ALTCHA is a free, open-source, and privacy-first alternative to traditional Captchas. Instead of analyzing user behavior or asking for image identification, it uses a "Proof of Work" mechanism.
The module asks the visitor's device to solve a complex mathematical problem in the background. This is easy for a human's browser but expensive and slow for bots trying to attack en masse.
Why choose ALTCHA?
- 100% GDPR & Privacy Compliant: It is self-hosted on your server. No user data, cookies, or fingerprints are ever sent to third parties (unlike Google or hCaptcha).
- No User Interaction: It is frictionless. Legitimate users are verified silently.
- Accessible (WCAG): Designed to work with assistive technologies, removing barriers for users with disabilities.
Global Compliance
ALTCHA is the safest choice for strict legal environments. It complies with:
- Data Protection: GDPR (EU), HIPAA (US), CCPA (California), PIPEDA (Canada), LGPD (Brazil), DPDPA (India) and PIPL (China).
- Accessibility: WCAG (Web Content Accessibility Guidelines) and EAA (European Accessibility Act).
Configuration Settings
To set up ALTCHA, select it as your Captcha Provider in the module settings.
1. Generating the Secret Key
Since ALTCHA runs on your server, you do not need to register anywhere. You only need a single Secret Key to verify the solutions.
- Simply click the Generate Key button.
- The module will instantly create a secure cryptographic key (HMAC Secret) for you.

Click the Generate button to create your secure self-hosted ALTCHA Secret Key
2. Complexity Level
This setting determines how difficult the "math problem" is for the visitor's device.
- Minimal: Fastest calculation. Use this if your customers primarily use very old mobile devices.
- Low (Default): Fast calculation. Offers a good balance between security and user experience.
- Medium: Increased difficulty. Recommended if you notice automated bots bypassing the Low setting.
- High: Requires more processing power. Provides high security but may take 10-20 seconds on low-end devices.
- Very High: Maximum security. Only use this if under heavy attack, as it may cause significant delays on mobile phones.
3. Challenge Expiration (Replay Attack Protection)
Note: This setting is located in the Advanced tab of the module configuration.
This prevents spammers from "stockpiling" solved challenges to use later. A solved puzzle is only valid for a short window of time.
- Default: 300 seconds (5 minutes).
- If a user fills out a form but waits more than 5 minutes to submit it, their solution will expire. The module will automatically request a new one behind the scenes to ensure the submission goes through without errors.

ALTCHA Challenge Expiration setting in the Advanced Tab
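
The sketch below is an added example, not the module's own code. It shows how an HMAC secret and an expiry window work together in a salted-hash proof of work: the server signs the challenge, the client searches for the number, and the server rejects solutions that are stale or whose expiry was altered. The field names, the `?expires=` salt suffix, and the mapping of complexity level to `maxnumber` are assumptions made for illustration.

```python
import hashlib, hmac, secrets
from typing import Optional

def _sha(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()

def _sign(key: bytes, challenge: str) -> str:
    return hmac.new(key, challenge.encode(), hashlib.sha256).hexdigest()

def create_challenge(key: bytes, max_number: int, ttl: int, now: int) -> dict:
    """Server: issue a puzzle; the expiry travels inside the signed salt."""
    salt = f"{secrets.token_hex(12)}?expires={now + ttl}"
    challenge = _sha(salt + str(secrets.randbelow(max_number + 1)))
    return {"salt": salt, "challenge": challenge, "maxnumber": max_number,
            "signature": _sign(key, challenge)}

def solve(ch: dict) -> Optional[int]:
    """Client: brute-force search; assumed: higher complexity = larger maxnumber."""
    for n in range(ch["maxnumber"] + 1):
        if _sha(ch["salt"] + str(n)) == ch["challenge"]:
            return n
    return None

def verify(key: bytes, sol: dict, now: int) -> bool:
    """Server: check expiry, then the work, then the HMAC over the challenge."""
    expires = sol["salt"].partition("?expires=")[2]
    if not expires.isdigit() or now > int(expires):
        return False                      # stockpiled solution, too old
    if not hmac.compare_digest(_sha(sol["salt"] + str(sol["number"])), sol["challenge"]):
        return False                      # number does not solve the puzzle
    return hmac.compare_digest(_sign(key, sol["challenge"]), sol["signature"])

def demo() -> dict:
    key, t0 = secrets.token_bytes(32), 1_700_000_000   # constructed key and clock
    ch = create_challenge(key, max_number=20_000, ttl=300, now=t0)
    sol = {**ch, "number": solve(ch)}
    # Constructed tamper case: expiry pushed out and the hash recomputed without the key.
    late_salt = ch["salt"].replace(str(t0 + 300), str(t0 + 86_400))
    forged = {**sol, "salt": late_salt, "challenge": _sha(late_salt + str(sol["number"]))}
    return {"fresh": verify(key, sol, t0 + 60),
            "expired": verify(key, sol, t0 + 301),
            "tampered": verify(key, forged, t0 + 600)}

if __name__ == "__main__":
    print(demo())
```

Because the signature covers a hash that includes the expiry, changing the timestamp invalidates the signature, which is why the Secret Key must stay on the server.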