Protect your forms from bots without puzzles, third-party scripts, or GDPR headaches. HMAC-based integrity verification — all inside your own infrastructure.
dotnet add package CWaptcha
Three steps. All server-side. Users never see or interact with anything.
On page load your server generates a one-time nonce + field salt, stores them with a TTL, and returns a signed token to the browser.
On form submit, cwaptcha.js canonicalises the form fields and computes an HMAC-SHA256 in the browser using SubtleCrypto. No puzzle. No interaction.
Your server recomputes the HMAC, verifies the token signature, checks the honeypot, and marks the nonce as used. Bad requests are rejected before your handler runs.
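The three steps above, sketched end to end in JavaScript as an added example (not CWaptcha's own code or wire format). The token layout, the JSON canonical form, the use of the field salt as the browser-side HMAC key, and the names `issueToken`, `clientProof` and `verify` are assumptions made for illustration; the `Map` stands in for the nonce store.

```javascript
// Illustrative sketch only: token layout, canonical form and key choice are assumptions.
const crypto = require("node:crypto");

const SERVER_KEY = crypto.randomBytes(32); // server-only signing key (constructed)
const nonceStore = new Map();              // nonce -> expiry; stands in for a distributed cache
const hmac = (key, msg) => crypto.createHmac("sha256", key).update(msg).digest();

// Constant-time comparison of a hex string against the expected MAC bytes.
function sameMac(hex, expected) {
  const given = Buffer.from(String(hex || ""), "hex");
  return given.length === expected.length && crypto.timingSafeEqual(given, expected);
}

// Step 1 (page load): one-time nonce + field salt, stored with a TTL, returned in a signed token.
function issueToken(ttlMs = 600000, now = Date.now()) {
  const nonce = crypto.randomBytes(16).toString("hex");
  const salt = crypto.randomBytes(16).toString("hex");
  nonceStore.set(nonce, now + ttlMs);
  const body = `${nonce}.${salt}`;
  return `${body}.${hmac(SERVER_KEY, body).toString("hex")}`;
}

// Assumed canonical form: name-sorted [name, value] pairs as JSON, so field order does not
// matter and delimiter characters in values cannot make two different forms look identical.
function canonicalise(fields) {
  return JSON.stringify(Object.keys(fields).sort().map((k) => [k, String(fields[k])]));
}

// Step 2 (browser): stands in for the SubtleCrypto computation; Node's HMAC is used here.
function clientProof(token, fields) {
  const [nonce, salt] = token.split(".");
  return hmac(Buffer.from(salt, "hex"), nonce + canonicalise(fields)).toString("hex");
}

// Step 3 (submit): returns "ok" or the rejection reason.
function verify(token, fields, proofHex, honeypot = "cw_hp_email", now = Date.now()) {
  const [nonce, salt, sig] = String(token).split(".");
  if (!sameMac(sig, hmac(SERVER_KEY, `${nonce}.${salt}`))) return "bad-token";
  const expires = nonceStore.get(nonce);
  nonceStore.delete(nonce); // consume on first sight so a replay always fails
  if (expires === undefined || expires < now) return "nonce-used-or-expired";
  const { [honeypot]: trap = "", ...real } = fields;
  if (trap !== "") return "honeypot";
  const want = hmac(Buffer.from(salt, "hex"), nonce + canonicalise(real));
  return sameMac(proofHex, want) ? "ok" : "bad-hmac";
}
```

In this sketch the browser necessarily holds the HMAC key material, so the proof binds the submitted fields to a fresh server-issued token; the parts an automated client cannot forge or reuse are the server-side token signature and the single-use nonce.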
No puzzles, no "click all the traffic lights", no accessibility complaints. Conversion rates stay intact.
No data leaves your infrastructure. No third-party cookies. No DPA with Google or Cloudflare required.
HMAC-SHA256 integrity, constant-time comparison, one-time nonces, and honeypot — same threat model as paid alternatives.
Fully self-hosted. If Google's CAPTCHA goes down your forms keep working. No third-party SLA risk.
One package, two lines of registration. Works with Razor Pages, MVC, Umbraco Surface Controllers, and Minimal APIs.
Built-in distributed nonce store via IDistributedCache. Works with Redis, SQL Server, or any provider.
Three steps from zero to protected forms.
dotnet add package CWaptcha
builder.Services.AddCWaptcha(builder.Configuration.GetSection("CWaptcha"));
// ...
app.UseCWaptcha();
<form method="post" data-cwaptcha>
<input name="Name" required />
<button type="submit">Send</button>
</form>
<script src="/cwaptcha/cwaptcha.js" data-honeypot="cw_hp_email"></script>
CWaptcha targets the platforms where invisible, self-hosted CAPTCHA matters most.
Answer four questions and get a tailored integration guide for your exact stack.