Fully hidden captcha for Laravel without reCaptcha

7.4.2 2023-06-12 09:30 UTC



Fully hidden spam protection solution for Laravel without reCaptcha. Based on several strategies to block the vast majority of spam bots without interfering with the user experience.

How does it work?

HiddenCaptcha uses three checks to block spam robots:

  • an encrypted token containing the user's IP, current session id, current user agent and a random string
  • a randomly named required field (will use the random string in the token)
  • a time limit (10 minutes by default)

The token is retrieved via an ajax call signed with sha256.
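
The three checks above as a self-contained PHP sketch. This is an added example, not the package's own code: the function names, the token layout, the `_captcha` field name and the use of libsodium's secretbox (ext-sodium) for the encrypted token are assumptions.

```php
<?php
// Added illustration, not the package's code: token layout, the "_captcha"
// field name and the libsodium secretbox encryption are assumptions.

function issueToken(string $key, string $ip, string $sid, string $ua, int $now): array
{
    $field = 'f_' . bin2hex(random_bytes(8)); // random name of the required field
    $json  = json_encode(['ip' => $ip, 'sid' => $sid, 'ua' => $ua, 'ts' => $now, 'field' => $field]);
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    return [base64_encode($nonce . sodium_crypto_secretbox($json, $nonce, $key)), $field];
}

function checkSubmission(string $key, array $post, string $ip, string $sid, string $ua,
                         int $now, int $min = 0, int $max = 1200): bool
{
    $raw = is_string($post['_captcha'] ?? null) ? base64_decode($post['_captcha'], true) : false;
    $minLen = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if ($raw === false || strlen($raw) < $minLen) {
        return false; // missing or malformed token
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $json  = sodium_crypto_secretbox_open(substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES), $nonce, $key);
    if ($json === false) {
        return false; // forged or tampered token fails authentication
    }
    $t = json_decode($json, true);
    // Rule 1: the token must be bound to this client (IP, session id, user agent).
    if (!hash_equals($t['ip'], $ip) || !hash_equals($t['sid'], $sid) || !hash_equals($t['ua'], $ua)) {
        return false;
    }
    // Rule 2: the randomly named field carried in the token must be submitted.
    if (!array_key_exists($t['field'], $post)) {
        return false;
    }
    // Rule 3: the elapsed time must fall inside the [min, max] window (seconds).
    $elapsed = $now - $t['ts'];
    return $elapsed >= $min && $elapsed <= $max;
}

// Constructed sample values: valid submission, wrong IP, expired, missing field.
$key = sodium_crypto_secretbox_keygen();
[$token, $field] = issueToken($key, '203.0.113.7', 'sess-abc', 'Mozilla/5.0', 1000);
$post = ['_captcha' => $token, $field => '', 'email' => 'a@example.test'];
var_dump(checkSubmission($key, $post, '203.0.113.7', 'sess-abc', 'Mozilla/5.0', 1030));
var_dump(checkSubmission($key, $post, '198.51.100.9', 'sess-abc', 'Mozilla/5.0', 1030));
var_dump(checkSubmission($key, $post, '203.0.113.7', 'sess-abc', 'Mozilla/5.0', 2201));
var_dump(checkSubmission($key, ['_captcha' => $token], '203.0.113.7', 'sess-abc', 'Mozilla/5.0', 1030));
```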


composer require sebastienheyd/hidden-captcha

Publish public assets:

php artisan vendor:publish --tag=laravel-assets

Extra steps for Laravel < 5.5 :

  • Add SebastienHeyd\HiddenCaptcha\HiddenCaptchaServiceProvider::class, at the end of the provider array in config/app.php
  • Add "HiddenCaptcha" => SebastienHeyd\HiddenCaptcha\Facades\HiddenCaptcha::class, at the end of the aliases array in config/app.php


In your forms, in the Blade view:


To check your form, add the following validation rule:

'captcha' => 'hiddencaptcha'


Changing time limits

By default, the time limits for submitting a form are 0 seconds minimum to 1200 seconds maximum (10 minutes). Outside these limits, hiddencaptcha will not validate the form.

These limits can be changed by declaring them in the validation rule, for example:

$rules = ['captcha' => 'hiddencaptcha:5,2400'];

You can also publish the configuration file to edit the default time limits:

php artisan vendor:publish --tag=captcha-config

Package update (Laravel < 8.6.9)

Hidden-captcha comes with a JS file that must be published. Since you will typically need to overwrite the assets every time the package is updated, you may use the --force flag:

php artisan vendor:publish --tag=laravel-assets --force

To update the assets automatically each time the package is updated, you can add this command to post-update-cmd in the composer.json file at the root of your project.

    "scripts": {
        "post-update-cmd": [
            "@php artisan vendor:publish --tag=laravel-assets --force --ansi"
        ]
    }