Scripts · May 24, 2026 · 1 min read

Cap — Self-Hosted Privacy-First CAPTCHA Solution

Cap is an open-source, self-hosted CAPTCHA system that protects web forms and APIs from bots using proof-of-work challenges instead of tracking cookies or third-party services.

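Agent Ready

This asset can be read and installed directly by an Agent

TokRepo provides a universal CLI command, an install contract, metadata JSON, adapter-specific install plans, and raw content links, so an Agent can judge fit, risk, and next steps.

Native · 98/100 · Policy: Allowed
Agent entry point: Any MCP/CLI Agent
Type: Skill
Install: Single
Trust level: Established
Entry: Cap CAPTCHA
Universal CLI install command: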
npx tokrepo install f6a55e5a-5705-11f1-9bc6-00163e2b0d79

Introduction

Cap is an open-source CAPTCHA system designed as a privacy-respecting alternative to services like reCAPTCHA and hCaptcha. Instead of tracking users with cookies or behavioral analysis, Cap uses proof-of-work challenges that bots find computationally expensive while remaining seamless for legitimate users. It can be fully self-hosted with no data sent to external services.

What Cap Does

  • Protects web forms, login pages, and APIs from automated bot submissions
  • Uses proof-of-work cryptographic challenges instead of image puzzles or tracking
  • Provides a lightweight JavaScript widget for easy frontend integration
  • Validates challenge responses on the server side with minimal latency
  • Operates without cookies, fingerprinting, or third-party tracking scripts

Architecture Overview

Cap consists of a server component and a client-side JavaScript widget. When a user encounters a protected form, the widget requests a challenge from the Cap server. The browser computes a proof-of-work solution, which is submitted along with the form data. The server verifies the solution cryptographically. The computational cost is trivial for a single request but becomes prohibitive for large-scale bot attacks. The server is built with Bun for fast server-side execution.
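A minimal sketch of the challenge, solve and verify flow described above, added here as an illustration and not taken from Cap's code or wire format. It assumes a hashcash-style puzzle (leading zero bits of SHA-256) and an HMAC-signed stateless challenge; every function and field name is hypothetical.

```javascript
// Added illustration: generic hashcash-style proof-of-work, NOT Cap's actual code or format.
const crypto = require("node:crypto");

const SECRET = crypto.randomBytes(32); // server-side key (constructed for the demo)
const spent = new Set();               // redeemed challenges; use a shared TTL store in production

const sign = (salt, bits, exp) =>
  crypto.createHmac("sha256", SECRET).update(`${salt}.${bits}.${exp}`).digest("hex");

// Server: issue a stateless challenge. The MAC binds difficulty and expiry to the salt,
// so a client cannot lower the difficulty or extend the lifetime.
function issueChallenge(bits, ttlMs = 60_000, now = Date.now()) {
  const salt = crypto.randomBytes(16).toString("hex");
  const exp = now + ttlMs;
  return { salt, bits, exp, mac: sign(salt, bits, exp) };
}

// Count leading zero bits of SHA-256(salt:nonce).
function leadingZeroBits(salt, nonce) {
  const h = crypto.createHash("sha256").update(`${salt}:${nonce}`).digest();
  let n = 0;
  for (const byte of h) {
    if (byte === 0) { n += 8; continue; }
    return n + Math.clz32(byte) - 24;
  }
  return n;
}

// Client (widget role): brute-force a nonce; expected work is about 2^bits hashes.
function solve(ch) {
  let nonce = 0;
  while (leadingZeroBits(ch.salt, nonce) < ch.bits) nonce++;
  return nonce;
}

// Server: verify with one HMAC and one hash. Returns "ok" or the rejection reason.
function verify(ch, nonce, now = Date.now()) {
  const expected = Buffer.from(sign(ch.salt, ch.bits, ch.exp));
  const given = Buffer.from(String(ch.mac));
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return "bad-mac";
  if (now > ch.exp) return "expired";
  if (spent.has(ch.salt)) return "replayed";
  if (leadingZeroBits(ch.salt, nonce) < ch.bits) return "bad-solution";
  spent.add(ch.salt); // single use: the same solved challenge cannot be redeemed twice
  return "ok";
}
```

Each extra difficulty bit doubles the expected client work, while server-side verification stays at one HMAC and one hash per submission.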

Self-Hosting & Configuration

  • Clone the repository and install dependencies with Bun
  • Configure the server port and difficulty level in environment variables
  • Adjust the proof-of-work difficulty to balance security and user experience
  • Embed the client widget in your HTML forms with a simple script tag
  • Deploy behind a reverse proxy for production use with TLS termination

Key Features

  • Zero tracking: no cookies, no fingerprinting, no third-party data collection
  • Proof-of-work challenges that scale difficulty against automated attacks
  • Lightweight client widget with minimal impact on page load times
  • Simple server-side validation API for backend integration
  • Self-hosted deployment giving full control over the anti-bot infrastructure

Comparison with Similar Tools

  • reCAPTCHA — Google-owned with extensive tracking; Cap collects no user data
  • hCaptcha — third-party service; Cap is fully self-hosted
  • Turnstile — Cloudflare-managed; Cap requires no external service dependency
  • Friendly Captcha — commercial proof-of-work CAPTCHA; Cap is free and open source
  • mCaptcha — similar proof-of-work approach; Cap uses Bun for a simpler deployment model

FAQ

Q: How does Cap prevent bots without image challenges? A: Cap uses proof-of-work cryptographic puzzles. Each request must solve a computational challenge, making mass bot requests expensive.

Q: Does Cap work with any web framework? A: Yes. The client widget is a standalone JavaScript file, and the server exposes a simple HTTP API for validation.

Q: How do I adjust difficulty for my traffic level? A: The difficulty parameter in the server configuration controls how many hash iterations are required per challenge.

Q: Does Cap affect page performance? A: The client widget is lightweight. Proof-of-work computation runs in the background and completes in milliseconds for normal users.
