Cap

Self-hosted bot protection, honestly reviewed. No marketing fluff — just what you actually get when you stop renting protection from Google.

TL;DR

• What it is: Open-source (Apache 2.0) CAPTCHA replacement using SHA-256 proof-of-work and JavaScript instrumentation challenges — no images, no tracking, no third-party dependency [2][README].
• Who it’s for: Developers and technical founders who are done with reCAPTCHA’s Google data tax, hCaptcha’s paid tiers, or Cloudflare Turnstile’s lock-in. Requires self-hosting.
• Cost savings: reCAPTCHA is nominally free but costs you user data. hCaptcha’s commercial plans run $0–hundreds per month depending on volume. Cap self-hosted runs on any VPS for the cost of the server.
• Key strength: Brutally small footprint — ~20kb, zero dependencies, loads in milliseconds. The entire thing is 250x smaller than hCaptcha’s widget [README]. No cookies, no behavioral fingerprinting, no data sent anywhere.
• Key weakness: Proof-of-work is not a silver bullet. Sophisticated bot operators can solve SHA-256 challenges computationally. Cap’s instrumentation layer raises the bar significantly, but there are no independent third-party audits of its effectiveness in production at scale available at time of writing.

---

What is Cap

Cap is a CAPTCHA replacement that throws out the image-puzzle model entirely. Instead of asking users to click traffic lights or fire hydrants, it runs a SHA-256 proof-of-work computation in the browser — the client solves a cryptographic puzzle, submits the proof, and the server validates it. No images. No behavioral tracking. No request to Google’s or Cloudflare’s servers [README][2].

The project adds a second layer on top of pure proof-of-work called “instrumentation challenges.” These are JavaScript-based checks that analyze how the browser environment behaves — catching headless browsers, automated frameworks, and common scraping setups that can trivially solve hash puzzles but can’t fake a full browser fingerprint convincingly [2].

The pitch is straightforward: it’s a widget you drop onto your form that looks like a simple checkbox, verifies server-side against your own Cap backend, and sends zero data to any third party. The server component runs as a Docker container on your own infrastructure [2].

Cap sits at 5,105 GitHub stars as of this review. It’s an Apache 2.0 project — meaning you can use it, modify it, and embed it in commercial products without restriction [README]. The creator is tiago (tiago.zip), and the project earned the OpenSSF Best Practices badge, which requires meeting a checklist of security hygiene criteria [README].

---

Why People Choose It

Independent review coverage for Cap is thin — it’s a focused developer tool in a niche that doesn’t attract the “Zapier replacement” level of enthusiast content. What exists is mostly GitHub discussions and the project’s own documentation. That’s not a red flag by itself; it’s a younger project with a specific audience. But it does mean the “five-review synthesis” approach used for mature tools isn’t available here.

What is clear from the positioning: the decision to use Cap is almost always driven by one of three frustrations.

Frustration 1: Google’s data tax. reCAPTCHA is technically free. You pay with your users’ behavioral data — reCAPTCHA v3 continuously scores user behavior and that data flows to Google’s servers. For founders building products where user privacy is a selling point (legal tools, financial apps, healthcare adjacent), feeding form interaction data to Google is a problem. Cap sends nothing [README].

Frustration 2: hCaptcha’s pricing ceiling. hCaptcha has a free tier and a publisher reward program, but once you need guaranteed SLAs, advanced analytics, or higher volume thresholds, you’re looking at paid enterprise plans where pricing is contact-sales territory. Cap’s ceiling is your VPS bill.

Frustration 3: Cloudflare Turnstile’s dependency chain. Turnstile is free and privacy-respecting relative to reCAPTCHA, but it requires routing your traffic through Cloudflare or at minimum depending on their token validation endpoint. If Cloudflare has an incident, your CAPTCHAs stop working. Cap’s verification happens on your own infrastructure [2].

The technical differentiator that matters: Cap’s siteverify API is deliberately compatible with the reCAPTCHA siteverify format [2]. That means if you’ve already built reCAPTCHA integration, swapping to Cap requires changing the endpoint URL and secret — not rewriting your backend verification logic.

---

Features

Based on the official documentation and README:

Core challenge engine:

• SHA-256 proof-of-work challenges — computationally verifiable, no images or user judgment required [README]
• JavaScript instrumentation challenges — browser environment analysis that catches headless browsers and automation frameworks [2]
• Headless browser detection (optional, enabled per site key in the dashboard) [2]
• Programmatic mode — hide the widget entirely and solve challenges silently in the background, for flows where a visible widget would be disruptive [README]
• M2M (machine-to-machine) mode — protect APIs that legitimate automated clients need to access while blocking hostile bots [README]

Integration surface:

• Web widget (~20kb, zero dependencies) added via a single HTML element [README]
• data-cap-api-endpoint attribute routes the widget to your own instance [2]
• siteverify POST endpoint compatible with reCAPTCHA’s API format — existing integrations can swap with minimal code change [2]
• CSS variable customization for colors, size, position, and icons [README]
• Works across JavaScript runtimes — can embed in Next.js, plain HTML, or any framework [README]

Standalone server (self-hosted backend):

• Runs on Bun, ~50MB idle RAM [2]
• Docker Compose deployment with Valkey (Redis fork) for token storage [2]
• Web dashboard for managing multiple site keys [2]
• Analytics included in the dashboard [2]
• ADMIN_KEY authentication for dashboard access [2]

What’s missing or unclear:

• No hosted/managed cloud option mentioned in the docs — it’s self-host only
• No documented rate of false positives or effectiveness benchmarks against commercial alternatives (the docs link to an “effectiveness” guide, but detailed production metrics from independent tests are not publicly available)
• No team access controls or RBAC for the dashboard mentioned in documentation

---

Pricing: SaaS vs Self-Hosted Math

This is where Cap’s story is simple.

Cap (self-hosted):

• Software license: $0 (Apache 2.0) [README]
• VPS to run the Docker container: $4–10/mo (Hetzner, Contabo, DigitalOcean)
• Valkey (Redis fork): bundled in the Docker Compose file [2]

reCAPTCHA:

• Free — but you hand Google your users’ interaction data. Enterprise tier (reCAPTCHA Enterprise) charges per assessment past free-tier limits, running $1 per 1,000 assessments.

hCaptcha:

• Free tier available (with required completion of hCaptcha’s publisher program)
• Paid plans: pricing not publicly listed at scale; enterprise pricing is contact-sales

Cloudflare Turnstile:

• Free at current tiers, but tied to Cloudflare’s infrastructure

Concrete math for a typical web app: If you’re running hCaptcha or reCAPTCHA at low-to-medium volume, the monetary cost is near zero — the cost is in data sovereignty and vendor dependency, not dollars. Cap’s value proposition isn’t primarily about saving a monthly SaaS bill. It’s about owning the full stack: no third-party endpoint in your users’ critical path, no data leaving your infrastructure, no vendor to discontinue a free tier.

For teams actively paying for reCAPTCHA Enterprise or hCaptcha business plans, the math changes. A $6/mo Hetzner VPS running Cap Standalone replaces whatever that bill is. But if you’re on a free tier of a commercial CAPTCHA, Cap’s financial case is “infrastructure cost for control” rather than “cancel your subscription.”

---

Deployment Reality Check

The deployment path is documented and Docker-first [2]. Cap Standalone needs two containers: the Cap server and a Valkey instance. The Docker Compose file in the docs handles both.

What you need:

• A Linux VPS with enough RAM to spare ~50MB for Cap (any modern $4/mo VPS works)
• Docker and docker-compose
• A publicly reachable URL — the widget running in users’ browsers needs to reach your Cap instance directly [2]
• A reverse proxy (Caddy, nginx) if you want HTTPS, which you do for any production use
• A strong ADMIN_KEY (docs recommend 32+ characters) [2]

What can go sideways:

First, the public reachability requirement is a real constraint. If you’re running Cap behind a private network or aggressive firewall, the client-side widget can’t reach the backend. The docs note this explicitly: “Your Cap Standalone instance must be publicly reachable from the internet so the widget can communicate with it.” [2] This is the same constraint as any client-verified CAPTCHA, but it’s worth flagging for anyone who assumed all validation would happen server-to-server.

Second, instrumentation challenges are enabled by default and the docs recommend keeping them on [2]. This is the right call for bot resistance, but if you have users on unusual browsers, locked-down corporate environments, or aggressive privacy extensions that interfere with JavaScript execution, you should test your specific user population before committing to instrumentation-required mode.

Third, the project is maintained by a solo developer (tiago) as of this review. The OpenSSF badge and 5,105 stars suggest serious engineering discipline, but you should factor maintainer concentration risk into any long-term dependency decision.

Realistic time estimate for a developer: 30–45 minutes from a blank VPS to a working Cap instance with HTTPS and a configured site key. The Docker Compose approach is clean. If you’ve never used Docker Compose before: budget a full afternoon.

---

Pros and Cons

Pros

• Zero data to third parties. Cap sends no telemetry, behavioral data, or user information anywhere except your own server [README]. This is the clearest differentiator from reCAPTCHA and hCaptcha.
• Apache 2.0 license. Genuinely permissive — use it in commercial products, embed it in your SaaS, redistribute it. No “fair-code” restrictions, no commercial license required [README].
• Tiny footprint. ~20kb with zero dependencies versus hCaptcha’s 5MB+ widget. The performance difference on slow connections or mobile is measurable [README].
• reCAPTCHA-compatible siteverify API. If you’ve already written backend verification against reCAPTCHA’s API, migrating is a config change, not a rewrite [2].
• Instrumentation layer. Pure proof-of-work is trivially solvable by bots with GPU compute. Cap’s instrumentation challenges add browser environment analysis that raises the cost of bypassing significantly [2].
• Dashboard with analytics. The standalone server includes a web UI for managing site keys and viewing analytics — you’re not flying blind [2].
• M2M support. Most CAPTCHA alternatives fall apart when you need to protect an API that legitimate bots also need to access. Cap has a specific mode for this [README].
• OpenSSF Best Practices badge. Not a comprehensive security audit, but it signals the project meets a baseline of security hygiene standards [README].

Cons

• No independent effectiveness data. Cap’s own docs link to an effectiveness guide, but there are no published independent benchmarks, bypass success rates, or production case studies from large deployments available at time of writing. Commercial alternatives have years of adversarial testing at scale.
• Solo maintainer risk. A project this focused and this small is vulnerable to the maintainer losing interest. No organizational backing is visible.
• Self-host only. There’s no managed cloud option. If you want Cap, you run it. For non-technical founders, this is a real barrier.
• Proof-of-work has CPU cost. Legitimate users solve hash challenges on their devices. On mobile or low-powered hardware, this adds latency. Cap’s ~20kb widget size doesn’t offset this if the challenge difficulty is high.
• Headless browser detection is optional, not default. The instrumentation challenges are on by default; headless browser detection requires explicit opt-in per site key [2]. Easy to forget.
• No documented RBAC for dashboard. A single ADMIN_KEY controls the dashboard. No multi-user access, no read-only roles mentioned in the docs.
• Public endpoint required. Your Cap backend must be reachable from the internet — it can’t live on a purely internal network [2].
• No third-party review record. Limited external validation of how it performs against real bot traffic in production.

---

Who Should Use This / Who Shouldn’t

Use Cap if:

• You’re building something where sending user data to Google (reCAPTCHA) or Cloudflare (Turnstile) is a genuine problem — HIPAA-adjacent, legal, financial, or privacy-first products.
• You have a developer on the team (or are one yourself) who can manage a Docker container on a VPS.
• You’re already paying reCAPTCHA Enterprise or hCaptcha business-tier rates and want to cut the dependency.
• You need M2M protection for APIs that legitimate automated clients also use.
• You want to drop CAPTCHA verification into a product you’re reselling or embedding in other software — Apache 2.0 covers this.

Skip it (stay on Cloudflare Turnstile) if:

• You’re already behind Cloudflare and Turnstile is free. The privacy profile is better than reCAPTCHA, the integration is trivial, and adding another self-hosted service isn’t worth it unless you have a specific objection to Cloudflare.

Skip it (stay on reCAPTCHA free tier) if:

• Privacy isn’t a selling point for your product, you’re running low volume, and the free tier covers you. The data trade-off is real but not everyone’s problem.

Skip it entirely if:

• You’re non-technical and don’t have a developer relationship. Cap requires server management. There’s no “plug in your API key” option.
• Your threat model involves nation-state actors or well-funded bot farms with GPU clusters. Cap’s proof-of-work can be solved computationally at scale. No open-source CAPTCHA library is adequate for this threat level without additional layers.
• Your compliance framework requires audited, certified bot protection solutions with published SLAs.

---

Alternatives Worth Considering

• Cloudflare Turnstile — free, privacy-respecting relative to reCAPTCHA, trivial to integrate, but ties you to Cloudflare’s infrastructure. Best option if you’re already a Cloudflare customer.
• reCAPTCHA v3 — the default choice for most web apps. Free, mature, well-tested. The cost is data sent to Google. v3 is invisible (no user interaction) which improves UX but makes tuning the score threshold tricky.
• hCaptcha — reCAPTCHA alternative with a publisher reward program and better privacy posture than Google. Has a free tier. Commercial at scale.
• friendly-challenge — another proof-of-work CAPTCHA alternative, open source, similar philosophy to Cap but different implementation. Worth comparing if you’re evaluating this category.
• mCaptcha — self-hosted proof-of-work CAPTCHA, Rust-based, similar space as Cap. Fewer GitHub stars but a different tech stack if Bun/Node isn’t your preference.
• Honeypot fields — for low-threat environments, hidden form fields that bots fill and humans don’t are free, invisible, and require no third-party dependency. Not a replacement for serious bot traffic but often adequate for simple contact forms.

---

Bottom Line

Cap does one thing and does it cleanly: it gives you a self-hosted CAPTCHA backend that sends nothing to Google, Cloudflare, or anyone else, with a widget small enough that it won’t punish your Lighthouse scores. The Apache 2.0 license is genuinely open, the reCAPTCHA-compatible API makes migration non-painful, and the Docker Compose deployment is straightforward for anyone who’s managed a VPS before.

The honest limitations are the ones you’d expect from a 5K-star project with a solo maintainer: no independent effectiveness audits, no managed hosting option, no documented track record against sophisticated bot operations at scale. If you need “certified, SLA-backed bot protection with a published security disclosure process,” Cap isn’t there yet.

But if your actual problem is “I don’t want to feed user data to Google and I want to own my stack,” Cap is the cleanest self-hostable answer in this category right now. Deploy it in under an hour, skip the data tax, and stop paying for something you can run yourself for the cost of RAM on a server you probably already have.

If deploying and maintaining the Docker stack is the part you’d rather hand off, that’s a one-time engagement — exactly what upready.dev handles for founders who want the infrastructure without the ops.

---

Sources

1. Cap Standalone documentation — “Cap Standalone | Cap: Self-hosted CAPTCHA for the modern web.” capjs.js.org. https://capjs.js.org/guide/standalone/index.html

Primary sources:

• GitHub repository and README: https://github.com/tiagozip/cap (5,105 stars, Apache 2.0 license)
• Official website: https://capjs.js.org
• Effectiveness guide: https://capjs.js.org/guide/effectiveness.html
• Alternatives comparison: https://capjs.js.org/guide/alternatives.html
• OpenSSF Best Practices badge: https://www.bestpractices.dev/projects/9920