I'm the technical founder of FriendlyCaptcha [1], a privacy friendly proof of work alternative to reCaptcha that doesn't suck for end users (and also doesn't need any tracking or cookies so legal/compliance teams like it too). While not a one-man company anymore, I've been the only engineer of it for so long that I think it qualifies :)
* We use Cloudflare Workers for our API endpoints, which have given us amazing reliability and scalability (which is of course very important for our service).
* We use Cloudflare KV and Cloudflare cache for some caching and logged-in user sessions.
* Mailgun, FaunaDB, Sentry, LogDNA, Stripe, BigQuery.
* The web app is good old server-side rendered HTML and CSS with a tiny bit of JS here and there.
* The widget is open source, written in TypeScript (and as it has to run in really old browsers there's Babel to transpile). The solver inside of it and the proof of work library are AssemblyScript (i.e. WASM), with a JS fallback.
* PHP for our WordPress plugin.
The way we operate is that we provide free (or very low cost) plans for hobby users and stuff like small (WordPress) blogs to hopefully make a dent into reCAPTCHA's market share; it's a bit of a social mission. Larger companies pay for more advanced protection features, EU-only endpoints (as well as custom agreements and other paperwork). That balance has worked well for us, and even the small customers that use the free service contribute to our protection.
The past half year or so we learned that our customers that bring in the lion's share of the revenue really prefer it if we keep their processing and data in Europe (our privacy friendliness and our EU-basedness are big selling points, even more than improved UX+accessibility). So much so that we are heavily investing into that, and we are slowly moving in favor of our own infra in Hetzner (Germany).
There our tech stack is fully Golang (Fiber framework), with Redis, Postgres and Clickhouse as data stores. The way that our system works is that we look at patterns of access, and we can tweak the difficulty of the proof of work challenge on a request by request basis. One nice property is that it's not all or nothing: if we suspect a puzzle request is from a spammer they will get a rather difficult puzzle which will take a while to solve, but at least it won't lock out any false positives. Clickhouse is fantastic for this purpose (putting in millions of events is not even close to its capacity, it's lightning fast). Of course the widget itself also has the most basic of anti headless browser checks, but that will only deter the most naive spammers.
Of course no captcha system is perfect and will protect against a spammer who is willing to spend real resources (e.g. pay compute, or human labelers) to spam, but so far we're happy with its effectiveness, and it warms our hearts when we receive messages from blind or even deaf-blind users that encountered our captcha and went out of their way to say thank you :). I hope that at some point captcha labeling tasks can be a thing of the past.
[1]: https://friendlycaptcha.com
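
The per-request difficulty idea described in the post, sketched as an added example (not FriendlyCaptcha's code or puzzle format): a hashcash-style SHA-256 puzzle in which a busier client gets a harder puzzle instead of a block. The function names, the request-count thresholds and the puzzle bytes are assumptions made for illustration.

```go
package main

import (
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"math/bits"
)

// difficultyFor maps recent requests from one client to required zero bits (constructed tiers).
func difficultyFor(recentRequests int) int {
	if recentRequests < 5 {
		return 8 // ordinary visitor: ~256 hashes on average
	}
	if recentRequests < 50 {
		return 14 // elevated: ~16k hashes
	}
	return 18 // suspected spam: ~262k hashes, slower but never a hard block
}

// leadingZeroBits counts the zero bits at the front of a SHA-256 digest.
func leadingZeroBits(sum [32]byte) int {
	for i, b := range sum {
		if b != 0 {
			return i*8 + bits.LeadingZeros8(b)
		}
	}
	return 256
}

// verify is the server-side check: one hash of puzzle||nonce, whatever the difficulty.
func verify(puzzle []byte, nonce uint64, difficulty int) bool {
	buf := make([]byte, len(puzzle)+8)
	binary.BigEndian.PutUint64(buf[copy(buf, puzzle):], nonce) // copy returns len(puzzle)
	return leadingZeroBits(sha256.Sum256(buf)) >= difficulty
}

// solve is the client-side work: try nonces in order until one verifies.
func solve(puzzle []byte, difficulty int) (nonce uint64) {
	for !verify(puzzle, nonce, difficulty) {
		nonce++
	}
	return nonce
}

func main() {
	for _, seen := range []int{1, 20, 500} { // constructed request counts
		fmt.Println(seen, difficultyFor(seen), solve([]byte("constructed-puzzle"), difficultyFor(seen)))
	}
}
```

Each extra bit of difficulty doubles the expected solver work while verification stays a single hash, which is what makes a graded response cheap for the server.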