hCaptcha

Best Self Hosted Alternatives to hCaptcha

A curated collection of the 4 best self hosted alternatives to hCaptcha.

hCaptcha is a CAPTCHA and bot-detection SaaS that provides challenge-based human verification, risk scoring and bot mitigation for websites and apps, offering privacy-focused data handling, analytics and integration options.

Alternatives List

#1
Anubis

Anubis

Anubis is a lightweight web AI firewall that protects sites from AI crawlers and scraping bots using configurable request challenges and bot policies.

Anubis screenshot

Anubis is a lightweight web AI firewall utility that protects upstream websites from high-volume scraper bots, especially AI crawlers. It sits in front of your origin and uses one or more challenges to decide whether to allow a request through.

Key Features

  • Challenge-based request gating to deter automated scraping and crawler traffic
  • Designed to be lightweight and affordable to run in front of community sites and small services
  • Configurable bot policies for allowlisting or blocking specific clients (including “good bots”)
  • Acts as a standalone alternative for environments where a hosted reverse-proxy security service is not desired

Use Cases

  • Protecting personal sites, forums, and small communities from aggressive AI crawler traffic
  • Adding an anti-scraping layer in front of an origin server to reduce load and bandwidth costs
  • Enforcing access rules for known bots and automated clients via explicit allow/deny policies

Limitations and Considerations

  • Can be a disruptive (“nuclear”) approach that may block smaller scrapers and potentially useful crawlers unless explicitly allowlisted

Anubis is best suited for operators who need a self-managed, challenge-based front door for HTTP traffic and want fine control over which automated clients are permitted. When tuned with sensible policies, it can help balance discoverability with uptime protection.

16.2kstars
478forks
View Details
#2
Cap

Cap

Lightweight, self-hostable CAPTCHA alternative using SHA-256 proof-of-work challenges to protect forms and APIs from bots without tracking or visual puzzles.

Cap is a lightweight, privacy-preserving CAPTCHA alternative that uses SHA-256 proof-of-work challenges instead of image puzzles. It is designed to be fast to load, accessible, and simple to integrate into modern websites and APIs without user tracking.

Key Features

  • Proof-of-work challenge system based on SHA-256 (no visual CAPTCHA puzzles)
  • Very small client footprint with no external dependencies
  • Privacy-first design with no telemetry sent to third parties
  • Highly customizable widget styling via CSS variables
  • Invisible mode to run challenges in the background
  • Machine-to-machine (M2M) friendly flows to protect APIs while allowing trusted automation
  • Standalone deployment option via container for running Cap as a service (with extra operational features such as analytics)

Use Cases

  • Protecting public web forms (login, signup, contact forms) from spam and automated abuse
  • Adding bot mitigation to API endpoints while keeping UX minimal for legitimate users
  • Replacing traditional CAPTCHA providers in privacy-sensitive or compliance-focused environments

Limitations and Considerations

  • Proof-of-work increases client CPU usage, which can impact low-power devices; difficulty tuning may be required
  • Not ideal for defending against attackers with substantial compute resources without additional rate-limiting and abuse controls

Cap provides a practical, modern approach to bot protection by shifting verification from user interaction to lightweight computation. It works well for teams that want a fast, customizable, privacy-respecting alternative to traditional CAPTCHA widgets.

4.8kstars
253forks
View Details
#3
mosparo

mosparo

Accessible, rule-based spam protection for web forms that inspects form fields, stores minimal data encrypted, and auto-deletes entries after 14 days.

mosparo screenshot

mosparo is a self-hosted, rule-based spam protection system for web forms that detects spam by evaluating form field content rather than forcing users to solve CAPTCHAs. It focuses on accessibility, data minimization, and privacy while providing configurable rules to block unwanted submissions.

Key Features

  • Rule-based spam detection that inspects individual form fields for disallowed words, patterns, or content
  • Collects only form data, client IP, and user agent; data is encrypted or hashed before storage
  • Automatic data retention policy that deletes stored form entries after approximately 14 days
  • Accessible UX: no image puzzles or obscure interactions, compatible with screen readers and keyboard navigation
  • Customizable checkbox widget for embedding and styling to match sites
  • Supports multiple storage backends (MySQL/MariaDB, PostgreSQL, SQLite) and optional caching (Redis/Memcached)
  • Lightweight PHP implementation with frontend assets built via Node tooling

Use Cases

  • Protecting contact, comment, and signup forms from automated spam without degrading accessibility
  • Integrating a privacy-focused spam filter into existing web apps or CMS forms
  • Centralizing form-protection rules for multiple sites or forms on a single self-hosted instance

Limitations and Considerations

  • Detection effectiveness depends on rule quality and coverage; additional tuning is often required to reach high block rates
  • Not a behavioral CAPTCHA replacement for highly sophisticated bot farms; may need complementary defenses for advanced attacks

mosparo is a practical, privacy-oriented alternative to traditional CAPTCHAs that emphasizes accessibility and configurability for site operators seeking a self-hosted spam protection solution.

263stars
16forks
View Details
#4
Private Captcha

Private Captcha

Privacy-first, GDPR-focused self-hosted Proof-of-Work CAPTCHA for forms and APIs with an adaptive lightweight widget and Postgres/ClickHouse backend.

Private Captcha screenshot

Private Captcha is a privacy-first, EU-made proof-of-work CAPTCHA service designed for self-hosting or managed deployment. It replaces third-party tracking CAPTCHAs with a client-side puzzle approach that avoids end-user tracking and personal data collection.

Key Features

  • Proof-of-Work (PoW) challenges that shift computational cost to the client instead of behavioural tracking
  • Adaptive difficulty scaling that adjusts challenge complexity in real time
  • Lightweight, customizable widget with an invisible mode and multiple visual themes and localizations
  • Privacy- and GDPR-focused design: no end-user tracking, no cookies, minimal PII processing
  • Backend usage statistics and operational metrics for domains and accounts
  • RESTful platform API for automating organization and domain management
  • Built with a Go backend and a JavaScript widget; uses PostgreSQL for business data and ClickHouse for operational analytics
  • Optimized for low resource requirements and high-throughput environments

Use Cases

  • Protect web forms and API endpoints from automated bots, spam, and scraping without third-party tracking
  • Replace commercial CAPTCHA providers to meet GDPR/CCPA compliance and legal requirements
  • Deploy on-premises or in EU-only infrastructure for privacy-focused organizations and projects

Limitations and Considerations

  • Community edition is distributed under a PolyForm Noncommercial License; commercial use requires a paid license
  • Proof-of-Work places CPU cost on clients and may impact low-power devices or increase client energy usage
  • Requires running backend components (PostgreSQL and ClickHouse) which adds operational overhead compared to fully managed SaaS-only solutions

Private Captcha is a focused alternative to mainstream CAPTCHA services for organizations that need privacy-preserving, self-hostable bot protection. It emphasizes configurable difficulty, minimal tracking, and integrations for protecting forms and APIs.

137stars
5forks
View Details

Why choose an open source alternative?

  • Data ownership: Keep your data on your own servers
  • No vendor lock-in: Freedom to switch or modify at any time
  • Cost savings: Reduce or eliminate subscription fees
  • Transparency: Audit the code and know exactly what's running