Drupal is a registered trademark of Dries Buytaert
Protected Pages 3.0.0 Major update available for module protected_pages (3.0.0). Commerce Core 3.3.8 Minor update available for module commerce (3.3.8). Search API HTML Element Filter 1.0.7 Minor update available for module search_api_html_element_filter (1.0.7). Layout Builder Reorder 2.0.1 Minor update available for module layout_builder_reorder (2.0.1). Ban 1.1.0 Minor update available for module ban (1.1.0). Field Formatter Range 2.0.0 Major update available for module field_formatter_range (2.0.0). Field Formatter Range 8.x-1.8 Minor update available for module field_formatter_range (8.x-1.8). Varbase Media Header 9.2.1 Minor update available for module varbase_media_header (9.2.1). Search API Solr 4.3.11 Module search_api_solr updated after 14 months of inactivity (4.3.11). Provus Mega Menu Module provus_mega_menu crossed 1,000 active installs.

Webform Shield is a module that prevents spam submissions on your Drupal website by using encrypted dynamic keys and configurable timeouts. It works in the background, requiring human-like interaction and validating tokens to ensure legitimate users can submit forms while bots are blocked.

Webform Shield

Prevent form spam with encrypted dynamic keys and configurable timeouts

Overview

Webform Shield is an advanced spam protection module for Drupal that prevents robotic form submissions using encrypted dynamic keys with configurable timeouts. The module works completely behind the scenes and requires human-like interaction from end-users.

The module protects your forms by:

  • Generating server-side encrypted tokens with built-in expiration
  • Detecting human behavior (mouse movement, touch, keyboard, clicks, scrolling)
  • Validating tokens with session binding and one-time use enforcement
  • Automatically cleaning up expired tokens via cron
  • Using Drupal's cache system for secure token storage

Key Features

Security: Server-side token generation with cryptographic randomness, configurable expiration times (1-60 minutes), and session validation for enhanced protection.

User Experience: Works transparently in the background - legitimate users with JavaScript enabled won't notice any difference in form behavior.

Flexibility: Configure which forms to protect using wildcard patterns, set custom timeout periods, and exclude specific forms as needed.

Requirements

This module requires no modules outside of Drupal core.

Note: Users must have JavaScript enabled. Forms will be blocked for users without JavaScript.

Installation

Install as you would normally install a contributed Drupal module:

  1. Extract the module to your modules/custom directory
  2. Enable the module via the admin interface or drush:

    drush en webform_shield

  3. Navigate to Administration » Configuration » User Interface » Webform Shield to configure protected forms

Default Protected Forms

The module comes pre-configured to protect commonly targeted forms:

  • comment_* - All comment forms
  • user_login_form - User login form
  • user_pass - Password reset form
  • user_register_form - User registration form
  • contact_message_* - All contact forms
  • webform_* - All webforms

Credits

Inspiration: This module was inspired by the Antibot module, which pioneered the approach of using JavaScript-based human detection for spam prevention.

Enhanced Security: While building on Antibot's concepts, Webform Shield provides additional security features including server-side token management, configurable expiration times, session binding, cryptographic verification, and automatic token lifecycle management.

Support

For issues and feature requests, please use the module's issue queue or contact the maintainers.

Activity

Total releases
2
First release
Aug 2025
Latest release
8 months ago
Releases (12 mo)
2 ▲ from 0
Maintenance
Slowing

Releases

Version Type Release date
1.0.1 Stable Oct 22, 2025
1.0.0 Stable Aug 14, 2025