Antibot

Lightweight anti-spam module that prevents robotic form submissions by requiring JavaScript and human interaction.

antibot
67,601 sites
164
drupal.org
gui api
spam prevention bot protection form security javascript validation anti-spam security
Drupal 8 Drupal 9 Drupal 10 Drupal 11

インストール

Drupal 11, 10, 9, 8 v2.0.4
composer require 'drupal/antibot:^2.0'

概要

Antibotは、革新的な方法でウェブサイト上のロボットによるフォーム送信を排除するために設計された、非常に軽量なモジュールです。このモジュールは完全にバックグラウンドで動作し、エンドユーザーによる操作を一切必要としません。

保護メカニズムは、フォームのアクションを無効なパスに変更し、隠しキーフィールドを挿入することで機能します。JavaScriptが人間らしい動作(マウスの移動、タッチイベント、TabまたはEnterキーの押下)を検知すると、元のフォームアクションを復元し、正しいキー値を設定します。JavaScriptが有効でない場合、または人間らしい動作が検出されない場合、フォーム送信は失敗します。

エンドユーザーに必要な唯一の条件は、JavaScriptが有効になっていることです。無効な場合、保護されたフォームには、フォームを使用するにはJavaScriptが必要である旨のメッセージが表示されます。

Features

  • ユーザー操作を必要としない透明なスパム対策保護(CAPTCHAなし)
  • マウスの動き、タッチジェスチャー、またはキーボードナビゲーション(Tab/Enter)による人間の動作を検出
  • ボットの送信を無効なページ(/antibot)にリダイレクトしてフォームを保護
  • フォームIDマッチングのワイルドカードパターンをサポート(例:comment_*ですべてのコメントフォームを保護)
  • ワイルドカードにマッチした場合でも、特定のフォームを保護から除外する機能
  • ページ上のフォームIDとその保護状態を表示するデバッグモード
  • 信頼できるユーザーがAntibot保護をスキップできる権限ベースのバイパス
  • 保護設定変更時の適切なキャッシュ無効化
  • 個別のWebform保護設定のためのWebformモジュールとの統合
  • 他のモジュールが保護状態を変更したり、拒否された送信に応答するためのHook

Use Cases

Protecting Comment Forms from Spam Bots

By default, Antibot protects all comment forms using the pattern 'comment_*'. Spam bots that don't execute JavaScript or simulate human interaction will be blocked from posting comments. This reduces comment spam without requiring users to solve CAPTCHAs.

Securing User Registration Against Automated Signups

The user_register_form is protected by default, preventing automated account creation by bots. This is especially useful for sites that allow open registration but want to prevent mass fake account creation.

Protecting Contact Forms Without Annoying Users

Contact forms (contact_message_*) are protected by default. Unlike CAPTCHA solutions, users don't need to prove they're human - they just need to interact naturally with the page (moving their mouse or using keyboard navigation).

Protecting Custom Forms

Enable the 'Display form IDs' option temporarily to see the form ID of any custom form on your site. Then add that form ID (or a wildcard pattern) to the protected forms list. Custom webform submissions can be protected using patterns like 'webform_submission_*'.

Allowing Trusted Users to Bypass Protection

Assign the 'Skip antibot' permission to trusted roles (like administrators or content editors) so they can submit forms without antibot validation. This is useful for automated testing or for users who may have accessibility tools that don't trigger mouse/keyboard events.

Fine-Grained Form Protection Control

Use the excluded_form_ids setting to exempt specific forms from protection even when they match a wildcard pattern. For example, protect all contact forms with 'contact_message_*' but exclude a specific one with 'contact_message_newsletter' in the excluded list.

Integration with Webform Module

When the Webform module is installed, individual webforms can have Antibot protection enabled through the webform's third-party settings. The module automatically manages the form_ids configuration when webform settings are saved.

Tips

  • Use wildcard patterns (e.g., 'comment_*') to protect multiple related forms with a single entry rather than listing each form individually
  • Enable 'Display form IDs' only temporarily when setting up protection - leaving it enabled on production may expose internal form IDs
  • The 'Skip antibot' permission is useful for automated testing environments where JavaScript interaction cannot be simulated
  • Antibot works well in combination with other anti-spam modules like Honeypot for layered protection
  • Views exposed forms have special handling - they can be protected but will work on initial page load before user interaction
  • Protected forms get the 'antibot' CSS class added, which you can use for custom styling if needed

Technical Details

Admin Pages 1
Antibot settings /admin/config/user-interface/antibot

Configure which forms are protected by Antibot and enable debug mode to identify form IDs. This page allows administrators to specify form ID patterns using wildcards to protect multiple forms at once, exclude specific forms from protection, and enable a debug mode that displays form IDs on pages.

権限 2
Administer antibot configuration

Allows access to the Antibot configuration page at /admin/config/user-interface/antibot. Users with this permission can modify which forms are protected and enable/disable the form ID display debug mode. This permission is marked as restricted.

Skip antibot

Antibot protection will be completely bypassed for users with this permission. Useful for trusted administrators or for automated testing purposes.

Hooks 3
hook_antibot_form_status_alter

Allows modules to modify whether a specific form should be protected by Antibot. Called after the form ID is matched against the configured patterns.

hook_antibot_reject

React to the rejection of a form submission. Called when Antibot blocks a form submission due to missing or invalid antibot key (bot behavior detected).

hook_antibot_generate_key_alter

Alter the encrypted key generated for form validation. Allows modules to customize the key generation process.

Troubleshooting 5
Form submissions fail with 'Submission failed' error for legitimate users

Ensure the user has JavaScript enabled in their browser. If using accessibility tools or automation, consider granting the 'Skip antibot' permission to affected users.

Custom webform with custom template doesn't work with Antibot

Add the antibot fields to your custom form template: {{ element.antibot_no_js }} and {% if element.antibot_key %}{{ element.antibot_key }}{% endif %}. The conditional check for antibot_key prevents duplicate field rendering.

Forms are being submitted by bots despite Antibot protection

Some sophisticated bots can execute JavaScript and simulate mouse events. Consider combining Antibot with other spam protection measures like Honeypot or reCAPTCHA for high-value forms.

Not sure which form ID to add to protection list

Enable the 'Display form IDs' checkbox in Antibot settings. Then visit the page containing the form - the form ID and its protection status will be displayed as a message. Remember to disable this option after identifying the form ID.

Form cache not invalidating after changing Antibot settings

The module includes proper cache tag handling. If you experience caching issues, try clearing all caches via Drush (drush cr) or the Performance settings page.

Security Notes 5
  • The antibot key is generated using Drupal's cryptographic HMAC function with the site's hash salt, making it secure against prediction attacks
  • The key is shuffled before being sent to the browser and unshuffled by JavaScript, adding an additional layer of obfuscation
  • Forms without JavaScript fall back to the /antibot endpoint which displays an error, not exposing any sensitive information
  • Programmatically submitted forms (using FormState::setProgrammed()) bypass Antibot validation, allowing legitimate automated form submissions
  • The module does not store any user data or tracking information - it only validates form submissions at the time of submission