# Cap — Self-Hosted Privacy-First CAPTCHA Solution

> Cap is an open-source, self-hosted CAPTCHA system that protects web forms and APIs from bots using proof-of-work challenges instead of tracking cookies or third-party services.

## Install

Save as a script file and run:

## Quick Use

```bash
git clone https://github.com/tiagozip/cap.git
cd cap
bun install
bun run dev
```

## Introduction

Cap is an open-source CAPTCHA system designed as a privacy-respecting alternative to services like reCAPTCHA and hCaptcha. Instead of tracking users with cookies or behavioral analysis, Cap uses proof-of-work challenges that bots find computationally expensive while remaining seamless for legitimate users. It can be fully self-hosted with no data sent to external services.

## What Cap Does

- Protects web forms, login pages, and APIs from automated bot submissions
- Uses proof-of-work cryptographic challenges instead of image puzzles or tracking
- Provides a lightweight JavaScript widget for easy frontend integration
- Validates challenge responses on the server side with minimal latency
- Operates without cookies, fingerprinting, or third-party tracking scripts

## Architecture Overview

Cap consists of a server component and a client-side JavaScript widget. When a user encounters a protected form, the widget requests a challenge from the Cap server. The browser computes a proof-of-work solution, which is submitted along with the form data. The server verifies the solution cryptographically. The computational cost is trivial for a single request but becomes prohibitive for large-scale bot attacks. Built with Bun for fast server-side execution.
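The challenge, solve and verify exchange described in the architecture overview, as an added example that is not Cap's own code: a generic hashcash-style scheme in which `difficulty` is assumed to mean the number of leading zero hex digits required of a SHA-256 digest. The function names, the HMAC-signed challenge format and the in-memory replay set are all illustrative assumptions.

```javascript
// Added illustration of a hashcash-style proof of work; not taken from Cap's code base.
const { createHash, createHmac, randomBytes, timingSafeEqual } = require("node:crypto");

const SECRET = randomBytes(32); // server-side HMAC key (assumed; regenerated per process here)
const spent = new Set();        // redeemed salts; a real server would expire entries with the TTL

const sha256Hex = (s) => createHash("sha256").update(s).digest("hex");
const sign = (salt, difficulty, expires) =>
  createHmac("sha256", SECRET).update(`${salt}.${difficulty}.${expires}`).digest("hex");

// Server: issue a stateless challenge. The MAC binds salt, difficulty and expiry,
// so a client cannot lower the difficulty or extend the lifetime.
function issueChallenge(difficulty, ttlMs = 60_000, now = Date.now()) {
  const salt = randomBytes(16).toString("hex");
  const expires = now + ttlMs;
  return { salt, difficulty, expires, mac: sign(salt, difficulty, expires) };
}

// Client: brute-force a nonce. Expected work is about 16^difficulty hashes.
function solve({ salt, difficulty }) {
  const prefix = "0".repeat(difficulty);
  for (let nonce = 0; ; nonce++) {
    if (sha256Hex(`${salt}:${nonce}`).startsWith(prefix)) return nonce;
  }
}

// Server: verification costs one hash, plus integrity, expiry and single-use checks.
function verify(ch, nonce, now = Date.now()) {
  const expected = Buffer.from(sign(ch.salt, ch.difficulty, ch.expires), "hex");
  const given = Buffer.from(String(ch.mac), "hex");
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return "bad-mac";
  if (now > ch.expires) return "expired";
  if (spent.has(ch.salt)) return "replayed";
  if (!Number.isSafeInteger(nonce) || nonce < 0) return "bad-nonce";
  const digest = sha256Hex(`${ch.salt}:${nonce}`);
  if (!digest.startsWith("0".repeat(ch.difficulty))) return "wrong";
  spent.add(ch.salt); // a solution can be redeemed only once
  return "ok";
}
```

The asymmetry is the point: `solve` averages thousands of hashes at difficulty 3, while `verify` computes one hash and one HMAC regardless of difficulty.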

## Self-Hosting & Configuration

- Clone the repository and install dependencies with Bun
- Configure the server port and difficulty level in environment variables
- Adjust the proof-of-work difficulty to balance security and user experience
- Embed the client widget in your HTML forms with a simple script tag
- Deploy behind a reverse proxy for production use with TLS termination

## Key Features

- Zero tracking: no cookies, no fingerprinting, no third-party data collection
- Proof-of-work challenges that scale difficulty against automated attacks
- Lightweight client widget with minimal impact on page load times
- Simple server-side validation API for backend integration
- Self-hosted deployment giving full control over the anti-bot infrastructure

## Comparison with Similar Tools

- **reCAPTCHA** — Google-owned with extensive tracking; Cap collects no user data
- **hCaptcha** — third-party service; Cap is fully self-hosted
- **Turnstile** — Cloudflare-managed; Cap requires no external service dependency
- **Friendly Captcha** — commercial proof-of-work CAPTCHA; Cap is free and open source
- **mCaptcha** — similar proof-of-work approach; Cap uses Bun for a simpler deployment model

## FAQ

**Q: How does Cap prevent bots without image challenges?**
A: Cap uses proof-of-work cryptographic puzzles. Each request must solve a computational challenge, making mass bot requests expensive.

**Q: Does Cap work with any web framework?**
A: Yes. The client widget is a standalone JavaScript file, and the server exposes a simple HTTP API for validation.

**Q: How do I adjust difficulty for my traffic level?**
A: The difficulty parameter in the server configuration controls how many hash iterations are required per challenge.

**Q: Does Cap affect page performance?**
A: The client widget is lightweight. Proof-of-work computation runs in the background and completes in milliseconds for normal users.

## Sources

- https://github.com/tiagozip/cap

---

Source: https://tokrepo.com/en/workflows/asset-f6a55e5a
Author: Script Depot