mCaptcha is a self-hosted CAPTCHA written in Rust that uses proof-of-work to rate-limit abusive traffic. The visitor’s browser computes a short puzzle before a request goes through, so a flood of automated requests becomes slow and costly. It does not track or profile visitors, and the core is licensed under the AGPL.
Reviewed by Marcus Holmberg
Rate mCaptcha: No account needed
Threat level
Hardened
A hardened pick. Worth the effort once you have chosen to shrink your footprint on purpose. Enough for most people. Threat levels
Our take
mCaptcha takes the same privacy-respecting approach as ALTCHA and aims it squarely at flood protection: it does not use a visitor’s IP address to rate-limit and it builds no profile, while every check stays on infrastructure you control. For a webmaster who already self-hosts and is comfortable on the command line, the lightweight Rust backend is a clean fit. The catch is twofold. The ecosystem is smaller than the bigger names, so you lean on the project’s own docs, and there is no managed tier, so you own the deployment and its upkeep. Pick it if you run your own stack and want spam control with zero visitor tracking. Skip it if you need a drop-in widget someone else hosts.
Website at a glance
mcaptcha.org
D score 30
Weak website security headers
Graded by Mozilla HTTP Observatory, tested today
Inspect this site yourself
Measures the security configuration of the tool's own website, not the privacy of the product itself. A strong tool can still score low here.
mCaptcha alternatives
* Average ratings will show on this page once the threshold of 5 ratings is reached.