Validation & Security
Inline validation, 5 CAPTCHA providers, GDPR compliance, XSS protection, and automated data retention — everything you need to collect data safely and keep it secure
Every form is a trust boundary between your users and your database. WebForms enforces that boundary at multiple layers: client-side validation catches mistakes before submission, server-side validation blocks manipulated data, CAPTCHA stops automated abuse, and data protection controls ensure compliance with privacy regulations.
Choose from 5 CAPTCHA providers — Google reCAPTCHA v2/v3/Enterprise, Cloudflare Turnstile, and hCaptcha. GDPR tools handle consent, export, and automatic data deletion.
Input Validation
Ensure every form submission contains clean, properly formatted data. WebForms validates input both in the browser and on the server, catching errors before they reach your database.
Enhanced Inline Real-Time Validation
Validates field input as the user types, showing success or error indicators in real time. No page reload needed. Error messages appear directly below the field, and valid fields get a visual confirmation. This immediate feedback reduces form abandonment by letting users fix mistakes as they go.
Built-in Validation Rules Library
A pre-built library of validation rules covering the most common scenarios: email format, URL format, numeric ranges, minimum and maximum length, alphanumeric-only, and more. Select a rule from a dropdown in the field configuration — no regex knowledge required for standard validation needs.
Regular Expression (RegEx) Support
Apply custom regular expression patterns to validate any input format. Use cases include tax ID patterns, postal codes for specific countries, license plate formats, SKU patterns, and any domain-specific format. The regex is validated both client-side in JavaScript and server-side in PHP.
Unique Field Values Validation
Prevents duplicate submissions by checking if the entered value already exists in previous submissions. Useful for registration forms (unique email), contest entries (one per person), and booking systems (no double-booking). The check happens server-side against the submission database.
Client-Side Validation
All validation rules execute in the browser before the form is submitted. Users see immediate feedback without waiting for a server round-trip. Client-side validation runs on blur (when leaving a field) and on submit, covering both incremental and final checks.
Server-Side Validation
Every submission is re-validated on the server regardless of client-side results. This protects against manipulated form data, disabled JavaScript, and automated submissions that bypass the browser. Server-side validation is the last line of defense before data enters your system.
Instant Error Feedback
Validation errors display immediately inline below the affected field with a clear message explaining what needs to be fixed. The form scrolls to the first error automatically. No full page reload required — the user stays in context and can fix the issue without losing their progress.
Field Masks for Special Input Formats
Apply input masks that enforce a specific format as the user types. For example, a phone mask automatically inserts dashes and parentheses as digits are entered. Masks guide the user visually while ensuring the stored value matches the expected format. Supported for dates, phone numbers, and custom patterns.
Advanced Customizable Validation
Chain multiple validation rules on a single field for complex requirements. For example, a field can be required AND must match a regex pattern AND must be unique across submissions. Rules execute in the configured order; evaluation stops at the first failing rule, and that rule's own error message is shown to the user.
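As an added example (not WebForms' own code), the following JavaScript models the rule library, regex rules, the unique-value check and rule chaining described above. Rules run in order and evaluation stops at the first failure, which supplies the inline message; the same definitions are meant to run in the browser on blur/submit and again on the server, so a client that skips validation gains nothing. The rule names, the `ctx.existing` set standing in for the submission database, and the registration schema are assumptions constructed for this example.

```javascript
// Added example, not WebForms' own code. Rule factories return a function
// (value, ctx) -> null when valid, otherwise the error message to display.
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

const rules = {
  required: () => (value) =>
    value === undefined || value === null || String(value).trim() === ''
      ? 'This field is required.' : null,
  email: () => (value) =>
    EMAIL_RE.test(String(value)) ? null : 'Enter a valid email address.',
  maxLength: (n) => (value) =>
    String(value).length <= n ? null : `Use at most ${n} characters.`,
  range: (min, max) => (value) => {
    const num = Number(value);
    return Number.isFinite(num) && num >= min && num <= max
      ? null : `Enter a number between ${min} and ${max}.`;
  },
  // Custom pattern kept as a string so one definition can be stored in the
  // form configuration and evaluated by both the client and the server.
  regex: (pattern, message) => (value) =>
    new RegExp(pattern).test(String(value)) ? null : message,
  // Uniqueness is a server-side check: ctx.existing holds the values already
  // stored for this field (a constructed Set here, a database query in practice).
  unique: () => (value, ctx) =>
    ctx.existing.has(String(value).trim().toLowerCase())
      ? 'This value has already been submitted.' : null,
};

// Runs one field's chain in order; the first failing rule ends evaluation.
function validateField(value, chain, ctx = { existing: new Set() }) {
  for (const rule of chain) {
    const error = rule(value, ctx);
    if (error !== null) return { valid: false, error };
  }
  return { valid: true, error: null };
}

// Validates a whole submission; returns per-field messages for inline display.
function validateSubmission(data, schema, ctx) {
  const errors = {};
  for (const [field, chain] of Object.entries(schema)) {
    const result = validateField(data[field], chain, ctx);
    if (!result.valid) errors[field] = result.error;
  }
  return { valid: Object.keys(errors).length === 0, errors };
}

// Constructed schema for a registration form: email must be present, well
// formed and unique; postcode must match a five-digit pattern; age in range.
const registrationSchema = {
  email: [rules.required(), rules.email(), rules.unique()],
  postcode: [rules.required(), rules.regex('^[0-9]{5}$', 'Enter a five-digit postal code.')],
  age: [rules.required(), rules.range(18, 120)],
};
```

On the server the caller builds `ctx.existing` from the stored submissions for that field before calling `validateSubmission`; in the browser it passes an empty set, so the unique rule can only ever fail server-side, which is exactly where that decision belongs.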
Anti-Spam & CAPTCHA
Five CAPTCHA providers plus invisible protection techniques. Choose the anti-spam solution that fits your privacy requirements, user experience goals, and compliance needs.
Google reCAPTCHA v2
The classic "I am not a robot" checkbox challenge. When clicked, Google analyzes browser behavior to determine if the user is human. If uncertain, it presents an image selection puzzle. Effective against basic bots. Configurable per form — enable reCAPTCHA on high-risk forms and disable it on internal ones.
Google reCAPTCHA v3
Invisible, score-based bot detection that runs in the background without any user interaction. Google assigns a score from 0.0 (likely bot) to 1.0 (likely human) based on browsing behavior. You configure the threshold score in WebForms — submissions below the threshold are blocked. Zero friction for legitimate users.
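The server-side half of the v3 flow, as an added example that is not WebForms' own code: it assumes the form handler has already POSTed the browser's token and the secret key to Google's siteverify endpoint and parsed the JSON reply, and it decides whether to accept the submission. Beyond the score threshold the page describes, it also checks the fields that reply carries (`success`, `action`, `hostname`, `challenge_ts`), because a high score on a token minted for a different form or another site is still not a valid proof. The `expected` context, threshold and sample replies are constructed for the example; their names are not WebForms configuration keys.

```javascript
// Added example, not WebForms' own code: decide on a parsed reCAPTCHA v3
// siteverify reply. Network I/O (the POST to Google) is assumed done already.
const TOKEN_MAX_AGE_MS = 2 * 60 * 1000; // v3 tokens are valid for two minutes
const CLOCK_SKEW_MS = 30 * 1000;        // tolerate small clock differences

function evaluateRecaptchaV3(reply, expected, threshold, now = Date.now()) {
  // 1. Google must have accepted the token (wrong secret, reused or malformed token -> false).
  if (reply.success !== true) {
    const codes = Array.isArray(reply['error-codes']) ? reply['error-codes'].join(',') : 'unknown';
    return { allow: false, reason: `verification failed: ${codes}` };
  }
  // 2. The token must have been minted for this form's action, not lifted from another page.
  if (reply.action !== expected.action) {
    return { allow: false, reason: `action mismatch: ${reply.action}` };
  }
  // 3. The token must have been solved on our hostname.
  if (reply.hostname !== expected.hostname) {
    return { allow: false, reason: `hostname mismatch: ${reply.hostname}` };
  }
  // 4. Reject stale tokens even when Google reports success.
  const age = now - Date.parse(reply.challenge_ts);
  if (!Number.isFinite(age) || age < -CLOCK_SKEW_MS || age > TOKEN_MAX_AGE_MS) {
    return { allow: false, reason: 'token expired or timestamp invalid' };
  }
  // 5. Score: 0.0 is "likely bot", 1.0 "likely human"; block anything under the threshold.
  if (typeof reply.score !== 'number' || reply.score < threshold) {
    return { allow: false, reason: `score ${reply.score} below threshold ${threshold}` };
  }
  return { allow: true, reason: `score ${reply.score}` };
}

// Constructed siteverify replies in the documented shape (not real Google data).
const expectedContext = { action: 'contact_form', hostname: 'shop.example.com' };
const checkedAt = Date.parse('2024-05-01T10:01:00Z');
const replies = {
  human:    { success: true, score: 0.9, action: 'contact_form', challenge_ts: '2024-05-01T10:00:30Z', hostname: 'shop.example.com' },
  bot:      { success: true, score: 0.1, action: 'contact_form', challenge_ts: '2024-05-01T10:00:30Z', hostname: 'shop.example.com' },
  replayed: { success: true, score: 0.9, action: 'newsletter',   challenge_ts: '2024-05-01T10:00:30Z', hostname: 'shop.example.com' },
  stale:    { success: true, score: 0.9, action: 'contact_form', challenge_ts: '2024-05-01T09:50:00Z', hostname: 'shop.example.com' },
  rejected: { success: false, 'error-codes': ['timeout-or-duplicate'] },
};
```

The reason string is what belongs in the server log when a submission is blocked; it lets an admin tune the threshold from observed scores rather than guessing. Checkbox providers return the same `success`/`challenge_ts`/`hostname` fields without a score, so steps 1 to 4 apply to them unchanged.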
Google reCAPTCHA Enterprise
Enterprise-grade bot detection with advanced risk analysis, detailed reason codes, and a management console. Provides granular risk scores with explanations of why a submission was flagged. Required for high-security environments and organizations already using Google Cloud security services.
Cloudflare Turnstile
A privacy-first CAPTCHA alternative from Cloudflare. Verifies users through non-intrusive browser challenges without tracking cookies or fingerprinting. No puzzles, no checkboxes — fully invisible to the user. Particularly suitable for GDPR-conscious businesses that want to avoid Google data processing.
hCaptcha
Privacy-focused CAPTCHA with strong accessibility support. Offers both checkbox and invisible modes. Unlike reCAPTCHA, hCaptcha does not track users across sites. Compliant with GDPR, CCPA, and LGPD privacy regulations out of the box. Supports audio challenges for visually impaired users.
Security & Data Protection
Protect submitted data at every stage — in transit, at rest, and during processing. WebForms handles HTTPS encryption, XSS sanitization, CSRF protection, GDPR compliance, and automated data retention out of the box.
GDPR Compliance Features
Built-in tools for GDPR compliance: consent checkboxes with configurable text, personal data export for subject access requests, and one-click deletion of all data associated with an email address. Consent records include timestamp and IP address for audit purposes. Works with Magento's native privacy tools.
Personal Data Cleanup Schedules
Automatically deletes personal data from form submissions after a configurable retention period. Set different retention periods per form — keep support tickets for 2 years but delete contest entries after 30 days. Cleanup runs via Magento cron and logs every deletion for compliance records.
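The selection and deletion step such a cron job performs, as an added example (not WebForms' own cleanup code). Retention periods are given per form in days, submissions for forms without a policy are never auto-deleted, and every deletion writes one audit line that names identifiers only, never the personal data being erased. The in-memory store, the sample submissions and the policy values (taken from the page's own 2-year/30-day example) are constructed for the example.

```javascript
// Added example, not WebForms' own code: per-form retention cleanup.
const DAY_MS = 24 * 60 * 60 * 1000;

// Returns the submissions whose retention period has elapsed as of `now`.
function selectExpired(submissions, retentionDays, now) {
  return submissions.filter((s) => {
    const days = retentionDays[s.formId];
    if (days === undefined) return false; // no policy configured: keep
    return Date.parse(s.submittedAt) + days * DAY_MS <= now;
  });
}

// Deletes expired submissions and their files, appending one audit line each.
// The log records identifiers only, never the personal data being erased.
function runCleanup(store, retentionDays, now, auditLog) {
  const expired = selectExpired(store.submissions, retentionDays, now);
  const expiredIds = new Set(expired.map((s) => s.id));
  store.submissions = store.submissions.filter((s) => !expiredIds.has(s.id));
  for (const s of expired) {
    for (const fileId of s.fileIds) store.files.delete(fileId);
    auditLog.push(
      `${new Date(now).toISOString()} retention: deleted submission ${s.id} ` +
      `(form ${s.formId}, ${s.fileIds.length} file(s), ${retentionDays[s.formId]}-day policy)`
    );
  }
  return expired.length;
}

// Constructed policies: support tickets kept 2 years, contest entries 30 days.
const retentionDays = { support: 730, contest: 30 };

// Constructed stand-in for the submission table and file storage.
function sampleStore() {
  return {
    submissions: [
      { id: 'S-1', formId: 'support',  submittedAt: '2024-04-01T00:00:00Z', fileIds: ['F-1'] },
      { id: 'S-2', formId: 'contest',  submittedAt: '2024-04-01T00:00:00Z', fileIds: ['F-2', 'F-3'] },
      { id: 'S-3', formId: 'contest',  submittedAt: '2024-05-20T00:00:00Z', fileIds: [] },
      { id: 'S-4', formId: 'feedback', submittedAt: '2020-01-01T00:00:00Z', fileIds: [] }, // no policy
    ],
    files: new Map([['F-1', 'bytes'], ['F-2', 'bytes'], ['F-3', 'bytes']]),
  };
}
```

Run against the sample store on 2024-06-01, only S-2 (a contest entry older than 30 days) is removed together with its two files; the support ticket of the same date and the policy-less feedback entry stay.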
HTTPS Encrypted Data Transmission
All form data is transmitted over HTTPS with TLS encryption. File uploads, personal information, and payment-related data are encrypted in transit between the browser and server. WebForms enforces HTTPS for form actions — submissions over plain HTTP are rejected to prevent data interception.
CSRF Token Protection
Every form includes a unique CSRF (Cross-Site Request Forgery) token that validates the submission originated from your site. Tokens are generated per session and expire after use. This prevents attackers from tricking users into submitting forms from malicious sites. Built into Magento's form key system.
XSS Protection
All user-submitted content is sanitized before storage and display to prevent cross-site scripting attacks. HTML tags, JavaScript, and malicious payloads are stripped or escaped. WYSIWYG editor output is cleaned through a whitelist of allowed tags. Admin panel displays submitted data through Magento's built-in escaping layer.
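The two treatments named above, as an added example that is not the extension's code: plain text fields are escaped in full, while WYSIWYG content keeps a small whitelist of formatting tags and nothing else. Attributes are dropped from allowed tags and every other tag is turned into visible text, so event handlers, `javascript:` URLs and `<script>` blocks cannot survive. The tag whitelist is an assumption for the example.

```javascript
// Added example, not WebForms' own code: output escaping for text fields and a
// whitelist-based cleaner for rich-text fields.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape everything: what is stored or displayed can never be parsed as markup.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Constructed whitelist: formatting only, no links, images, forms or scripts.
const ALLOWED_TAGS = new Set(['p', 'br', 'b', 'strong', 'i', 'em', 'ul', 'ol', 'li']);
const TAG_RE = /<\/?([a-zA-Z][a-zA-Z0-9]*)[^>]*>/g;

// Keep allowed tags (attributes stripped), escape all other markup as text.
function sanitizeRichText(html) {
  const input = String(html);
  let out = '';
  let last = 0;
  for (const match of input.matchAll(TAG_RE)) {
    out += escapeHtml(input.slice(last, match.index)); // text between tags
    const tag = match[1].toLowerCase();
    const closing = match[0][1] === '/';
    if (ALLOWED_TAGS.has(tag)) {
      out += closing ? `</${tag}>` : `<${tag}>`; // attributes deliberately dropped
    } else {
      out += escapeHtml(match[0]); // unknown tag becomes inert literal text
    }
    last = match.index + match[0].length;
  }
  out += escapeHtml(input.slice(last));
  return out;
}
```

Every `<` in the output either opens one of the nine whitelisted, attribute-free tags or has been escaped, which is what makes the cleaner easy to reason about; an unclosed `<script` with no `>` simply never matches the regex and is escaped with the surrounding text. For production use the equivalent role is played by a maintained library (HTML Purifier on the PHP side), whose whitelist also handles nesting and entity edge cases this short version does not.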
Secure File Storage
Uploaded files are stored with randomized path names outside predictable URL patterns. Direct URL access is blocked — files are served through a controller that checks permissions. Only the original submitter and authenticated admin users can access uploaded files. File metadata is stored separately from file content.
Data Privacy Controls
Granular admin settings control what data is collected and how long it is kept. Disable IP address logging on forms where it is not needed. Choose whether to store submission data in the database, send it only via email, or both. Per-form retention policies let you balance data utility against privacy risk.
CAPTCHA Provider Comparison
All five providers are built in. Choose based on your privacy requirements, user experience goals, and existing infrastructure.
Frequently Asked Questions
WebForms supports five CAPTCHA providers: Google reCAPTCHA v2 (checkbox), Google reCAPTCHA v3 (invisible score-based), Google reCAPTCHA Enterprise, Cloudflare Turnstile, and hCaptcha. Each can be enabled per form, so you can use different providers on different forms.
WebForms uses a dual-layer validation system. Client-side validation runs in the browser as users fill out the form, providing immediate inline feedback. Server-side validation re-checks all data after submission to protect against manipulated requests. Both layers use the same rule set configured in the admin panel. Supported rules include required fields, email/URL format, numeric ranges, regex patterns, and unique value checks.
WebForms includes built-in GDPR compliance tools: configurable consent checkboxes, personal data export for subject access requests, one-click deletion of all data linked to an email address, and automatic data cleanup schedules. Consent records include timestamps and IP addresses for audit trails. These features work alongside Magento's native privacy framework.
In the WebForms form editor, open the form settings and navigate to the CAPTCHA section. Select your preferred provider (reCAPTCHA v2, v3, Enterprise, Turnstile, or hCaptcha), enter your site key and secret key, and save. The CAPTCHA is added to the form automatically. No template changes or custom code required. You can set different CAPTCHA providers per form.
Yes. Cloudflare Turnstile is fully supported as an alternative to Google reCAPTCHA. Turnstile verifies users without tracking cookies or visual puzzles, making it a strong choice for privacy-conscious businesses. Configure it in the form settings with your Turnstile site key and secret key. It works identically to reCAPTCHA from the admin perspective.
When a submission reaches the configured retention period, WebForms automatically deletes the submission data, including uploaded files, from the database via Magento cron. Deletion is permanent and logged for compliance purposes. You can set different retention periods per form and choose to keep or delete files independently from submission records.
All user input is sanitized before storage using Magento's built-in escaping and filtering framework. HTML tags and JavaScript are stripped from text fields. WYSIWYG content goes through a tag whitelist that allows formatting markup but blocks scripts. When displaying submission data in the admin panel, values are escaped through Magento's output security layer to prevent stored XSS.
Secure Forms, Trusted Data
5 CAPTCHA providers, dual-layer validation, GDPR compliance, and automated data retention — built into every form