Cap

This project is a self-hosted bot protection service and CAPTCHA alternative that verifies human identity without relying on third-party tracking. It utilizes a combination of WebAssembly-based proof-of-work puzzles and browser instrumentation to distinguish humans from automated bots. The system is delivered as dockerized security middleware and a privacy-first verification API that operates without the use of cookies or user fingerprinting.

The service differentiates itself by using GPU-resistant time-lock algorithms and instrumentation-based detection to identify headless browsers and automation frameworks. To prevent automated solvers from analyzing the verification process, it employs client-script obfuscation and control-flow flattening.

The platform covers a broad range of security capabilities, including site credential management, origin-based request restrictions, and token validation to prevent challenge replays. It provides various integration methods, including visual bot challenge components, programmatic solvers for API-driven workflows, and a system for self-hosting frontend assets.

The backend supports deployment via Docker images or serverless edge workers to reduce latency and maintain private verification infrastructure.

Features

Self-Hosted Bot Protection - Offers a self-hosted, private alternative to reCAPTCHA for verifying human users.

WebAssembly Proof-of-Work - Uses WebAssembly and Web Workers to execute computationally expensive puzzles that verify human presence.

Captcha Alternatives - Provides a privacy-focused alternative to CAPTCHAs using proof-of-work and browser instrumentation.

Proof-of-Work - Uses WebAssembly-based proof-of-work puzzles to prevent automated request spam.

Private Infrastructure Hosting - Supports a deployment model that keeps all user data and verification processes within private infrastructure.

API Driven Bot Mitigation - Provides a REST API to integrate bot challenges into custom workflows for endpoint protection.

Bot Challenge Verifications - Provides a web component that handles bot detection via proof-of-work and automatic form submission.

Challenge Generation - Generates proof-of-work puzzles and instrumentation scripts that clients must solve for verification.

Browser Instrumentation Detection - Runs realm-escape and behavioral checks in sandboxed iframes to identify headless browsers.

Browser Instrumentation Testing - Implements background JavaScript checks to identify headless browsers and automation frameworks.

Browser Instrumentation Tools - Ships a detection engine that uses JavaScript environment checks to identify automated webdrivers.

Challenge Solution Validations - Provides a process for verifying puzzle solutions and instrumentation fingerprints against signed tokens.

GPU-Resistant Algorithms - Employs specialized time-lock algorithms to ensure proof-of-work puzzles are GPU-resistant.

Instrumentation Challenges - Implements JavaScript environment checks to detect automated solvers and headless browsers.

Privacy-First Verification APIs - Implements a REST interface for validating bot-protection tokens without tracking user fingerprints.

Privacy-Preserving Verifications - Verifies human presence without relying on cookies, user fingerprinting, or third-party data collection.

Standardized Bot Protection APIs - Provides a bot protection API compatible with industry standards for seamless service migration.

GPU-Resistant Puzzles - Employs specialized GPU-resistant time-lock algorithms to ensure proof-of-work remains expensive for accelerators.

User Privacy Protection - Ensures human verification without using cookies, fingerprinting, or external data collection.

WASM Proof-of-Work Puzzles - Executes computationally expensive puzzles in parallel using WebAssembly and Web Workers.

Automated Browser Detection - Employs behavioral and realm-escape checks to identify headless browsers and automation frameworks.

Docker Container Deployments - Provides a containerized backend image for simplified deployment and scaling of the security middleware.

Edge Network Deployment - Supports deployment to edge-optimized cloud platforms to reduce latency and scale globally.

Edge Deployments - Supports deploying verification logic to serverless edge networks for global low-latency execution.

Accessible Verifications - Implements bot protection that meets global accessibility standards without requiring visual puzzles.

API Key Management - Provides a system for creating and organizing authentication keys to authorize programmatic requests.

Challenge Replay Preventions - Uses signature-based tokens to ensure challenges are solved only once and block response reuse.

Control Flow Obfuscations - Implements control-flow flattening to hinder analysis by automated bot solvers.

Cross-Origin Security Policies - Implements origin-based request restrictions to define which domains can generate or redeem challenges.

Origin Validators - Validates the origin of incoming requests to control which domains can generate or redeem challenges.

Bot Detection Sandboxes - Implements specialized tasks in sandboxed iframes to distinguish human users from automated bots.

Programmatic Challenge Solvers - Enables triggering proof-of-work challenges via API and tracking progress with event listeners.

Proof-of-Work Configurations - Provides a system for selecting puzzle types and tuning computational difficulty per site key.

Backend Security Middleware - Provides containerized security middleware for managing site keys and verifying human identity.

Token Validation - Uses signed tokens to ensure each challenge is solved only once and prevent response reuse.

Site Credential Management - Ships a dashboard for generating public site keys and private secret keys to protect multiple websites.

Site Key Organization - Provides a web dashboard to organize unique identifiers used to secure different websites.

WebDriver Detection - Executes environment checks to identify and block requests originating from automated browser tools and stealth webdrivers.

Environment Verifications - Uses dynamically generated JavaScript programs to confirm the existence of a genuine user environment.

Self-Hosted Frontend Assets - Provides a dedicated endpoint for serving widget and WebAssembly files to eliminate external CDN reliance.

Web Framework Integrations - Offers adapters and middleware for embedding bot protection widgets into various web frameworks.

tiagozipcap

Features

Star history