Cap: A Proof-of-Work CAPTCHA Alternative

Project Description

Cap is a lightweight, modern, open-source CAPTCHA alternative that utilizes SHA-256 proof-of-work. It aims to be a fast, private, and easy-to-integrate solution for verifying user authenticity, designed as a drop-in replacement for existing CAPTCHA systems with a focus on performance and user experience. Cap is built with JavaScript and runs on any JS runtime (Bun, Node.js, Deno). For non-JS environments, a standalone Docker image is available.

It consists of two main parts:

@cap.js/widget: A JavaScript library for rendering the CAPTCHA and solving challenges using Web Workers and WASM.
@cap.js/server: A zero-dependencies library for creating and validating challenges on the server-side.

Additional helpful packages and features include:

@cap.js/solver: A server-side solver for machine-to-machine interactions.
@cap.js/cli: A command-line interface for solving CAPTCHAs, primarily for testing or environments without JavaScript browser support.
Standalone mode: A Docker image providing a simple REST API and interactive UI for challenge creation/validation, allowing use with any language/framework.
@cap.js/wasm: Experimental WASM solvers built with Rust.
Checkpoint middleware: Libraries like @cap.js/checkpoint-hono, @cap.js/checkpoint-express, and @cap.js/middleware-elysia for a Cloudflare browser checkpoint-like experience.

Usage Instructions

Cap can be integrated by using its JavaScript libraries (@cap.js/widget and @cap.js/server) in JavaScript runtime environments. For non-JavaScript environments, the standalone Docker image provides a REST API for interaction. Detailed quickstart guides and full documentation are available via the project links.

Key Features

Lightweight: @cap.js/widget is only 12kb minified and brotli'd, making it 250x smaller than hCaptcha.
Private: Uses proof-of-work, eliminating the need for tracking, fingerprinting, or data collection.
Proof-of-Work (PoW): Employs SHA-256 PoW, making it easier for humans to solve (by performing a small computation) and harder for bots.
Fully Customizable: Self-hostable, allowing customization of both backend and frontend, or via CSS variables.
Standalone Mode: Docker image available for use with any programming language or framework via a simple REST API.
Invisible Mode: Can run invisibly in the background using a JavaScript API.
Floating Mode: CAPTCHA remains hidden until explicitly needed.
Fully Open-Source: Licensed under the Apache License 2.0.
No Dependencies: Built with JavaScript without external dependencies for core components.
Cross-runtime Compatibility: Runs on Bun, Node.js, Deno.
GDPR/CCPA Compliant: Its privacy-centric design naturally complies with these regulations.

Target Users

Cap is ideal for:

Developers and organizations looking for a CAPTCHA alternative focusing on privacy and performance.
Websites and applications needing to protect APIs from bots.
Online platforms aiming to prevent spam on forms.
Services requiring blocking of automated login attempts.
Projects needing to secure against free-tier abuse.

Project Links

GitHub Repository: https://github.com/tiagorangel1/cap
Documentation/Website: https://capjs.js.org/

Application Scenarios

API Protection: Securing REST APIs from automated requests and bot attacks.
Form Spam Prevention: Implementing CAPTCHA on contact forms, registration forms, and comment sections to prevent spam submissions.
Login Security: Adding a layer of protection against brute-force attacks and automated login attempts.
Preventing Free-Tier Abuse: Mitigating misuse of free services or limited resources by ensuring legitimate human interaction.
Cloudflare-like Checkpoints: Using provided middleware to create browser checkpoint experiences for enhanced security.