This project is not covered by Drupal’s security advisory policy.
This module integrates HeCAPTe — a self-hosted, privacy-first proof-of-work CAPTCHA server — as a challenge type in Drupal's CAPTCHA module.
HeCAPTe makes the visitor's browser solve an Equihash puzzle silently in the background via WebAssembly. No interaction required, no tracking, no third-party services. This Drupal module connects your Drupal site to a HeCAPTe server you run yourself: it provides the configuration form, proxies the HeCAPTe runtime assets through Drupal, and verifies submitted proof-of-work tokens server-side during form validation.
Features
What this Drupal module provides:
- HeCAPTe challenge type registered with the CAPTCHA module — works on any form the CAPTCHA module supports (comments, contact forms, user registration, Webform, and more).
- Configuration form at /admin/config/people/captcha/hecapte for your HeCAPTe server URL and site key.
- Asset proxy routes — serves the HeCAPTe WebAssembly solver and worker through Drupal's own routes, so the browser never makes cross-origin requests to your HeCAPTe server.
- Server-side verification — calls the HeCAPTe /verify endpoint during Drupal form validation.
What HeCAPTe itself provides (on your HeCAPTe server):
- Invisible proof-of-work via Equihash — no checkbox, no image puzzle, no user interaction.
- Stateless challenge verification with replay protection via salt cache.
- Configurable difficulty presets (Low / Recommended / High).
- Admin panel for site key management with WebAuthn support.
- No cookies, no tracking, no data sent to third parties.
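How stateless verification and a salt cache fit together, as an added sketch that is not HeCAPTe's or this module's code. HeCAPTe's wire format is not described on this page, so the challenge layout, the HMAC tag, the names Verifier, issue, verify, solve and work, and SHA-256 leading-zero-bit hashcash standing in for Equihash are all assumptions.

```python
import hashlib
import hmac
import secrets
import threading


def work(salt: str, nonce: int) -> int:
    """Leading zero bits of SHA-256(salt:nonce) (assumed stand-in for Equihash)."""
    digest = hashlib.sha256(f"{salt}:{nonce}".encode()).digest()
    return 256 - int.from_bytes(digest, "big").bit_length()


def solve(salt: str, zero_bits: int) -> int:
    """Client side: brute-force a nonce that meets the difficulty."""
    nonce = 0
    while work(salt, nonce) < zero_bits:
        nonce += 1
    return nonce


class Verifier:
    """Holds a signing key and the salts already redeemed; issuing stores nothing."""

    def __init__(self, key: bytes, zero_bits: int):
        self.key, self.zero_bits = key, zero_bits
        self.seen = {}  # redeemed salt -> expiry; this is the only server state
        self.lock = threading.Lock()

    def _mac(self, salt: str, exp: int) -> str:
        return hmac.new(self.key, f"{salt}.{exp}".encode(), hashlib.sha256).hexdigest()

    def issue(self, now: int, ttl: int = 120):
        salt, exp = secrets.token_hex(16), now + ttl
        return salt, exp, self._mac(salt, exp)  # the tag binds salt and expiry

    def verify(self, salt, exp, tag, nonce, now) -> str:
        if not hmac.compare_digest(self._mac(salt, exp).encode(), tag.encode()):
            return "forged"
        if now > exp:
            return "expired"
        if work(salt, nonce) < self.zero_bits:
            return "insufficient work"
        with self.lock:
            for old in [s for s, e in self.seen.items() if e < now]:
                del self.seen[old]  # expired salts already fail the check above
            if salt in self.seen:
                return "replayed"
            self.seen[salt] = exp
        return "ok"
```

Because every challenge carries its own expiry under the MAC, the salt cache only has to remember a salt until that expiry passes, which keeps its size bounded by the challenge lifetime.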
Post-Installation
Before configuring this module, you need a running HeCAPTe server instance. See the HeCAPTe documentation for installation instructions. Make sure the HeCAPTe deployment includes a built web/static/solver.wasm — the module proxies this file through Drupal.
Once the server is running:
- Go to the HeCAPTe admin panel, create a site, and set the allowed origins to include your Drupal site's origin. Copy the Site Key.
- In Drupal, navigate to /admin/config/people/captcha/hecapte and enter your HeCAPTe server URL and Site Key.
- On the main CAPTCHA settings page, select hecapte_captcha/HeCAPTe as the challenge type for the forms you want to protect.
The module proxies the HeCAPTe runtime assets (worker.js, wasm_exec.js, solver.wasm) through Drupal's own routes, so no cross-origin requests are made from the browser to your HeCAPTe server.
Additional Requirements
- CAPTCHA module 1.17 or 2.x
- Drupal 10 or 11
- A running HeCAPTe server instance (self-hosted). See https://codeberg.org/TheMeerkat/HeCAPTe for setup instructions. Requires Go to build, or use the provided Docker image. The server must have a built web/static/solver.wasm.
- The HeCAPTe site key's allowed origins must include your Drupal site's origin.
Recommended modules/libraries
No additional Drupal modules are required. If you use Webform, HeCAPTe CAPTCHA works with it via the standard CAPTCHA module integration.
Similar projects
Several Drupal modules protect forms with CAPTCHAs, but differ in meaningful ways:
- reCAPTCHA — uses Google's reCAPTCHA v2/v3. Requires sending user data to Google's servers. Not suitable for privacy-conscious deployments or GDPR contexts without additional consent handling.
- hCaptcha — a third-party SaaS alternative to reCAPTCHA. Still routes traffic through an external service and sets third-party cookies.
- Friendly Captcha — also uses proof-of-work and is privacy-friendlier than reCAPTCHA, but depends on the Friendly Captcha SaaS service. Not fully self-hosted.
- ALTCHA — self-hosted proof-of-work CAPTCHA using SHA-256/Argon2id/Scrypt. Shows a visible checkbox widget. More mature with stable releases and security advisory policy coverage. HeCAPTe differs in using Equihash (memory-hard by default) and running completely invisible to the user.
Community Documentation
- HeCAPTe server documentation — full API reference, configuration options, and deployment guide for the HeCAPTe server.
Project information
- Ecosystem: CAPTCHA
- Created by tobiasb on , updated
This project is not covered by the security advisory policy.
Use at your own risk! It may have publicly disclosed vulnerabilities.
Releases
Initial release
Development version: 1.0.x-dev updated 3 Jun 2026 at 12:29 UTC
