Posted on 16/01/2026 10:55:53
Thanks
I have seen through several sites - and it is the same thing they all see - and the same bot.
I have 2 pull requests - a homebrew version that will fix this particular problem with repeated gibberish in many fields. But I do not think that will be a long term solution so I am not sure we will let it through.
Then we have also implemented hCaptcha for DW10.
https://doc.dynamicweb.dev/documentation/fundamentals/dw10release/releasenotes/workiteminfo.html?workitemid=26907
This first version is created in a way so it is easy to setup without changing any templates - it will inject hcaptcha to the existing antispam fields and add the hcaptcha checks to the current antispam checks.
Below is the documentation for it - just to give you an idea of how it works and what it does.
Form
The Form settings are used to activate antispam on forms. Once activated, a set of hidden input fields are generated when a form is rendered. If these fields are filled (typically by bots), or if other antispam checks fail, the form submission is regarded as spam and blocked.
The following settings are available:
| Setting |
Use |
Notes |
| Activate antispam functionality – Forms |
Activates antispam on Forms for Editors forms |
Adds automatic hidden captcha fields and performs bot checks when forms are submitted. Requires the hidden antispam fields to be present in the form templates. |
| Activate antispam functionality – Users |
Activates antispam on Extranet forms |
Adds automatic hidden captcha fields and performs bot checks when users are created. Requires hidden antispam fields in the user creation template. |
| Activate antispam functionality – Comment |
Activates antispam on comment forms |
Adds automatic hidden captcha fields and performs bot checks when comments are submitted. Requires hidden antispam fields in the comment edit template. |
| Send notification to e-mail |
Enter an email address |
When spam is detected, an email containing the blocked submission data is sent to this address. |
| Seconds before post |
Enter value in seconds (default: 2) |
Forms submitted faster than this threshold are marked as spam. |
| Allowed submits from same IP |
Enter a value (default: 15) |
If more than this number of submissions are made from the same IP address, they are marked as spam. |
| IP submit timeframe in hours |
Specify timeframe in hours (default: 24) |
The time window used when counting submissions from the same IP address. |
| Disable extended checks |
Enable to disable extended checks |
Turns off timing checks and IP submission limits. |
| Enable hCaptcha |
Enables hCaptcha validation on forms with antispam enabled |
Adds an hCaptcha challenge and verifies the response server-side when a form is submitted. Requires hCaptcha keys to be configured. |
| hCaptcha site key (public) |
Enter the hCaptcha site key |
Public key used to render the hCaptcha challenge in forms. Safe to expose in frontend markup. |
| hCaptcha secret key (private) |
Enter the hCaptcha secret key |
Private key used server-side to verify hCaptcha responses. Must be kept confidential. |
hCaptcha
hCaptcha is an external bot-detection service that complements Dynamicweb’s built-in antispam mechanisms (hidden fields, timing checks, IP limits).
When hCaptcha is enabled, Dynamicweb automatically injects an hCaptcha widget into forms where antispam is active and validates the hCaptcha response when the form is submitted.
Creating an hCaptcha account
- Go to https://dashboard.hcaptcha.com
- Create an account and register your site/domain.
- Configure the site for passive / non-interactive behavior.
- Copy the site key and secret key into the corresponding Dynamicweb settings.
Note: hCaptcha requires outbound HTTPS access from the application to hcaptcha.com for verification. This is always possible in Dynamicweb Cloud.
Note: to test hCaptcha in local development environment, refer to hCaptcha documentation: https://docs.hcaptcha.com/#local-development
How it works in Dynamicweb
- hCaptcha runs automatically and invisibly in the background.
- No checkbox or user interaction is normally required.
- A verification token is generated and submitted with the form.
- If verification fails or the token is missing, the submission is treated as spam.
What to expect
- Improved protection against automated bots and scripted submissions.
- Minimal impact on user experience.
- No additional template work beyond existing antispam support.
What not to expect
- hCaptcha does not replace Dynamicweb’s existing antispam checks.
- It does not guarantee that all spam is blocked.
- It does not display a visible challenge unless hCaptcha determines it is necessary.
When to use hCaptcha
- Public-facing forms exposed to spam or abuse.
- User registration and comment forms.
- High-traffic forms where hidden-field and timing checks alone are insufficient.
Troubleshooting hCaptcha
If form submissions are unexpectedly blocked after enabling hCaptcha, use the steps below to identify and resolve the issue.
Forms are blocked immediately after enabling hCaptcha
Symptoms
- All form submissions are rejected.
- Users report that forms “do nothing” or return errors.
- Security logs show
Missing hCaptcha token or hCaptcha verify error.
Checks
- Verify that Enable hCaptcha is set to
true and both keys are configured.
- Confirm that the hCaptcha site key and secret key belong to the same hCaptcha site.
- Check that the configured domain in hCaptcha matches the site domain exactly (including subdomains if used).
Resolution
- Correct the keys or domain configuration.
- As a temporary workaround, disable Enable hCaptcha to restore form submissions immediately.
hCaptcha is visible or overlaps the form
Symptoms
- A visible hCaptcha widget appears.
- The widget overlaps form elements.
Explanation
- This usually indicates that the hCaptcha site is configured for interactive mode.
Resolution
- Update the hCaptcha site configuration to use passive / non-interactive behavior.
- Ensure that “Always challenge” or forced checkbox modes are disabled in the hCaptcha dashboard.
