How I Stopped Form Spam Without reCAPTCHA

Zeke — Wed, 08 Apr 2026 11:39:31 +0000

Google reCAPTCHA started charging after 10k assessments per month. hCaptcha tanks conversion rates with those "click every bus" puzzles. Turnstile locks you into Cloudflare's ecosystem. I got tired of picking between surveillance, vendor lock-in, and a monthly bill just to keep bots off a contact form.

So I built a CAPTCHA that uses proof-of-work instead. No tracking. No cookies. No external dependencies. Self-hosted. Here's how it works and how to add it to any site in about five minutes.

The Problem With Every CAPTCHA

Let's be real about what happened to the CAPTCHA landscape:

reCAPTCHA was free for years, and that made it the default. Then Google introduced reCAPTCHA Enterprise pricing and capped the free tier at 10,000 assessments per month. For a side project getting moderate traffic, you're now paying Google to protect a contact form. And the whole time, reCAPTCHA is collecting behavioral data, setting cookies, and phoning home to Google's servers. If you care about GDPR compliance, that's a headache you didn't sign up for.

hCaptcha markets itself as the privacy alternative, but it still fingerprints browsers and runs third-party JavaScript. And those image labeling tasks? They're literally training ML models. Your users are doing free labor for a company they've never heard of.

Cloudflare Turnstile is genuinely better on the UX front, but it ties you to Cloudflare's infrastructure. If you're self-hosting on a VPS or running behind a different CDN, that dependency starts to chafe.

What all these solutions share: they're SaaS products that run someone else's JavaScript on your page, phone home to someone else's servers, and make you dependent on someone else's uptime.

What if the Browser Just Did Math Instead?

The idea behind proof-of-work CAPTCHAs is simple. Instead of asking "click all the traffic lights," you ask the browser to compute SHA-256 hashes until it finds one with a specific number of leading zero bits. At the default difficulty of 16 bits, that's roughly 65,000 hashes, which takes about 4 seconds on average hardware.

Bots can do this too. That's the honest truth. But here's the thing: it costs them real CPU time per request. A bot that wants to submit your form 10,000 times has to burn 10,000 * 4 seconds of compute. That's an economic deterrent, not a Turing test. Same principle as Bitcoin mining, just at a much smaller scale.

No tracking. No cookies. No network requests to third parties. No behavioral profiling. The browser does math, proves it did the math, and moves on.

I'm not the first person to think of this. ALTCHA does something similar. But I wanted something with zero dependencies, a smaller footprint, and the option to let users skip the wait by paying a Lightning micropayment (more on that later).

Adding PoW CAPTCHA to a Form

Here's the practical part. I'll show you how to add this to an existing HTML form using @powforge/captcha.

Step 1: Add the Script

One script tag. No build step required.

<script src="https://unpkg.com/@powforge/captcha/dist/powforge-captcha.min.js"></script>

That's about 5KB gzipped. Compare that to reCAPTCHA's ~150KB.

Step 2: Drop the Widget Into Your Form

<form action="/submit" method="POST">
  <label for="email">Email</label>
  <input type="email" name="email" id="email" required>

  <label for="message">Message</label>
  <textarea name="message" id="message" required></textarea>

  <!-- PoW CAPTCHA mounts here -->
  <div id="pow-captcha"></div>
  <input type="hidden" name="pf_token">

  <button type="submit">Send</button>
</form>

<script src="https://unpkg.com/@powforge/captcha/dist/powforge-captcha.min.js"
        data-target="#pow-captcha"
        data-server="https://captcha.powforge.dev"
        data-theme="dark">
</script>

The widget renders a small progress bar while the browser mines. When it finishes, a checkmark appears and the hidden pf_token input is auto-filled with a signed token.

Step 3: Verify Server-Side

On your backend, validate the token before processing the form submission. Here's Express:

const express = require('express');
const { verifyToken } = require('@powforge/captcha/verify');

const app = express();
app.use(express.urlencoded({ extended: true }));

app.post('/submit', async (req, res) => {
  const result = await verifyToken(req.body.pf_token, {
    server: 'https://captcha.powforge.dev',
  });

  if (!result.valid) {
    return res.status(403).json({ error: 'CAPTCHA verification failed' });
  }

  // Token is valid. Process the form.
  console.log('Message from:', req.body.email);
  res.json({ success: true });
});

app.listen(3000);

The verifyToken function makes a single POST to your verification server and returns { valid: true/false }. That's it. Two network requests total: one to fetch the challenge, one to verify the solution.

Step 4 (Optional): Use the ES Module API

If you're building a SPA or want more control, there's a module API:

import { PowCaptcha } from '@powforge/captcha';

const captcha = new PowCaptcha({
  target: '#pow-captcha',
  server: 'https://captcha.powforge.dev',
  difficulty: 16,
  theme: 'dark',
});

captcha.on('verified', ({ token }) => {
  document.querySelector('form').submit();
});

captcha.on('progress', ({ percent }) => {
  console.log(`${percent.toFixed(0)}% done`);
});

Benchmarks

I ran this on a handful of devices to get real numbers:

Metric	Value
Time to solve (desktop, M1 Mac)	~2.5s
Time to solve (desktop, mid-range PC)	~4s
Time to solve (iPhone 13)	~6s
Time to solve (budget Android)	~10s
Bundle size	~5KB gzipped
Network requests	2 (challenge + verify)
External dependencies	0
User data collected	0
Cookies set	0
Cost	$0 (self-hosted)

Default difficulty is 16 bits (~65k hashes). You can tune this. Drop it to 10 bits for comment forms where friction matters more than security. Crank it to 20 bits for account registration where you really want to slow down bots.

The Comparison Table

Here's how it stacks up against the options you're probably evaluating:

	PowForge	reCAPTCHA v3	hCaptcha	Turnstile	ALTCHA
Price	Free (self-host)	Free tier, then $8/1k	Free tier, then paid	Free tier	Free (self-host)
Privacy	No tracking	Google behavioral tracking	Browser fingerprinting	Cloudflare tracking	No tracking
Self-hosted	Yes	No	No	No	Yes
Dependencies	None	Google JS (~150KB)	hCaptcha JS (~120KB)	Cloudflare JS (~80KB)	None (~30KB)
Setup time	~5 min	~10 min	~10 min	~5 min	~5 min
Open source	MIT	No	No	No	MIT
Cookies	None	Yes	Yes	Yes	None
Works offline	Yes (once loaded)	No	No	No	Yes (once loaded)

The closest comparison is ALTCHA. Both are open source, both use proof-of-work, both can be self-hosted. PowForge is smaller (~5KB vs ~30KB), and adds a Lightning payment option where verified users can skip the wait entirely. ALTCHA has been around longer and has a bigger community. Pick whichever fits your stack.

What PoW Doesn't Solve (Honest Trade-offs)

I'd rather you know the limitations upfront than find out after deploying this to production.

Targeted attacks. If someone specifically wants to spam your form, they can throw GPU power at it and solve challenges fast. Proof-of-work raises the cost, but it doesn't make it impossible. Then again, reCAPTCHA v3 gets bypassed by dedicated attackers too. No CAPTCHA is a silver bullet.

Mobile performance. Budget phones take 2-3x longer than desktops to solve a challenge. A 4-second wait on a laptop becomes 10 seconds on a three-year-old Android. For mobile-heavy audiences, drop the difficulty to 10-14 bits or you'll hurt your conversion rate.

Battle-tested scale. Cloudflare Turnstile handles billions of requests. This doesn't have that track record yet. If you're running a site with millions of daily submissions, I'd be honest and say this hasn't been proven at that scale.

Accessibility. Users with very old devices or limited hardware will wait longer. There's no audio CAPTCHA equivalent. For sites with strict accessibility requirements, consider offering the Lightning skip as an alternative path.

GPU farming. An attacker with a GPU can solve SHA-256 challenges orders of magnitude faster than a browser can. The roadmap includes Argon2-based challenges (memory-hard, GPU-resistant) to address this. Not there yet.

When This Makes Sense

This fits best when:

You're protecting contact forms, comment sections, or registration pages
You value user privacy and don't want Google tracking on your site
You're self-hosting and want full control over the infrastructure
Your traffic is low-to-medium (under 100k submissions per day)
You're building something in the Bitcoin/Lightning ecosystem and want the Lightning skip feature

It probably doesn't fit when:

You need enterprise-grade bot detection with ML behavioral analysis
You're processing millions of submissions daily and need proven scale
Your audience is primarily on budget mobile devices
You have strict accessibility compliance requirements (WCAG AAA)

Self-Hosting the Verification Server

You don't have to use the hosted endpoint. The verification server is a single Node.js file with zero npm dependencies for core functionality:

git clone https://gitlab.com/powforge/captcha.git
cd captcha
node server.js
# Listening on port 3077

Point the widget at your own server:

<script src="powforge-captcha.min.js"
        data-target="#captcha"
        data-server="https://your-domain.com:3077">
</script>

Three endpoints. That's the whole API:

Endpoint	Method	What it does
`/api/challenge`	GET	Returns a new PoW challenge
`/api/verify`	POST	Accepts a solution, returns a signed token
`/api/token/verify`	POST	Server-side token validation

Try It

There's a live demo at powforge.dev/captcha where you can solve a challenge and see how it feels. The source is on GitLab. The npm package (@powforge/captcha) is coming soon.

If you build something with it, I'd genuinely like to hear about it. Open an issue on the repo or find me on Nostr.

Built by an indie dev who got tired of paying Google to protect a contact form.

DEV Community: Zeke