Every team that runs a content site eventually faces the same small decision with outsized consequences: how do you let readers leave a comment? The default answer for the last decade has been to paste a third-party script into the page and move on. Disqus, and the dozens of widgets like it, made comments a two-minute job. They also turned every comment box into a data collection point, an advertising surface, and an external dependency sitting in the critical path of your page load.
Payload Comments is a direct response to that trade-off. It is an open-source, self-hosted comments and reactions plugin for Payload CMS 3, and it comes from a project that has spent a lot of time thinking about what sysadmins and developers actually want from their own infrastructure: navanem.
The lab behind the plugin
navanem.com describes itself as swiss made for sysadmins, and the description is accurate. It is a solo-built security and IT lab run by Emanuel De Almeida, an IT engineer based in Geneva. The site publishes security news, curated CVE advisories, deep-dive tutorials, troubleshooting fixes, plain-English explainers, PowerShell scripts, browser-based tools, and a handful of open-source projects.
The through line across all of it is a refusal to publish anything that has not been tested in a real environment. That philosophy shapes the tools navanem ships. They are small, focused, and built to solve a problem the author actually hit, rather than to chase a feature checklist. Payload Comments is the clearest example so far.
Why hosted comments stopped making sense
Hosted comment widgets solve the wrong half of the problem. They make installation easy, but they do it by taking your readers' data off your platform and onto theirs. For anyone operating under GDPR or the Swiss nLPD, that is a real liability, not a footnote. There are three recurring costs:
- Privacy. A third-party script can see who reads what, and it ties that behaviour to a profile you do not control.
- Performance. The widget loads on every article, often pulling in hundreds of kilobytes of scripts and trackers.
- Ownership. Your discussion history lives in someone else's database, exportable only on their terms, and gone the day they change their pricing.
For a Payload site, none of that is necessary. You already run a database and an admin panel. The comments may as well live there too.
What Payload Comments actually does
The plugin adds anonymous comments and reactions to any Payload collection you choose, with no visitor accounts and no external service. Readers comment with a mood emoji, react to other comments, and reply in threads up to three levels deep. Everything is stored as a native Payload collection, which means you can query it, back it up, and moderate it with the tools you already use.
Version 0.3.0 added Markdown comment bodies, restricted to a safe subset such as bold, italic, strikethrough, inline code, links, lists and blockquotes, so commenters get formatting without opening an XSS hole. The same release moved the moderation toggle into the admin Settings, so you can switch pre-publish approval on or off at runtime without a redeploy.
On the moderation side you get a standard collection with status tracking across pending, approved, spam and trash, plus bulk actions. A dedicated statistics view at /admin/comments-statistics breaks down volume by status, by collection and by mood, and reports reaction counts and daily rates. It is the kind of operational visibility you normally have to bolt on yourself.
Built to be defended, not just installed
Anonymous commenting invites abuse, so the anti-spam work is not an afterthought. Payload Comments ships with a honeypot field, per-IP rate limiting, salted IP hashing rather than raw IP storage, and configurable rules for length and links. Raw HTML is never rendered, and a mandatory approval mode is available when you want every comment reviewed before it appears.
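The defences listed above, sketched as an added TypeScript example that is not the plugin's own code. The type names, the limits, the `website` honeypot field name and the choice of HMAC-SHA-256 keyed with the salt are assumptions made for illustration; the page does not state how the plugin implements them.

```typescript
import { createHmac } from "node:crypto";

// Assumed shapes and limits for illustration; not the plugin's real API or defaults.
type Submission = { ip: string; body: string; website?: string }; // `website` = hidden honeypot input
type Verdict = { ok: true; ipHash: string } | { ok: false; reason: string };

const RULES = { minLen: 3, maxLen: 2000, maxLinks: 2, windowMs: 60000, maxPerWindow: 3 };
const hits = new Map<string, number[]>(); // ipHash -> timestamps of recent accepted submissions

// Keyed hash of the address. The IPv4 space is small enough to enumerate, so an
// unkeyed hash is reversible by brute force; the server-side salt prevents that.
function hashIp(ip: string, salt: string): string {
  return createHmac("sha256", salt).update(ip.trim().toLowerCase()).digest("hex");
}

function checkSubmission(s: Submission, salt: string, now: number = Date.now()): Verdict {
  // 1. Honeypot: real readers never see the field, so any value marks a bot.
  if (s.website && s.website.trim() !== "") return { ok: false, reason: "honeypot" };

  // 2. Length and link rules, applied to the trimmed body.
  const body = s.body.trim();
  if (body.length < RULES.minLen || body.length > RULES.maxLen) {
    return { ok: false, reason: "length" };
  }
  const links = body.match(/https?:\/\/|www\./gi) ?? [];
  if (links.length > RULES.maxLinks) return { ok: false, reason: "links" };

  // 3. Sliding-window rate limit keyed on the hash; the raw IP is never stored.
  const ipHash = hashIp(s.ip, salt);
  const recent = (hits.get(ipHash) ?? []).filter((t) => now - t < RULES.windowMs);
  if (recent.length >= RULES.maxPerWindow) {
    hits.set(ipHash, recent);
    return { ok: false, reason: "rate_limit" };
  }
  recent.push(now);
  hits.set(ipHash, recent);
  return { ok: true, ipHash }; // persist ipHash with the comment, never s.ip
}
```

The in-memory `Map` only works for a single process; a multi-instance deployment would need a shared store for the counters.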
Getting started is one command:
pnpm add @navanem/payload-comments
From there you enable the collections you want, set requireApproval and requireEmail to taste, and provide a COMMENTS_IP_SALT. You can drop in the ready-made React component or build your own front end against the REST API at /api/comments-api/*. The plugin is TypeScript-first and MIT-licensed, so the whole thing is yours to read, extend and audit.
The bigger point
Payload Comments is a small plugin, but it represents a position. Engagement features do not have to come at the cost of your readers' privacy or your control over your own stack. If you are already running Payload, you can have threaded, moderated, analytics-backed comments that never make a single external request, for the price of one dependency and a few minutes of configuration.
That is the navanem approach in miniature: take a problem every sysadmin recognises, solve it properly, and give the result away. You can read the full breakdown on the project page, or go straight to the source on GitHub.



