
Self-Host a CAPTCHA for an Internal or Privacy-Critical Tool

When sending visitor data to a third party is unacceptable (regulated industry, internal tools, paranoid security teams), self-hosting is the only acceptable option. Pick between ALTCHA, mCaptcha, and Friendly Captcha Business.

  1. STEP 1

    Choose ALTCHA for the simplest possible deployment

    ALTCHA is MIT-licensed and ships as a 10KB JavaScript widget plus a tiny server library in Node, Go, Python, PHP, Ruby, and several others. There's no database, no daemon, no setup beyond importing the library. The server generates a random challenge and verifies the response. For internal tools, low-volume forms, and projects where you don't want to operate any new infrastructure, ALTCHA is the clear winner. The tradeoff: no shared threat data, so determined attackers with enough CPU can solve the proof-of-work too.

  2. STEP 2

    Choose mCaptcha if you actually expect DDoS attempts

    mCaptcha is AGPL-licensed and designed for application-layer DDoS mitigation, not just spam. It runs as a Rust binary backed by Postgres and auto-adjusts puzzle difficulty when load spikes. For internal tools that face periodic abuse waves (think login portals after a data leak announcement), mCaptcha's adaptive difficulty is genuinely valuable. The tradeoff: the AGPL does not pass most enterprise legal reviews, and you need to run Postgres.

  3. STEP 3

    Choose Friendly Captcha Business for a managed-feel + self-hosted setup

    If your team wants the dashboard, analytics, and SLA of a managed service but the data isolation of self-hosting, Friendly Captcha's Business tier (~€240/mo) is the only product in this category. You get a Docker image to run on your infrastructure plus a paid license that includes their server tuning expertise. The cost is real but justified for regulated industries (healthcare, finance) where 'we self-host but pay the vendor for the right blocklists' is the procurement-friendly story.

  4. STEP 4

    Run a load test before going live

    Proof-of-work verification throughput on a self-hosted CAPTCHA scales linearly with your CPU budget. Before launching on a critical form, load-test your CAPTCHA server with 10x your peak expected traffic. ALTCHA and mCaptcha both verify in under 5ms per request on commodity hardware, so this is usually fine, but you want the data before a real spike. Set up alerts on verification latency and queue depth so you notice degradation before users do.
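
As an added illustration of steps 1 and 4 (not ALTCHA's or mCaptcha's own code): a stateless, HMAC-signed proof-of-work of the kind step 1 describes, plus a helper that measures per-request verification cost as a starting point for the load test in step 4. The field names, the salt layout and `HMAC_KEY` are assumptions made for this example.

```python
import hashlib, hmac, secrets, time

HMAC_KEY = secrets.token_bytes(32)  # assumption: per-deployment secret, kept server-side

def _eq(a, b):
    return hmac.compare_digest(a.encode(), str(b).encode())  # constant-time compare

def _sign(salt, challenge):
    # Sign salt and challenge with a delimiter so the expiry carried in the
    # salt cannot be altered or spliced together with the number.
    return hmac.new(HMAC_KEY, f"{salt}|{challenge}".encode(), hashlib.sha256).hexdigest()

def _digest(salt, number):
    return hashlib.sha256(f"{salt}|{number}".encode()).hexdigest()

def create_challenge(max_number=50_000, ttl=300, now=None):
    """Server: issue a puzzle. Nothing is stored; the signature carries the state."""
    now = int(time.time()) if now is None else now
    salt = f"{secrets.token_hex(12)}.{now + ttl}"  # random part + expiry timestamp
    challenge = _digest(salt, secrets.randbelow(max_number + 1))
    return {"salt": salt, "challenge": challenge,
            "signature": _sign(salt, challenge), "max_number": max_number}

def solve(ch):
    """Client: brute-force the hidden number (the browser widget's job)."""
    for n in range(ch["max_number"] + 1):
        if _digest(ch["salt"], n) == ch["challenge"]:
            return n
    return None

def verify(salt, challenge, signature, number, now=None):
    """Server: one HMAC and one SHA-256 per request, plus an expiry check."""
    now = int(time.time()) if now is None else now
    if not _eq(_sign(salt, challenge), signature):
        return False                       # forged or tampered challenge
    if now > int(salt.rsplit(".", 1)[1]):
        return False                       # expired; bounds the replay window
    return _eq(_digest(salt, number), challenge)

def verify_latency_ms(samples=500):
    """Mean verification time: the CPU cost to multiply by peak requests/s."""
    ch = create_challenge(max_number=2_000)
    n = solve(ch)
    start = time.perf_counter()
    for _ in range(samples):
        verify(ch["salt"], ch["challenge"], ch["signature"], n)
    return (time.perf_counter() - start) * 1000 / samples
```

Because nothing is stored, a solved challenge stays valid until its expiry; keeping a short-lived set of already-used signatures closes that replay window at the cost of a little state.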

Recommended tools