HeCAPTe: a stateless, privacy-first CAPTCHA service you can embed almost anywhere.

    girish
    Staff
    wrote on last edited by
    #7

    w00h00 . @themeerkat works 🙂 I was sending the /verify incorrectly to surfer instead of hecapte.


    1 Reply Last reply
    4
    • girishG girish

      @themeerkat yes, I got it going more. I used your example and changed the URLs - https://paste.cloudron.io/saruhogawi.xml. I had to upload the static things (solver, worker, wasm) into surfer. Then, some CORS into nginx (would be great if the hecapte server can have this configurable) and my test site loads. Something is up with /verify, checking what...

      TheMeerkat
      wrote on last edited by TheMeerkat
      #8

      @girish said in HeCAPTe: a stateless, privacy-first CAPTCHA service you can embed almost anywhere.:

      Then, some CORS into nginx (would be great if the hecapte server can have this configurable)

      Definitely. There's next-to-no "easy" config right now; I have an informal checklist for changes I'd want to make before it goes from alpha to beta, and I'll make a note for CORS specifically.

      @girish said in HeCAPTe: a stateless, privacy-first CAPTCHA service you can embed almost anywhere.:

      w00h00 . @themeerkat works 🙂 I was sending the /verify incorrectly to surfer instead of hecapte.

      Awesome! 😻 Thanks so much for trying it out! I genuinely appreciate your feedback and testing. 😸

      1 Reply Last reply
      3
      • TheMeerkatT TheMeerkat

        HeCAPTe

        Humane, embeddable Cost-Asymmetric Proof-of-work Turing exam


        Hello! I was looking for a particular kind of self-hosted service I could use as my first Cloudron contribution: a privacy-first price-them-out CAPTCHA.

        I hate the usability/accessibility nightmare that are traditional CAPTCHAs, especially now that essentially every method can be outsmarted by a cheap local LLM model. There were some promising PoW-based alternatives (Capjs, ALTCHA, mCaptcha, etc.), which I conceptually loved, but all of them either used a simple SHA-256-based puzzle (which is elementary to spammers who already have a bot farm) or had some other disqualifying feature for my preferences.

        Necessity is the mother of invention, and so on, so I made my own!
        https://codeberg.org/TheMeerkat/HeCAPTe

        It uses an Equihash-based puzzle (if you're unfamiliar, think of it as Argon2 but extremely cheap to verify) and no visible widget users need to interact with. It's completely invisible as anything other than a small processing delay, and its cookieless and stateless nature means you don't need to disclose it to comply with privacy law.

        I'll let the project's README speak for itself:

        HeCAPTe provides a stateless spam-prevention mechanism that respects user privacy. Unlike traditional CAPTCHAs that rely on tracking user behavior or forcing users to complete busywork, HeCAPTe requires the user’s system to solve a computational puzzle (Equihash). This “Proof-of-Work” approach makes it computationally expensive for bots to generate mass requests while remaining quick for legitimate human users on modern devices.

        • Humane: Requires no additional human interaction and presents no impediment to accessibility. Doesn’t try to extract value from the user by having them train image recognition models. Doesn’t infuriate vision-impaired users with audio from the first prototype of the telephone.
        • Embeddable: Requires nothing more than one small Go binary, a few static files (including the .wasm solver), and an SQLite database. Even the cheapest VPS can run it without a hitch.
        • Cost-Asymmetric: Expensive to solve, cheap to verify.
        • Proof-of-work: HeCAPTe uses Equihash, a memory-hard proof-of-work algorithm. Unlike simple SHA256-based puzzles, Equihash's memory requirements make it significantly more costly to solve at scale; you can’t just throw more GPUs at the problem and call it a day, but my phone solves the puzzles about as quickly as my gaming laptop.
        • Turing exam: Not quite a Turing test. Any one user submission is not, as per the original CAPTCHA vision, “proof” of humanity—but in a world with advanced OCR, services that have underpaid laborers type in answers for fractions of a penny, and even tiny local AI models that can easily solve most natural language puzzles, that vision is likely dead anyway.

        Don’t try to barricade the way for bots and stop humans along the way; just make it more expensive to spam you than they could possibly get back as profit.

        And then, since a Cloudron app was what I was trying to secure in the first place, packaging it for here just made the most sense.

        Now, extremely important warning:

        This should be considered ALPHA STATE SOFTWARE.

        I am not a professional programmer. I'm not even good at it. This is cobbled together with spit and broken dreams. I have verified that it works, doesn't cause any crazy disasters, that the Equihash logic is correct (for this simplified use case), that it has no neon-sign security holes, etc., but it's definitely missing basic comfort features I didn't personally care enough about to put in v1.0 and it hasn't exactly been through a battering ram of tests. Use this at your own risk!

        Demo

        The default demo page is up and running at https://hecate.eris.host/. Use the site ID ab2946a4e8af5dbaef82419450267ebd to test its default parameters. Now imagine it was a contact form, and "I am not a robot" was just labelled "Submit". I'd like to think that's a fair bit better of an experience than most security checks.

        Install

        Again: please see the bolded text about alpha state software.

        To install as a Community App, enter this when requested:
        https://codeberg.org/TheMeerkat/HeCAPTe/raw/branch/main/CloudronVersions.json

        Contribute!

        Please give me feedback on how useful you'd find this and any obvious issues you see with it! This thread is the only place I'm really advertising this to start with. If any actual-developers-for-real want to offer code contributions to the Codeberg repositories, I'd basically cry from pure elation. It's FOSS software!

        Also, monetary support is never expected but always dearly appreciated.
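
The solve/verify cost asymmetry described in the post above, as an added Go example that is not HeCAPTe's code: it uses the simplest two-input case of the generalized birthday problem that Equihash builds on, with SHA-256 as a stand-in hash. Real Equihash requires 2^k inputs plus ordering and intermediate-collision conditions, which this toy does not reproduce; the seed, function names and bit widths are assumptions chosen for illustration.

```go
package main

import (
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// digest returns the first nBits (1..32 here) of SHA-256(seed || index).
func digest(seed []byte, index uint32, nBits uint) uint64 {
	buf := make([]byte, len(seed)+4)
	copy(buf, seed)
	binary.BigEndian.PutUint32(buf[len(seed):], index)
	sum := sha256.Sum256(buf)
	return binary.BigEndian.Uint64(sum[:8]) >> (64 - nBits)
}

// Solve searches for i < j with digest(i) XOR digest(j) == 0.
// It returns the pair and the number of hashes computed, which is
// also roughly the number of table entries the solver had to keep.
func Solve(seed []byte, nBits uint) (i, j uint32, hashes int) {
	seen := make(map[uint64]uint32)
	for idx := uint32(0); ; idx++ {
		d := digest(seed, idx, nBits)
		if prev, ok := seen[d]; ok {
			return prev, idx, int(idx) + 1
		}
		seen[d] = idx
	}
}

// Verify costs two hashes no matter how long the search took.
// Requiring i < j rejects the trivial pair (i, i) and reordered duplicates.
func Verify(seed []byte, i, j uint32, nBits uint) bool {
	return i < j && digest(seed, i, nBits)^digest(seed, j, nBits) == 0
}

func main() {
	seed := []byte("constructed-challenge-seed") // constructed sample value
	i, j, hashes := Solve(seed, 32)
	fmt.Printf("solver: %d hashes; verifier: 2 hashes; valid=%v\n",
		hashes, Verify(seed, i, j, 32))
}
```
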

        timconsidine
        App Dev
        wrote on last edited by
        #9

        @TheMeerkat awesome!
        Congratulations and thank you for the great work
        Looking forward to trying it out

        Indie app dev, scratching my itches, lover of Cloudron PaaS, communityapps.appx.uk

        1 Reply Last reply
        2
          TheMeerkat
          wrote on last edited by
          #10

          new! Updated to 1.0.1.

          codeberg.org/themeerkat/hecapte-cloudron:1.0.1

          I added customization options: renaming sites, deleting sites, and specifying CORS(!) on registration. This should make it a lot easier to use.

          1 Reply Last reply
          4
            TheMeerkat
            wrote on last edited by TheMeerkat
            #11

            new! Updated to 1.0.2, after a hefty delay. Sorry about that.

            I significantly improved the security of the project, most importantly. Not far behind, refactoring the entire /admin panel to be... well, an actual admin panel. It's been redone almost from the ground up for maintainability going forward. Finally, it's more resilient to OOM bugs in unlucky situations.

            codeberg.org/themeerkat/hecapte-cloudron:1.0.2

            Nope. Tested all of the local code to within an inch of its life; tested the Docker image locally; then watched as it completely shattered into splinters as I tried to update the demo site running on Cloudron. 💀 Good lesson to learn before I embarrass myself publicly, next time?

            Please keep using 1.0.1 for right now (if anyone's using it at all). I need to sleep right now, but I'll take another look in the morning.

            1 Reply Last reply
            2
              james
              Staff
              wrote on last edited by
              #12

              Hello @themeerkat

              With Cloudron 9.1 we have added community app support.
              Please check the latest documentation for package publishing https://docs.cloudron.io/packaging/publishing
              Could you update your repo to include these changes?

              TheMeerkatT 1 Reply Last reply
              2
                TheMeerkat
                wrote on last edited by
                #13

                @james said:

                Hello @themeerkat

                With Cloudron 9.1 we have added community app support.
                Please check the latest documentation for package publishing https://docs.cloudron.io/packaging/publishing
                Could you update your repo to include these changes?

                Done. Also, the issue with the previous version is now resolved!

                To install it as a community app, use this link:
                https://codeberg.org/TheMeerkat/HeCAPTe-Cloudron/raw/branch/main/CloudronVersions.json

                1 Reply Last reply
                6
                  james
                  Staff
                  wrote on last edited by
                  #14

                  Hello @themeerkat
                  I have added your package to the list: https://forum.cloudron.io/topic/15172/community-apps

                  1 Reply Last reply
                  4
                    TheMeerkat
                    wrote last edited by
                    #15

                    Massive 2.0 update. Following SemVer, that means a breaking change, and... yeah, it's breaking all right!

                    I've consolidated the two repositories and made several improvements that did, unfortunately, invalidate existing installs; I figured it was best to do this now, while everything is still early. It does mean that updates of the old app are no longer possible, however. You will need to reinstall from scratch as a new community app with https://codeberg.org/TheMeerkat/HeCAPTe/raw/branch/main/CloudronVersions.json as the source file.

                    Sorry about this. It allowed for me to implement the requested aliasing, plus made it much easier for me to localize it (per a Codeberg issue) in the future. I won't have to do that again.

                    @james Could you update the link to the versions file in the masterlist, please?

                    1 Reply Last reply
                    1
                      james
                      Staff
                      wrote last edited by
                      #16

                      Hello @themeerkat
                      I have updated both URLs and made you an editor for the detailed post https://forum.cloudron.io/post/121505
                      Now you can edit this one freely.

                      1 Reply Last reply
                      1
