 11.3.11 Update released for Drupal core (11.3.11)! drupal 11.2.13 Update released for Drupal core (11.2.13)! drupal 10.6.10 Update released for Drupal core (10.6.10)! cms 2.1.2 Update released for Drupal core (2.1.2)! drupal 11.1.10 Update released for Drupal core (11.1.10)! drupal 10.5.10 Update released for Drupal core (10.5.10)! drupal 10.4.10 Update released for Drupal core (10.4.10)! drupal 11.2.12 Update released for Drupal core (11.2.12)! drupal 11.3.10 Update released for Drupal core (11.3.10)! drupal 10.6.9 Update released for Drupal core (10.6.9)! drupal 10.6.8 Update released for Drupal core (10.6.8)! drupal 11.3.9 Update released for Drupal core (11.3.9)! drupal 11.3.8 Update released for Drupal core (11.3.8)! drupal 11.3.7 Update released for Drupal core (11.3.7)! drupal 11.2.11 Update released for Drupal core (11.2.11)! drupal 10.6.7 Update released for Drupal core (10.6.7)! drupal 10.5.9 Update released for Drupal core (10.5.9)! cms 2.1.1 Update released for Drupal core (2.1.1)!
← All modules

hecapte_captcha

No security coverage
View on drupal.org

HeCAPTe CAPTCHA integrates HeCAPTe — a privacy-first, stateless proof-of-work CAPTCHA — into Drupal's CAPTCHA framework. No tracking, no third-party services, no image puzzles.

Traditional CAPTCHAs either rely on external services that track your users (Google reCAPTCHA, hCaptcha) or ask them to solve visual puzzles that frustrate people with accessibility needs. HeCAPTe takes a different approach: it makes the visitor's browser solve a computational puzzle (Equihash proof-of-work) silently in the background. Legitimate users on modern devices solve it in seconds without any interaction. Bots face a cost that makes mass submissions economically unviable.

Features

  • No user interaction required. The puzzle runs invisibly via WebAssembly — visitors never see a widget, checkbox, or image grid.
  • Privacy-preserving. No cookies, no tracking pixels, no data sent to third parties. Everything is verified by your own HeCAPTe server.
  • Stateless verification. The HeCAPTe server holds no session state for challenges. Replay attacks are blocked via a salt cache.
  • Self-hosted. You run the HeCAPTe server yourself (a single Go binary + SQLite). No SaaS dependency.
  • Accessible. Because there is nothing to solve from the user's perspective, the CAPTCHA presents no barrier to screen reader users or anyone with visual impairments.
  • Configurable difficulty. The HeCAPTe admin panel offers Low / Recommended / High presets (Equihash N/K parameters) depending on your spam threat level.
  • Plugs into Drupal's CAPTCHA module. Works on any form that the CAPTCHA module supports — comment forms, contact forms, user registration, Webform, and more.

Post-Installation

Before configuring this module, you need a running HeCAPTe server instance. See the HeCAPTe documentation for installation instructions. Make sure the HeCAPTe deployment includes a built web/static/solver.wasm — the module proxies this file through Drupal.

Once the server is running:

  1. Go to the HeCAPTe admin panel, create a site, and set the allowed origins to include your Drupal site's origin. Copy the Site Key.
  2. In Drupal, navigate to /admin/config/people/captcha/hecapte and enter your HeCAPTe server URL and Site Key.
  3. On the main CAPTCHA settings page, select hecapte_captcha/HeCAPTe as the challenge type for the forms you want to protect.

The module proxies the HeCAPTe runtime assets (worker.js, wasm_exec.js, solver.wasm) through Drupal's own routes, so no cross-origin requests are made from the browser to your HeCAPTe server.

Additional Requirements

  • CAPTCHA module 1.17 or 2.x
  • Drupal 10 or 11
  • A running HeCAPTe server instance (self-hosted). See https://codeberg.org/TheMeerkat/HeCAPTe for setup instructions. Requires Go to build, or use the provided Docker image. The server must have a built web/static/solver.wasm.
  • The HeCAPTe site key's allowed origins must include your Drupal site's origin.

Recommended modules/libraries

No additional Drupal modules are required. If you use Webform, HeCAPTe CAPTCHA works with it via the standard CAPTCHA module integration.

Similar projects

Several Drupal modules protect forms with CAPTCHAs, but differ in meaningful ways:

  • reCAPTCHA — uses Google's reCAPTCHA v2/v3. Requires sending user data to Google's servers. Not suitable for privacy-conscious deployments or GDPR contexts without additional consent handling.
  • hCaptcha — a third-party SaaS alternative to reCAPTCHA. Still routes traffic through an external service and sets third-party cookies.
  • Friendly Captcha — also uses proof-of-work and is privacy-friendlier than reCAPTCHA, but depends on the Friendly Captcha SaaS service. Not fully self-hosted.
  • ALTCHA — self-hosted proof-of-work CAPTCHA using SHA-256/Argon2id/Scrypt. Shows a visible checkbox widget. More mature with stable releases and security advisory policy coverage. HeCAPTe differs in using Equihash (memory-hard by default) and running completely invisible to the user.

Supporting this Module

If you find this module useful, consider starring the HeCAPTe repository on Codeberg and spreading the word.

Community Documentation

Activity

Total releases
2
First release
Jun 2026
Latest release
15 hours ago
Release cadence
0 days
Stability
0% stable

Releases

Version Type Release date
1.0.0-beta1 Pre-release Jun 3, 2026
1.0.x-dev Dev Jun 3, 2026