Is ALTCHA actually private?

Yes. It sets no cookies and does no fingerprinting, so it sends no visitor data to a third party. The puzzle is solved in the browser and checked on your own server, which leaves no profile to leak and nothing to disclose in your privacy policy.

How does ALTCHA stop bots without making people solve images?

It asks the visitor's browser to compute a small proof-of-work puzzle in the background before the form submits. A real visitor never notices the short delay. A spammer trying to blast thousands of requests pays that cost on every one, which is what makes mass abuse expensive.

Do I have to self-host ALTCHA?

The widget and server library are open source and built to run on your own infrastructure, which is the configuration we recommend because no visitor data ever leaves your server. The project also offers a hosted option if you would rather not run the backend yourself.

Reviewed by Gabriel Bachmann

ALTCHA

altcha.org

No ratings yet. Be the first.

GitHub Website →

GitHub

Website →

CAPTCHA & Bots Open Source No account Self-hosted Web Free

Rate ALTCHA:

No account needed

ALTCHA is a CAPTCHA you run on your own server. Instead of asking a visitor to read distorted text or click images, it has the browser solve a short proof-of-work puzzle in the background and verifies it server-side. It sets no cookies and does no fingerprinting. The code is released under the permissive MIT license.

Threat level

Covered

A covered pick. Anyone can use it as a private drop-in, with no setup or know-how. Enough for most people. Threat levels

Our take

ALTCHA is our default pick because it gets spam protection without handing your visitors to anyone: the work happens in their browser and the check happens on your server, so nothing about them is logged. For a webmaster that means a CAPTCHA you can drop in without a consent prompt, since there is no tracking to consent to. The honest catch is what proof-of-work is and is not. It makes mass spam expensive by charging compute on every request, but it is no wall against a determined attacker who targets you specifically and will pay that cost. Pick it for a contact form or signup where you want to stop the flood without watching your readers. Reach for layered defenses against a focused, well-resourced adversary.

Website at a glance

altcha.org

B score 70

Solid website security headers

Graded by Mozilla HTTP Observatory, tested today

Inspect this site yourself

Mozilla Observatory web-check urlscan.io SSL Labs Security Headers

Measures the security configuration of the tool's own website, not the privacy of the product itself. A strong tool can still score low here.

ALTCHA alternatives

Friendly Captcha Invisible, managed CAPTCHA from Germany. Uses background proof-of-work and no cookies, so visitors never solve a puzzle.

mCaptcha Self-hosted, proof-of-work CAPTCHA written in Rust. Rate-limits abusive traffic without tracking or profiling your visitors.

Frequently asked

Is ALTCHA actually private?: Yes. It sets no cookies and does no fingerprinting, so it sends no visitor data to a third party. The puzzle is solved in the browser and checked on your own server, which leaves no profile to leak and nothing to disclose in your privacy policy.
How does ALTCHA stop bots without making people solve images?: It asks the visitor's browser to compute a small proof-of-work puzzle in the background before the form submits. A real visitor never notices the short delay. A spammer trying to blast thousands of requests pays that cost on every one, which is what makes mass abuse expensive.
Do I have to self-host ALTCHA?: The widget and server library are open source and built to run on your own infrastructure, which is the configuration we recommend because no visitor data ever leaves your server. The project also offers a hosted option if you would rather not run the backend yourself.

* Average ratings will show on this page once the threshold of 5 ratings is reached.