TYPO3 Extension

sr_freecap for TYPO3

TYPO3 CAPTCHA extension without external services. Self-hosted spam protection, GDPR-compliant, no data sent to Google. Alternative to reCAPTCHA.

Why European authorities and hospitals rely on self-hosted CAPTCHA protection

Google reCAPTCHA is technically effective but legally problematic for many operators in Europe: every embedding results in personal data being transferred to Google in the United States, requires active consent under GDPR and the ePrivacy framework, and is viewed critically by several regional data protection authorities. sr_freecap is the answer to this problem: a fully self-hosted CAPTCHA extension for TYPO3 that triggers no external requests, transfers no user data to third parties and therefore works without running into the consent banner trap. The target audience is public authorities, hospitals, universities and privacy-conscious companies that need to protect forms against bot spam without taking on a new dependency on a US service.

Typical use cases

A university hospital runs a contact form for patient enquiries, an application form for nursing staff and a press enquiry form. All three are regularly attacked by bots that submit generic advertising messages or phishing attempts. Hospital IT has decided not to embed any Google services because the data protection officer wants to avoid the consent obligation. sr_freecap generates CAPTCHA images with letter combinations server-side, validates the input on its own server and never sends any information to the outside.

A second case is a city administration with around 15 online forms for citizen services, from relocation notifications to applications for residential parking permits. In an audit, the regional data protection officer explicitly recommended against using external CAPTCHAs. sr_freecap integrates with the TYPO3 form API (Powermail or the form framework) and therefore protects all forms without additional consent.

The third context is chambers and professional associations that maintain member directories, addresses or public registers. Each of these organisations runs a search form or a contact form that has to be bot-protected while preserving its privacy posture. sr_freecap offers a simple visual test that is solvable for humans and presents a noticeable hurdle for simple OCR bots.

Technical architecture: GD library, session and form API

sr_freecap generates the CAPTCHA images server-side using the GD library or ImageMagick, with GD being the default option and available out of the box in almost every PHP installation. Letters are drawn randomly from a configurable alphabet, rendered into an image with background noise and distortion and delivered to the browser. The expected plaintext is stored in the TYPO3 session and compared to the user input when the form is submitted.

Integration with forms runs through a validator for the TYPO3 form framework and through the Powermail API, where the field is embedded as an additional element in the form definition. Audio CAPTCHAs as an accessibility alternative are available in the extension but disabled by default and should be enabled for forms with a broad audience, so that users with visual impairments are not excluded. sr_freecap is configured through TypoScript, which controls the length of the CAPTCHA string, the fonts in use and the noise level.

Common problems and solutions

The first problem is readability versus security. If the CAPTCHA is distorted too heavily, even human users fail and abandon the form, which noticeably drags down the conversion rate. If it is distorted too lightly, modern OCR engines read the plaintext in seconds. The practical solution is moderate distortion combined with a honeypot field, an invisible input that sits inside the form. Humans do not fill it in, bots often do, and these submissions are silently discarded.

The second problem concerns accessibility. A purely visual CAPTCHA excludes blind and visually impaired users, which at public institutions can constitute a violation of accessibility law and corresponding technical standards. Enabling the audio mode and adding a simple arithmetic task as an alternative creates accessible paths to meet the requirement without giving up protection.

The third topic is session handling. sr_freecap stores the expected answer in the PHP session, which in load-balanced setups without session affinity or stateless TYPO3 installations leads to errors. The solution is either sticky sessions on the load balancer or a shared session backend such as Redis that all nodes use together.
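The checks described above, as an added example in plain PHP (not sr_freecap's own code and not taken from this page): the expected answer lives only in the session, is consumed by a single attempt, and a filled honeypot field discards the submission. The field names `captcha` and `website`, the session key `captcha_expected` and both function names are assumptions.

```php
<?php
declare(strict_types=1);

// Added example in plain PHP; not sr_freecap's code. Field names, the session
// key and all function names are assumptions made for illustration.

const CAPTCHA_ALPHABET = 'ABCDEFGHJKLMNPQRSTUVWXYZ23456789'; // look-alikes 0/O/1/I left out

/** Draw a challenge with a CSPRNG and remember it server-side only. */
function issueChallenge(array &$session, int $length = 5): string
{
    $word = '';
    $max = strlen(CAPTCHA_ALPHABET) - 1;
    for ($i = 0; $i < $length; $i++) {
        $word .= CAPTCHA_ALPHABET[random_int(0, $max)];
    }
    $session['captcha_expected'] = $word;
    return $word; // goes to the image renderer, never into the HTML
}

/** @return string 'accept', 'discard' (honeypot filled) or 'retry' */
function checkSubmission(array &$session, array $post): string
{
    // Single use: the stored answer is consumed by every attempt, so a
    // solved challenge cannot be replayed for further submissions.
    $expected = $session['captcha_expected'] ?? null;
    unset($session['captcha_expected']);

    // Honeypot: "website" is hidden from humans and must arrive empty.
    $trap = $post['website'] ?? '';
    if (!is_string($trap) || trim($trap) !== '') {
        return 'discard'; // caller still shows the normal success page
    }
    // No stored answer: expired session, or the request reached a node
    // that does not share the session store (the load-balancer case).
    $given = $post['captcha'] ?? null;
    if (!is_string($expected) || !is_string($given)) {
        return 'retry';
    }
    return hash_equals($expected, strtoupper(trim($given))) ? 'accept' : 'retry';
}

// Constructed demo; in a web request pass $_SESSION and $_POST instead.
$session = [];
$word = issueChallenge($session);
echo 'bot:    ', checkSubmission($session, ['captcha' => $word, 'website' => 'x']), PHP_EOL;
echo 'replay: ', checkSubmission($session, ['captcha' => $word, 'website' => '']), PHP_EOL;
$word = issueChallenge($session);
echo 'human:  ', checkSubmission($session, ['captcha' => strtolower($word), 'website' => '']), PHP_EOL;
```

On a `retry` result the form should be re-rendered with a freshly issued challenge, since the previous one has already been consumed.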

A fourth problem is effectiveness against modern bot frameworks. Simple headless browsers such as Puppeteer cannot solve visual CAPTCHAs themselves but can forward the task to an external solving service that returns the correct answer within seconds. A pure image recognition CAPTCHA is not enough against such attacks, and combining it with behaviour-based checks such as mouse movement analysis or the honeypot mentioned earlier is the more effective defence.

Migration and version compatibility

sr_freecap is one of the oldest CAPTCHA extensions for TYPO3 and has a turbulent version history: community forks exist for TYPO3 v11 and v12, while v13 compatibility varies from fork to fork. Anyone migrating to v12 or v13 today should check before the upgrade whether their extension branch is actively maintained and, if in doubt, move to a different CAPTCHA approach.

Alternatives to sr_freecap within the privacy-friendly spectrum include hCaptcha (a self-hosted variant is possible), Friendly Captcha, which is developed in Europe, and honeypot fields combined with server-side rate limiting. Gosign advises on the choice depending on form volume, user group and regulatory requirement and, where needed, builds a hybrid solution that first filters bot traffic with a honeypot and only forwards suspicious submissions to the CAPTCHA step.

For institutions that cannot embed external services for regulatory reasons, a self-hosted solution such as sr_freecap often remains the only viable choice, and the maintenance overhead is manageable. What matters is keeping the CAPTCHA protection aligned with current spam patterns and evaluating the statistics of failed attempts, so that it becomes visible when an upgrade of the distortion or a combination with other protective measures becomes worthwhile.

AI-accelerated development: 70% faster

TYPO3 Update & GDPR Audit

We upgrade your TYPO3 installation cost-effectively to the current LTS version - including all extensions, even outdated and unmaintained ones.

All extensions migrated

Including outdated, unmaintained or custom developments.

Fixed-price offer

Transparent costs, no hidden rework.

AI-accelerated

30-50% cheaper than market average thanks to AI-assisted code analysis.

Zero data loss

Complete data migration with rollback safety.

GDPR Audit: We audit your TYPO3 installation for GDPR compliance - cookie consent, tracking, extensions, forms and hosting - and implement all measures cost-effectively.

Gosign is a Hamburg-based digital agency with 25 years of experience in TYPO3 development. We have analysed over 800 TYPO3 extensions and today develop with AI assistance up to 70% faster than with classic methods. Our clients are mid-sized companies, universities and public institutions across Europe.

Last updated: April 2026
