ziscus

Zero-JavaScript anonymous comments for static sites.

ziscus is an embeddable comment system that requires no client-side JavaScript and no user accounts. Visitors leave comments through plain HTML forms. Comments are stored in Cloudflare D1 (SQLite at the edge) and baked into your static pages at build time. Moderation and anti-spam are built in.

Source on GitHub

ziscus vs giscus

	giscus	ziscus
Client JS	Required (iframe + script)	None. Pure HTML forms
Auth	GitHub account required	Anonymous
Storage	GitHub Discussions	Cloudflare D1 (SQLite)
Moderation	GitHub built-in	Approve / reject / spam / ban
Anti-spam	GitHub rate limits	Honeypot + rate limit + URL filter + IP ban
Self-hosted	Optional	Required (your Cloudflare account)

How it works

  Visitor submits HTML form
          |
          v
  POST /submit ──────────────> Cloudflare Worker
                                     |
                    ┌────────────────┼────────────────┐
                    v                v                v
               Honeypot         Rate limit        Ban check
               (silent reject)  (5/hr per IP)     (IP hash)
                                     |
                                     v
                              Escape HTML input
                                     |
                                     v
                              Store in D1 (SQLite)
                              status: pending | approved
                                     |
                              ┌──────┴──────┐
                              v             v
                         Auto-approve   Queue for
                         (if configured) moderation
                                     |
                                     v
                              Trigger site rebuild
                              (GitHub Actions, debounced)

Anti-spam

Built in, zero configuration required:

Honeypot field — hidden input that bots fill out; silently rejected with fake success
Rate limiting — 5 comments per IP per hour (configurable)
URL filtering — rejects comments with more than 3 URLs
IP banning — manual ban list with reasons
CSRF protection — Origin/Referer validation
HTML escaping — all input escaped server-side to prevent stored XSS

Quick start

1. Deploy the Worker

cd worker
pnpm install
wrangler d1 create ziscus-comments
# update wrangler.toml with your database_id
wrangler d1 execute ziscus-comments --file=src/schema.sql
wrangler secret put ADMIN_SECRET
wrangler deploy

2. Add the form to your site

<form method="POST" action="https://your-worker.workers.dev/submit">
  <input type="hidden" name="slug" value="my-page">
  <div style="display:none">
    <input type="text" name="website" tabindex="-1">
  </div>
  <input type="text" name="author" required>
  <textarea name="body" rows="4" required></textarea>
  <button type="submit">Post Comment</button>
</form>

3. Moderate via API

# List pending
curl -H "Authorization: Bearer $SECRET" \
  https://your-worker.workers.dev/admin/comments?status=pending

# Approve
curl -X POST -H "Authorization: Bearer $SECRET" \
  https://your-worker.workers.dev/approve/COMMENT_ID

# Ban an IP
curl -X POST -H "Authorization: Bearer $SECRET" \
  -H "Content-Type: application/json" \
  -d '{"ip_hash":"...","reason":"spam"}' \
  https://your-worker.workers.dev/admin/ban

Try it

This form is a live demo — it posts to a real ziscus worker. Leave a comment.

Comments

No comments yet — be the first.