As someone who strongly values privacy and open source, I obviously don’t want to include any proprietary commenting services on my site – Disqus or the like. Preferably, I’d want to self-host the entire thing myself, with no external requests being made at all – which includes stuff like Gravatar, Akismet, jsDelivr, etc.
However, this is a tougher task than I first expected it to be. Most solutions are either overly complex to set up, or they’ve got hard requirements to external services, or they’ve not been updated for the past year or so.
Oh, and I’ll gladly take recommendations for other solutions that meet my criteria of: open source, lightweight, and a decently active development status.
As of the time of writing this post, this very site uses Isso for its commenting functionality, and while it works well enough, it’s got a number of quirks and moderate annoyances.
For one, Isso’s “admin” interface isn’t exactly grand. Now, I’m all for minimalism and unbloated stuff, but it’s a bit too minimalistic I feel like. The lack of any sort of “user/moderator” system is one area where it falls short. Admittedly, I don’t need the ability to delegate moderators myself, but I’d expect this would be an issue for any site that’s even moderately large. A slightly bigger con is the backend’s lack of support for any sort of spam detection; this forces one to either let spambots run rampant, or manually approve each comment. Of course, it’s technically possible to implement a crude “spam check” of sorts in, for example, a reverse proxy configuration (i.e. nginx), but that’s more work than I’d like to spend on it. Not least seeing as I get, at the very most, one (actual/non-spam) comment every three months on average.
Written in Go, Remark42 looks to be a solid commenting system. Although it does have a strong focus on “social logins,” with its anonymous commenting functionality seemingly slapped on top as an afterthought.
Remark42 supports multi-site configuration, which is a really nice feature. However, there’s the issue that it uses iframes (no, not the Dark Souls kind) to inject the comments. This means that if one is using the older X-Frame-Options header with SAMEORIGIN, rather than a CSP frame-ancestors directive, then running the commenting instance on a separate subdomain will cause problems: SAMEORIGIN requires the framing page and the frame to share the exact same origin, and a different subdomain is a different origin.
I suppose I should still give it a fair try anyway, even though I’d need to reconfigure a fair share of stuff, once I’ve got more time on my hands. Though I’d still strongly prefer something along the lines of the way Isso does it.
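To make the iframe point concrete, here is an added example (my own illustration, not Remark42’s code) of what the widget-serving side can do instead of relying on X-Frame-Options: emit a CSP frame-ancestors header that names the embedding site. The allowed origins, the blog.example.org and comments.example.org host names, and the SameOrigin helper are all constructed for the example; SameOrigin only mimics the browser’s SAMEORIGIN comparison to show why it rejects a sibling subdomain.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// allowedEmbedders is the list of sites allowed to frame the comment widget.
// Constructed sample value; a real deployment lists the sites that embed it.
var allowedEmbedders = []string{"https://blog.example.org"}

// FrameAncestorsHeader builds the CSP value that replaces X-Frame-Options.
// 'self' keeps the widget frameable from its own origin; each listed origin is
// an additional allowed embedder, which X-Frame-Options has no way to express.
func FrameAncestorsHeader(origins []string) string {
	return "frame-ancestors 'self' " + strings.Join(origins, " ")
}

// EmbedHeaders wraps the widget handler and emits the CSP header on every response.
// It intentionally sets no X-Frame-Options: SAMEORIGIN is compared against the
// full origin (scheme and host), so a widget on comments.example.org framed by
// blog.example.org would be refused even though both share a parent domain.
func EmbedHeaders(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Security-Policy", FrameAncestorsHeader(allowedEmbedders))
		next.ServeHTTP(w, r)
	})
}

// SameOrigin mirrors the check a browser performs for X-Frame-Options: SAMEORIGIN
// (simplified: default ports are not normalised). It exists only to show why the
// header fails across subdomains.
func SameOrigin(a, b string) bool {
	ua, errA := url.Parse(a)
	ub, errB := url.Parse(b)
	if errA != nil || errB != nil {
		return false
	}
	return ua.Scheme == ub.Scheme && ua.Host == ub.Host
}

func main() {
	widget := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintln(w, "<!-- comment widget -->")
	})
	rec := httptest.NewRecorder()
	EmbedHeaders(widget).ServeHTTP(rec, httptest.NewRequest("GET", "/embed", nil))
	fmt.Println("CSP:", rec.Header().Get("Content-Security-Policy"))
	fmt.Println("SAMEORIGIN lets blog.example.org frame comments.example.org:",
		SameOrigin("https://blog.example.org", "https://comments.example.org"))
}
```

If both headers are sent, browsers that understand frame-ancestors ignore X-Frame-Options, so the safe migration is to add the CSP directive and then drop the old header, not to set SAMEORIGIN alongside it.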
Though not without a fair share of issues, Waline is another interesting comment system – one that I wouldn’t have had any problems trying out in full if it was a bit more polished.
While clean-looking, and seemingly decently lean on resources once you’ve got it running, there are a number of fairly big issues with it. From running it on a non-standard port, to environment variable loading, and a number of poorly documented (and sometimes entirely undocumented) variables and functions, Waline’s got more than a few irksome issues with the initial deployment.
As the project is a Node application, it brings with it all the worst bits of JS programming I loathe – including the dependency hell that it’s infamous for. Furthermore, I couldn’t even get it to build locally without a number of minor modifications – not exactly the best first impression to get. Sure, the documentation makes a grand show of how easy it is to install the “server” and load the “client,” by simply using jsDelivr, but that’s not how I would want to use it. Other issues include the difficulty of getting it to be fully self-hosted – i.e. not making any external requests, server or client side.
It also describes itself as being “very secure,” but that’s certainly not the case for a default installation. There’s no default check on domain origin, and there doesn’t look to be an option to disable image uploading. The former is supposed to be configurable via the SECURE_DOMAINS environment variable – at least that’s what the documentation says – but I’ve not got it to actually work myself; the latter doesn’t have to be a security issue by itself, but any sort of user-uploaded content beyond text is both not something I’m interested in, and prone to exploitation.
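The origin check the paragraph above wants is small enough to show in full. The following is an added example written for this post, not Waline’s code: a handler wrapper that only accepts comment submissions whose Origin (or, failing that, Referer) host is on an allowlist. The comma-separated allowlist shape is assumed to match SECURE_DOMAINS; the host names and the /api/comment path are constructed for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// ParseSecureDomains turns a comma-separated host allowlist into a lookup set.
// The comma-separated shape is assumed to match Waline's SECURE_DOMAINS variable;
// the value used in main below is constructed for the example.
func ParseSecureDomains(raw string) map[string]bool {
	allowed := make(map[string]bool)
	for _, d := range strings.Split(raw, ",") {
		d = strings.ToLower(strings.TrimSpace(d))
		if d != "" {
			allowed[d] = true
		}
	}
	return allowed
}

// requestHost extracts the host from the Origin header, falling back to Referer.
// Ports are dropped so "blog.example.org:8443" still matches "blog.example.org".
// It returns "" when neither header is present or parseable.
func requestHost(r *http.Request) string {
	for _, h := range []string{"Origin", "Referer"} {
		raw := r.Header.Get(h)
		if raw == "" {
			continue
		}
		u, err := url.Parse(raw)
		if err != nil || u.Hostname() == "" {
			continue
		}
		return strings.ToLower(u.Hostname())
	}
	return ""
}

// OriginAllowed reports whether the request's Origin (or Referer) host is allowlisted.
// A missing header counts as not allowed: browsers attach Origin to cross-site
// POSTs, so its absence on a comment submission points to a non-browser client.
func OriginAllowed(r *http.Request, allowed map[string]bool) bool {
	host := requestHost(r)
	return host != "" && allowed[host]
}

// RequireOrigin wraps a handler and rejects state-changing requests (POST, PUT,
// PATCH, DELETE) from origins that are not on the allowlist. Reads pass through.
func RequireOrigin(allowed map[string]bool, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		switch r.Method {
		case http.MethodPost, http.MethodPut, http.MethodPatch, http.MethodDelete:
			if !OriginAllowed(r, allowed) {
				http.Error(w, "origin not allowed", http.StatusForbidden)
				return
			}
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	// Constructed allowlist standing in for the SECURE_DOMAINS value.
	allowed := ParseSecureDomains("blog.example.org, example.net")
	api := RequireOrigin(allowed, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintln(w, "comment stored")
	}))
	for _, origin := range []string{"https://blog.example.org", "https://evil.example.com", ""} {
		req := httptest.NewRequest("POST", "/api/comment", strings.NewReader("{}"))
		if origin != "" {
			req.Header.Set("Origin", origin)
		}
		rec := httptest.NewRecorder()
		api.ServeHTTP(rec, req)
		fmt.Printf("origin %q -> %d\n", origin, rec.Code)
	}
}
```

This is a defence against other sites posting comments through a visitor’s browser, not a substitute for authentication or spam filtering: Origin is set by the browser and cannot be forged by page script, but any non-browser client can send whatever it likes, which is exactly why a rate limit or moderation queue still belongs behind it.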
By the looks of it, Commento seems to have been abandoned, or is limping along on life-support. Multiple links on its commercial(!) homepage are broken, and the source repository itself hasn’t had any new commits for over eight months.
Given the lack of activity, I can’t justify putting time into even trying it out, nor subsequently comment on its functionality. However, even if I did have the time to try it, the hard PostgreSQL requirement would be a deal-breaker anyway. Running yet another SQL server just for a commenting system is just not an option, nor would I want to waste the time to maintain yet another database in either case.