Webform Shield

Prevent form spam with encrypted dynamic keys and configurable timeouts

Overview

Webform Shield is an advanced spam protection module for Drupal that prevents robotic form submissions using encrypted dynamic keys with configurable timeouts. The module works completely behind the scenes and requires human-like interaction from end-users.

The module protects your forms by:

  • Generating server-side encrypted tokens with built-in expiration
  • Detecting human behavior (mouse movement, touch, keyboard, clicks, scrolling)
  • Validating tokens with session binding and one-time use enforcement
  • Automatically cleaning up expired tokens via cron
  • Using Drupal's cache system for secure token storage
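
The token lifecycle listed above (expiration, session binding, one-time use, cron cleanup), sketched as an added example that is not Webform Shield's own code. It assumes an opaque random token looked up server-side in place of the module's encrypted key format, which this page does not describe; the class, method and session names are hypothetical, and a plain array stands in for the cache.

```php
<?php
// Added illustration, not Webform Shield's code. All names are hypothetical.
final class TokenStore {
  private array $items = [];  // stands in for a server-side cache bin

  public function issue(string $sid, string $formId, int $ttl, int $now): string {
    $token = bin2hex(random_bytes(32));        // 256 bits from the CSPRNG
    $this->items[hash('sha256', $token)] = [   // keep only a hash of the token
      'sid' => $sid, 'form' => $formId, 'exp' => $now + $ttl,
    ];
    return $token;
  }

  public function validate(string $token, string $sid, string $formId, int $now): string {
    $key = hash('sha256', $token);
    $rec = $this->items[$key] ?? null;
    if ($rec === null) {
      return 'unknown';                        // never issued, purged, or already used
    }
    unset($this->items[$key]);                 // one-time use: consume before any other check
    if ($now >= $rec['exp']) {
      return 'expired';
    }
    if (!hash_equals($rec['sid'], $sid) || $rec['form'] !== $formId) {
      return 'wrong-session-or-form';          // token was issued to someone or something else
    }
    return 'ok';
  }

  public function purgeExpired(int $now): int {  // the job a cron run would perform
    $before = count($this->items);
    $this->items = array_filter($this->items, fn(array $r): bool => $r['exp'] > $now);
    return $before - count($this->items);
  }
}

// Constructed sample run: 300-second timeout, two sessions, fixed clock.
$store = new TokenStore();
$t0 = 1700000000;
$a = $store->issue('sess-A', 'user_login_form', 300, $t0);
$b = $store->issue('sess-A', 'user_login_form', 300, $t0);
$c = $store->issue('sess-A', 'user_login_form', 300, $t0);
$d = $store->issue('sess-A', 'user_login_form', 300, $t0);  // issued, never submitted
echo $store->validate($a, 'sess-A', 'user_login_form', $t0 + 10), "\n";   // normal submit
echo $store->validate($a, 'sess-A', 'user_login_form', $t0 + 11), "\n";   // replay of $a
echo $store->validate($b, 'sess-B', 'user_login_form', $t0 + 12), "\n";   // other session
echo $store->validate($c, 'sess-A', 'user_login_form', $t0 + 301), "\n";  // after timeout
echo $store->purgeExpired($t0 + 301), " stale token(s) purged\n";         // cleans up $d
```

Consuming the record before the expiry and session checks means a failed attempt also burns the token, so a guessed or stolen value cannot be retried against other sessions.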

Key Features

Security: Server-side token generation with cryptographic randomness, configurable expiration times (1-60 minutes), and session validation for enhanced protection.

User Experience: Works transparently in the background - legitimate users with JavaScript enabled won't notice any difference in form behavior.

Flexibility: Configure which forms to protect using wildcard patterns, set custom timeout periods, and exclude specific forms as needed.

Requirements

This module requires no modules outside of Drupal core.

Note: Users must have JavaScript enabled. Forms will be blocked for users without JavaScript.

Installation

Install as you would normally install a contributed Drupal module:

  1. Extract the module to your modules/custom directory
  2. Enable the module via the admin interface or drush:

    drush en webform_shield

  3. Navigate to Administration » Configuration » User Interface » Webform Shield to configure protected forms

Default Protected Forms

The module comes pre-configured to protect commonly targeted forms:

  • comment_* - All comment forms
  • user_login_form - User login form
  • user_pass - Password reset form
  • user_register_form - User registration form
  • contact_message_* - All contact forms
  • webform_* - All webforms

Credits

Inspiration: This module was inspired by the Antibot module, which pioneered the approach of using JavaScript-based human detection for spam prevention.

Enhanced Security: While building on Antibot's concepts, Webform Shield provides additional security features including server-side token management, configurable expiration times, session binding, cryptographic verification, and automatic token lifecycle management.

Support

For issues and feature requests, please use the module's issue queue or contact the maintainers.

Activity

  • Total releases: 2
  • First release: Aug 2025
  • Latest release: 4 months ago
  • Release cadence: 69 days
  • Stability: 100% stable

Releases

Version  Type    Release date
1.0.1    Stable  Oct 22, 2025
1.0.0    Stable  Aug 14, 2025