Cap
Self-hosted CAPTCHA without Google, tracking, and visual puzzles
AI Summary
Cap is a self-hosted CAPTCHA alternative to reCAPTCHA and hCaptcha that works completely without visual puzzles, tracking, and third-party services. The tool uses Proof-of-Work (SHA-256) and browser instrumentation for bot detection and is extremely lightweight at only 20kb. Cap is open source (Apache 2.0), GDPR-compliant, and can be run on any server with a Docker container.
✓ Pros
- + Fully self-hosted without external dependencies or tracking
- + Open source (Apache 2.0) and extremely small (20kb vs. 600kb+ for hCaptcha)
- + No visual puzzles, GDPR-compliant, and compatible with reCAPTCHA APIs
✗ Cons
- − Requires own server infrastructure and technical setup (Docker)
- − No cloud solution with immediate use like commercial providers
Use Cases
- → Form protection on websites without sending data to Google or Cloudflare
- → API protection against automated abuse while maintaining a whitelist for trusted clients
- → GDPR-compliant bot defense for European websites and SaaS applications
- → Migration from reCAPTCHA/hCaptcha to a self-hosted privacy-first solution
Who is it for?
Developers and website operators seeking privacy-friendly bot defense without third-party tracking and willing to operate their own infrastructure.
Tags
What is Cap?
Cap is a self-hosted CAPTCHA alternative to reCAPTCHA and hCaptcha. Instead of visual puzzles, Cap uses Proof-of-Work (SHA-256) and browser instrumentation to distinguish bots from human traffic. The entire system runs on your own infrastructure, with no data sent to Google, Cloudflare or any other third party. Cap is open source under Apache 2.0 and, at 20kb, considerably lighter than hCaptcha, which weighs in at over 600kb.
Core features
- Proof-of-Work verification via SHA-256 combined with browser instrumentation for bot detection, without presenting users with image puzzles
- Fully self-hosted via Docker container, with no external dependencies or callbacks to third-party services
- GDPR compliance through the absence of any tracking and the processing of personal data outside your own infrastructure
- API compatibility with reCAPTCHA, which simplifies migrating existing integrations
- Whitelist functionality for trusted clients when protecting APIs against automated abuse
Who is Cap for?
Cap is aimed at developers and website operators who want to replace existing CAPTCHA services because the tracking model of reCAPTCHA or hCaptcha does not suit them. It is particularly relevant for European SaaS products and websites where data protection authorities scrutinise the use of external services. A prerequisite is your own server infrastructure. Without Docker knowledge, setup becomes a hurdle. There is no cloud option with a ready-to-use endpoint.
Context & alternatives
Cap belongs to the growing category of privacy-first security tools that replace commercial services with self-hosted alternatives. Direct alternatives are hCaptcha and Google reCAPTCHA, both cloud-based and tied to tracking. Friendly Captcha also offers a Proof-of-Work approach but operates as a hosted service. Those who need full data control on their own infrastructure and are willing to run a Docker setup will find Cap the more consistent choice.
