Block Comment Spam Without Setting a Single Cookie
GDPR-friendly stack: a proof-of-work CAPTCHA plus honeypots plus rate limiting. Real numbers on what each layer catches.
- STEP 1
Pick a no-cookie proof-of-work CAPTCHA
Friendly Captcha is the easiest hosted option (€9/mo, EU-hosted, no setup beyond an API key). ALTCHA is the easiest self-hosted option (MIT licensed, a single JavaScript widget plus a small server library, free). Both run a hash puzzle in the visitor's browser, take 300-800ms on a modern phone, and set no cookies and send no fingerprinting data. The difference: Friendly Captcha gives you a dashboard with abuse signals; ALTCHA gives you no dashboard but also no third party to depend on. Whichever you pick, verify the solution on the server with the vendor's library, never in the browser: the widget's output is just another form field, and a bot can set it to anything. Also be clear about what proof-of-work buys you. It does not tell humans from bots; it makes every submission cost the sender a fraction of a second of CPU, which ruins the economics of bulk spam but does nothing against one determined submitter.
- STEP 2
Add a honeypot field as a free first layer
Add a hidden form field with a name a bot script will fill but a human won't see (the classic names are 'url' or 'website'). Hide it with CSS (display:none plus visibility:hidden) and take it out of the keyboard order and the accessibility tree with the HTML attributes tabindex="-1" and aria-hidden="true", since those are attributes, not CSS. Set autocomplete="off" on it as well: browser autofill can otherwise populate a field called 'website' for a real reader, and you would reject them. Reject any submission where this field is non-empty. This catches roughly 60-70% of the dumbest spam bots for zero cost. Honeypots compound well with a real CAPTCHA: spam bots that pass the CAPTCHA still fail the honeypot half the time.
- STEP 3
Rate-limit at the edge or in your app
Cap submissions per IP at 5 per hour for comments and 20 per hour for general forms. Cloudflare's free WAF rate-limiting rule does this in two clicks if you're on Cloudflare. Otherwise, use Redis or your database (a counter per IP per hour: increment on every attempt, reject above the cap, expire the key after an hour). Count attempts, not just accepted submissions, so failed CAPTCHA and honeypot hits wear the cap down too. Rate limiting is the backstop for bots that script around the CAPTCHA by reusing one solution across requests: the CAPTCHA verifier should reject a replayed solution outright, and the rate limit bounds the damage if it does not. Two caveats. Behind a proxy or CDN, key the counter on the real client address (Cloudflare's CF-Connecting-IP header, or the X-Forwarded-For entry your own proxy appends, never a value the client can set), or every visitor shares one counter. And a cap of 5 will occasionally block a second reader behind the same office or mobile-carrier NAT; the log from Step 4 shows you when that happens. For everyone else it costs nothing.
- STEP 4
Log failed submissions and review weekly
Write every rejected submission (CAPTCHA fail, honeypot trigger, rate limit) to a small log table or file with timestamp, IP, user agent, and rejection reason. Spend 10 minutes a week skimming it. You'll spot patterns like one bot retrying every hour, or a particular user agent string spiking, and you'll also catch false positives (a real reader tripping the honeypot through autofill, an office NAT hitting the rate limit) before they become a pattern. Most weekly reviews surface a single signal you can add to your WAF or honeypot, and over a few months your false positive rate stays under 0.1%. Keep the log lean: the IP is personal data under GDPR, so give the log a retention limit that matches the weekly review, and don't keep rejected comment bodies longer than you need to classify them.
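The four steps as one server-side gate, as an added worked example that is not code from this page, from ALTCHA or from Friendly Captcha. It re-implements an ALTCHA-style puzzle so the whole thing runs offline: the server issues a salt plus the SHA-256 of salt and a secret number, signs the challenge with an HMAC, the browser brute-forces the number, and the server checks the signature, the expiry, the hash, and single use before the comment is accepted. In production you would call the vendor's verification library instead and keep the counters and the used-challenge set in Redis. The secret key, the field names website and altcha, the one-hour window, and the sample IP addresses are assumptions for the example.

```python
from __future__ import annotations
# Comment gate: honeypot + ALTCHA-style proof-of-work + per-IP rate limit + rejection log.
# Added example, not ALTCHA's library; key, field names and sample IPs are assumptions.
import base64
import hashlib
import hmac
import json
import secrets
import time
from collections import Counter, defaultdict, deque

SECRET_KEY = b"replace-with-a-32-byte-random-secret"  # assumption: server-side only, never sent to the browser
CHALLENGE_TTL = 300                                     # seconds a challenge stays valid
CAP_PER_HOUR = 5                                        # comment submissions per IP per hour (Step 3)


def _sha256_hex(s: str) -> str:
    return hashlib.sha256(s.encode()).hexdigest()


def _sign(challenge: str) -> str:
    return hmac.new(SECRET_KEY, challenge.encode(), hashlib.sha256).hexdigest()


def make_challenge(max_number: int = 50_000, now: float | None = None) -> dict:
    """Server side: issue a puzzle. Only the hash is sent; the browser must brute-force the number."""
    now = time.time() if now is None else now
    salt = f"{secrets.token_hex(8)}?expires={int(now) + CHALLENGE_TTL}"  # expiry is covered by the hash
    number = secrets.randbelow(max_number)
    challenge = _sha256_hex(salt + str(number))
    return {"salt": salt, "challenge": challenge, "signature": _sign(challenge), "max_number": max_number}


def solve_challenge(ch: dict) -> str:
    """What the widget does in the browser: try numbers until the hash matches, return the base64 form value."""
    for n in range(ch["max_number"]):
        if _sha256_hex(ch["salt"] + str(n)) == ch["challenge"]:
            sol = {"salt": ch["salt"], "challenge": ch["challenge"], "signature": ch["signature"], "number": n}
            return base64.b64encode(json.dumps(sol).encode()).decode()
    raise ValueError("no solution below max_number")


class CommentGate:
    def __init__(self) -> None:
        self.used: set[str] = set()        # challenges already redeemed (Redis SET with TTL in production)
        self.hits = defaultdict(deque)     # ip -> timestamps of recent attempts (sliding window)
        self.log: list[dict] = []          # rejected submissions for the weekly review (Step 4)

    def _reject(self, ip: str, reason: str, now: float) -> tuple[bool, str]:
        self.log.append({"ts": int(now), "ip": ip, "reason": reason})
        return False, reason

    def _verify_pow(self, payload: str, now: float) -> str | None:
        """Return None if the proof-of-work is valid, otherwise the rejection reason."""
        try:
            sol = json.loads(base64.b64decode(payload))
            salt, challenge = str(sol["salt"]), str(sol["challenge"])
            sig, number = str(sol["signature"]), int(sol["number"])
            expires = int(salt.rsplit("?expires=", 1)[1])
        except (ValueError, KeyError, TypeError, IndexError):
            return "pow_malformed"
        if not hmac.compare_digest(_sign(challenge).encode(), sig.encode()):
            return "pow_bad_signature"      # we never issued this challenge
        if now > expires:
            return "pow_expired"            # solutions cannot be stockpiled
        if _sha256_hex(salt + str(number)) != challenge:
            return "pow_wrong_answer"       # the work was not actually done
        if challenge in self.used:
            return "pow_replayed"           # one solution, one submission
        self.used.add(challenge)
        return None

    def submit(self, ip: str, form: dict, now: float | None = None) -> tuple[bool, str]:
        now = time.time() if now is None else now
        if form.get("website", ""):                      # Step 2: honeypot, the cheapest check, runs first
            return self._reject(ip, "honeypot", now)
        window = self.hits[ip]                           # Step 3: sliding one-hour window, counts attempts
        while window and window[0] <= now - 3600:
            window.popleft()
        if len(window) >= CAP_PER_HOUR:
            return self._reject(ip, "rate_limited", now)
        window.append(now)
        reason = self._verify_pow(form.get("altcha", ""), now)   # Step 1: verified on the server
        if reason:
            return self._reject(ip, reason, now)
        return True, "accepted"

    def weekly_summary(self) -> dict:
        """Step 4: what to skim once a week, rejections grouped by reason and by IP."""
        return {"by_reason": Counter(r["reason"] for r in self.log),
                "by_ip": Counter(r["ip"] for r in self.log)}


if __name__ == "__main__":
    gate = CommentGate()
    ch = make_challenge(max_number=2000)
    print(gate.submit("203.0.113.7", {"body": "nice post", "altcha": solve_challenge(ch)}))
    print(gate.submit("203.0.113.7", {"body": "spam", "website": "http://example.com", "altcha": ""}))
    print(gate.weekly_summary())
```

The order in submit is deliberate: the honeypot is a string test, the rate limit a counter, and the proof-of-work check a hash plus an HMAC, so a flood is stopped by the cheap checks and never reaches the expensive one. The used-challenge set is what makes "reuse one solution across requests" fail at the verifier; the rate limit only has to cover the case where that set is missing or has expired.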