# tiagozip/cap

**Attribution required: if you use, quote, or summarise this content, you must credit and link back to [awesome-repositories.com](https://awesome-repositories.com/repository/tiagozip-cap).**

6,980 stars · 480 forks · JavaScript · NOASSERTION

## Links

- GitHub: https://github.com/tiagozip/cap
- Homepage: https://trycap.dev
- awesome-repositories: https://awesome-repositories.com/repository/tiagozip-cap.md

## Topics

`anti-abuse` `anti-bot` `anti-scraper` `antispam` `captcha` `defense` `javascript` `proof-of-work`

## Description

This project is a self-hosted bot protection service and CAPTCHA alternative that verifies a visitor is human without relying on third-party tracking. It combines WebAssembly-based proof-of-work puzzles with browser instrumentation to distinguish humans from automated bots. The system is delivered as dockerized security middleware and a privacy-first verification API that uses neither cookies nor user fingerprinting.

The service differentiates itself by using GPU-resistant time-lock algorithms and instrumentation-based detection to identify headless browsers and automation frameworks. To prevent automated solvers from analyzing the verification process, it employs client-script obfuscation and control-flow flattening.

The platform covers a broad range of security capabilities, including site credential management, origin-based request restrictions, and token validation to prevent challenge replays. It provides various integration methods, including visual bot challenge components, programmatic solvers for API-driven workflows, and a system for self-hosting frontend assets.

The backend supports deployment via Docker images or serverless edge workers to reduce latency and maintain private verification infrastructure.

## Tags

### Security & Cryptography

- [Self-Hosted Bot Protection](https://awesome-repositories.com/f/security-cryptography/self-hosted-bot-protection.md) — Offers a self-hosted, private alternative to reCAPTCHA for verifying human users.
- [WebAssembly Proof-of-Work](https://awesome-repositories.com/f/security-cryptography/webassembly-proof-of-work.md) — Uses WebAssembly and Web Workers to execute computationally expensive puzzles that verify human presence. ([source](https://trycap.dev/guide/workings.html))
- [API Driven Bot Mitigation](https://awesome-repositories.com/f/security-cryptography/api-driven-bot-mitigation.md) — Provides a REST API to integrate bot challenges into custom workflows for endpoint protection.
- [Bot Challenge Verifications](https://awesome-repositories.com/f/security-cryptography/bot-challenge-verifications.md) — Provides a web component that handles bot detection via proof-of-work and automatic form submission. ([source](https://trycap.dev/guide/))
- [Challenge Generation](https://awesome-repositories.com/f/security-cryptography/bot-challenge-verifications/challenge-generation.md) — Generates proof-of-work puzzles and instrumentation scripts that clients must solve for verification. ([source](https://trycap.dev/guide/capjs-core.html))
- [Browser Instrumentation Detection](https://awesome-repositories.com/f/security-cryptography/browser-instrumentation-detection.md) — Runs realm-escape and behavioral checks in sandboxed iframes to identify headless browsers.
- [Browser Instrumentation Testing](https://awesome-repositories.com/f/security-cryptography/browser-instrumentation-testing.md) — Implements background JavaScript checks to identify headless browsers and automation frameworks.
- [Browser Instrumentation Tools](https://awesome-repositories.com/f/security-cryptography/browser-instrumentation-tools.md) — Ships a detection engine that uses JavaScript environment checks to identify automated webdrivers.
- [Challenge Solution Validations](https://awesome-repositories.com/f/security-cryptography/challenge-solution-validations.md) — Provides a process for verifying puzzle solutions and instrumentation fingerprints against signed tokens. ([source](https://trycap.dev/guide/capjs-core.html))
- [GPU-Resistant Algorithms](https://awesome-repositories.com/f/security-cryptography/gpu-resistant-algorithms.md) — Employs specialized time-lock algorithms to ensure proof-of-work puzzles are GPU-resistant. ([source](https://trycap.dev/guide/effectiveness))
- [Instrumentation Challenges](https://awesome-repositories.com/f/security-cryptography/identity-access-management/access-control/computational-access-challenges/traffic-interrogation-challenges/instrumentation-challenges.md) — Implements JavaScript environment checks to detect automated solvers and headless browsers. ([source](https://trycap.dev/guide/standalone/options.html))
- [Privacy-First Verification APIs](https://awesome-repositories.com/f/security-cryptography/privacy-first-verification-apis.md) — Implements a REST interface for validating bot-protection tokens without tracking user fingerprints.
- [Privacy-Preserving Verifications](https://awesome-repositories.com/f/security-cryptography/privacy-preserving-utilities/privacy-preserving-verifications.md) — Verifies human presence without relying on cookies, user fingerprinting, or third-party data collection. ([source](https://trycap.dev/))
- [Standardized Bot Protection APIs](https://awesome-repositories.com/f/security-cryptography/standardized-bot-protection-apis.md) — Provides a bot protection API compatible with industry standards for seamless service migration. ([source](https://trycap.dev/))
- [GPU-Resistant Puzzles](https://awesome-repositories.com/f/security-cryptography/time-locked-operations/time-locked-schedulers/gpu-resistant-puzzles.md) — Employs specialized GPU-resistant time-lock algorithms to ensure proof-of-work remains expensive for accelerators.
- [User Privacy Protection](https://awesome-repositories.com/f/security-cryptography/user-privacy-protection.md) — Ensures human verification without using cookies, fingerprinting, or external data collection.
- [WASM Proof-of-Work Puzzles](https://awesome-repositories.com/f/security-cryptography/wasm-proof-of-work-puzzles.md) — Executes computationally expensive puzzles in parallel using WebAssembly and Web Workers.
- [Accessible Verifications](https://awesome-repositories.com/f/security-cryptography/accessible-verifications.md) — Implements bot protection that meets global accessibility standards without requiring visual puzzles. ([source](https://trycap.dev/guide/compliance.html))
- [API Key Management](https://awesome-repositories.com/f/security-cryptography/api-key-management.md) — Provides a system for creating and organizing authentication keys to authorize programmatic requests. ([source](https://trycap.dev/guide/standalone/api.html))
- [Challenge Replay Preventions](https://awesome-repositories.com/f/security-cryptography/challenge-replay-preventions.md) — Uses signature-based tokens to ensure challenges are solved only once and block response reuse. ([source](https://trycap.dev/guide/effectiveness.html))
- [Control Flow Obfuscations](https://awesome-repositories.com/f/security-cryptography/control-flow-obfuscations.md) — Implements control-flow flattening to hinder analysis by automated bot solvers.
- [Cross-Origin Security Policies](https://awesome-repositories.com/f/security-cryptography/cross-origin-security-policies.md) — Implements origin-based request restrictions to define which domains can generate or redeem challenges. ([source](https://trycap.dev/guide/standalone/options.html))
- [Origin Validators](https://awesome-repositories.com/f/security-cryptography/cross-origin-security-policies/origin-validators.md) — Validates the origin of incoming requests to control which domains can generate or redeem challenges.
- [Bot Detection Sandboxes](https://awesome-repositories.com/f/security-cryptography/iframe-sandboxing/bot-detection-sandboxes.md) — Implements specialized tasks in sandboxed iframes to distinguish human users from automated bots. ([source](https://trycap.dev/guide/workings.html))
- [Programmatic Challenge Solvers](https://awesome-repositories.com/f/security-cryptography/programmatic-challenge-solvers.md) — Enables triggering proof-of-work challenges via API and tracking progress with event listeners. ([source](https://trycap.dev/guide/programmatic.html))
- [Proof-of-Work Configurations](https://awesome-repositories.com/f/security-cryptography/proof-of-work-configurations.md) — Provides a system for selecting puzzle types and tuning computational difficulty per site key. ([source](https://trycap.dev/guide/standalone/options.html))
- [Backend Security Middleware](https://awesome-repositories.com/f/security-cryptography/security/application-and-web/web-application/backend-security-middleware.md) — Provides containerized security middleware for managing site keys and verifying human identity.
- [Token Validation](https://awesome-repositories.com/f/security-cryptography/security/policies/token-validation.md) — Uses signed tokens to ensure each challenge is solved only once and prevent response reuse.
- [Site Credential Management](https://awesome-repositories.com/f/security-cryptography/site-credential-management.md) — Ships a dashboard for generating public site keys and private secret keys to protect multiple websites. ([source](https://trycap.dev/guide/))
- [Site Key Organization](https://awesome-repositories.com/f/security-cryptography/site-key-organization.md) — Provides a web dashboard to organize unique identifiers used to secure different websites. ([source](https://trycap.dev/guide/standalone/))

### Part of an Awesome List

- [Captcha Alternatives](https://awesome-repositories.com/f/awesome-lists/devtools/captcha-alternatives.md) — Provides a privacy-focused alternative to CAPTCHAs using proof-of-work and browser instrumentation.
- [Proof-of-Work](https://awesome-repositories.com/f/awesome-lists/security/bot-protection/proof-of-work.md) — Uses WebAssembly-based proof-of-work puzzles to prevent automated request spam.

### DevOps & Infrastructure

- [Private Infrastructure Hosting](https://awesome-repositories.com/f/devops-infrastructure/private-infrastructure-hosting.md) — Supports a deployment model that keeps all user data and verification processes within private infrastructure. ([source](https://trycap.dev/guide/compliance.html))
- [Docker Container Deployments](https://awesome-repositories.com/f/devops-infrastructure/container-orchestration/container-runtimes/runtime-configuration-interfaces/docker-socket-orchestrators/docker-target-configurators/docker-container-deployments.md) — Provides a containerized backend image for simplified deployment and scaling of the security middleware. ([source](https://trycap.dev/guide/standalone/))
- [Edge Network Deployment](https://awesome-repositories.com/f/devops-infrastructure/edge-network-deployment.md) — Supports deployment to edge-optimized cloud platforms to reduce latency and scale globally. ([source](https://trycap.dev/guide/community.html))
- [Edge Deployments](https://awesome-repositories.com/f/devops-infrastructure/worker-deployment-inspection/cloudflare-workers-deployments/edge-deployments.md) — Supports deploying verification logic to serverless edge networks for global low-latency execution.

### Web Development

- [Automated Browser Detection](https://awesome-repositories.com/f/web-development/web-automation-frameworks/automated-browser-detection.md) — Employs behavioral and realm-escape checks to identify headless browsers and automation frameworks. ([source](https://trycap.dev/guide/capjs-core.html))
- [Self-Hosted Frontend Assets](https://awesome-repositories.com/f/web-development/self-hosted-frontend-assets.md) — Provides a dedicated endpoint for serving widget and WebAssembly files to eliminate external CDN reliance. ([source](https://trycap.dev/guide/standalone/options.html))
- [Web Framework Integrations](https://awesome-repositories.com/f/web-development/web-framework-integrations.md) — Offers adapters and middleware for embedding bot protection widgets into various web frameworks. ([source](https://trycap.dev/guide/community.html))

### Testing & Quality Assurance

- [WebDriver Detection](https://awesome-repositories.com/f/testing-quality-assurance/automation-interaction-tools/webdriver-detection.md) — Executes environment checks to identify and block requests originating from automated browser tools and stealth webdrivers. ([source](https://trycap.dev/guide/instrumentation.html))

### User Interface & Experience

- [Environment Verifications](https://awesome-repositories.com/f/user-interface-experience/browser-environment-detection/environment-verifications.md) — Uses dynamically generated JavaScript programs to confirm the existence of a genuine user environment. ([source](https://trycap.dev/guide/instrumentation.html))
