How to Tell If a Website Uses Cloudflare Turnstile
Cloudflare Turnstile is a privacy-first, frictionless CAPTCHA alternative. Detect it via the challenges.cloudflare.com/turnstile/v0/api.js script, the cf-turnstile div and the turnstile global.
Cloudflare Turnstile is Cloudflare's privacy-first, frictionless CAPTCHA alternative — it verifies that visitors are human, often without making them solve a puzzle. Because it loads from a distinctive Cloudflare host and renders a marked widget, detecting it is straightforward: look for the challenges.cloudflare.com/turnstile/v0/api.js script and a cf-turnstile element with a data-sitekey. This guide covers every reliable signal, the architecture behind them, the other CAPTCHA services to distinguish it from, the important caveat that Turnstile does not imply Cloudflare's CDN, and what Turnstile usage tells you about the site's approach to security and conversion.
What is Cloudflare Turnstile?
Turnstile, launched by Cloudflare in 2022, is a CAPTCHA-alternative designed to protect forms and endpoints from bots while minimising friction for real users. Instead of image puzzles, it runs a series of lightweight, privacy-preserving browser challenges and behavioural signals to decide whether a visitor is human, frequently passing them through with no interaction at all. It is positioned as a privacy-first option (no tracking-for-ads, GDPR-friendly) and a free, modern replacement for reCAPTCHA and hCaptcha. Crucially, it is a standalone product: any website can embed Turnstile regardless of whether it uses Cloudflare's CDN.
For detection, the key context is that Turnstile is a security control that protects forms and actions from automation, chosen for its low friction and privacy stance. Finding it tells you the site defends against bot abuse — spam, fake sign-ups, credential stuffing — with a modern challenge. Importantly, its presence does not by itself prove the site runs on Cloudflare's CDN (you check that with response headers separately). Because Turnstile loads from a clear Cloudflare host and renders a marked widget, it is easy to confirm on a protected form.
How Turnstile loads and renders
A Turnstile install loads the API script from https://challenges.cloudflare.com/turnstile/v0/api.js and renders into elements that carry the class cf-turnstile with a data-sitekey attribute (the public key for the site's Turnstile widget). The script finds these elements and injects the challenge, which runs inside an iframe served from challenges.cloudflare.com. At runtime it exposes the global window.turnstile object, with methods like turnstile.render, turnstile.execute, turnstile.getResponse and turnstile.reset.
Turnstile supports managed, non-interactive and invisible modes, but in all cases the api.js script, the data-sitekey (or a programmatic render call), and the challenges.cloudflare.com iframe are present. The widget typically shows a brief "Verifying…" state and a Cloudflare-branded indicator, often clearing without a puzzle. The data-sitekey is public and identifies the widget configuration. Knowing this — the challenges.cloudflare.com/turnstile/v0/api.js script, the cf-turnstile element with data-sitekey, the turnstile global, and the challenges.cloudflare.com iframe — makes detection quick and certain.
How to tell if a website uses Cloudflare Turnstile
Confirm at least one strong signal.
1. Check the Network tab. Filter for turnstile or challenges.cloudflare.com. The turnstile/v0/api.js script and the widget iframe from challenges.cloudflare.com confirm Turnstile.
2. Inspect the widget. Find the CAPTCHA on a form and inspect it. An element with class cf-turnstile and a data-sitekey attribute, plus a challenges.cloudflare.com iframe, is the definitive signal.
3. Use the console. Type turnstile and press Enter. A returned object with render/getResponse methods confirms the API is loaded.
4. View the source. Search for turnstile or cf-turnstile. The api.js script reference and the widget markup are usually visible.
5. Read the data-sitekey. The data-sitekey identifies the Turnstile widget configuration.
What the Turnstile signals look like
<script src="https://challenges.cloudflare.com/turnstile/v0/api.js" async defer></script>
<div class="cf-turnstile" data-sitekey="0x4AAAAAAA…"></div>
window.turnstile = { render: ƒ, execute: ƒ, getResponse: ƒ, reset: ƒ, … }
<iframe src="https://challenges.cloudflare.com/cdn-cgi/challenge-platform/…"></iframe>
The combination of the challenges.cloudflare.com/turnstile/v0/api.js script, the cf-turnstile element with data-sitekey, and the challenges.cloudflare.com iframe is conclusive.
Turnstile versus other CAPTCHAs — avoiding false positives
Match the host and class to keep CAPTCHA services distinct. Turnstile uses challenges.cloudflare.com/turnstile and the cf-turnstile class with a turnstile global; Google reCAPTCHA uses google.com/recaptcha and the g-recaptcha class with a grecaptcha global; hCaptcha uses js.hcaptcha.com and the h-captcha class with an hcaptcha global. The cf-turnstile class and the challenges.cloudflare.com/turnstile host are unique to Turnstile. The important nuance is not to conflate Turnstile (a standalone CAPTCHA product) with Cloudflare's CDN/WAF: a site can use Turnstile without routing traffic through Cloudflare, and a site on Cloudflare's CDN may use a different CAPTCHA — confirm CDN usage separately via cf-ray/Server: cloudflare headers.
How reliable is each Turnstile signal?
The challenges.cloudflare.com/turnstile/v0/api.js script and the cf-turnstile element with data-sitekey are definitive, as is the challenges.cloudflare.com challenge iframe. The window.turnstile global is equally strong. The data-sitekey reliably identifies the configuration. The weakest situation is invisible/programmatic Turnstile that renders only on a specific action, so you may need to trigger the form — but the api.js script is present regardless. As a rule, the api.js host or the cf-turnstile element settles it.
What Turnstile usage reveals about a site
Finding Turnstile signals a security-conscious site that chose a modern, low-friction, privacy-respecting challenge to protect forms and actions from bots. Its adoption is growing as a free reCAPTCHA alternative, so its presence often indicates a team that recently revisited its bot protection and values both security and user experience (Turnstile's frictionlessness reduces drop-off versus puzzle CAPTCHAs). It frequently — but not always — accompanies a broader Cloudflare deployment. If you sell security, bot-management, or fraud-prevention tooling, a Turnstile site marks a security-aware team. The forms it protects (sign-up, login, contact) hint at the abuse the site is defending against, and its presence tells you the team weighs conversion friction alongside security.
What finding Turnstile means for sales, agencies and competitive research
For sales and prospecting, Turnstile marks a modern, security-and-UX-conscious team — a fit for security, bot-management and fraud tooling, and a possible indicator of Cloudflare ecosystem usage to explore further.
For agencies and consultants, finding Turnstile tells you the client values frictionless security, so engagements can address holistic bot protection, conversion-friendly security, and (if applicable) the wider Cloudflare stack.
For competitive and market research, Turnstile adoption indicates a competitor's modern, privacy-first approach to bot protection. Spotting it suggests they prioritise both security and conversion, useful when benchmarking form UX and security posture.
Turnstile in the wider security stack
Turnstile sits in the bot-and-abuse-prevention layer. It pairs with server-side validation and rate limiting on forms, and frequently — but not necessarily — with Cloudflare's broader CDN, WAF and bot-management products. Because it is privacy-first, sites using it often also run privacy-respecting analytics and consent tooling. For an auditor, the valuable details are which forms Turnstile protects, the data-sitekey, whether the site also shows Cloudflare CDN/WAF signals (cf-ray headers), and the surrounding security and privacy tools; together these reveal the site's bot-protection strategy and whether Turnstile is part of a wider Cloudflare deployment or a standalone choice. The trend is worth watching, too: as Turnstile is free and frictionless, many teams are migrating to it from reCAPTCHA, so its presence increasingly marks a site that has recently and deliberately reconsidered how it balances bot protection against the conversion cost of a traditional CAPTCHA.
A quick Turnstile confirmation walkthrough
Open the site and navigate to a form with a verification widget. Open developer tools on the Network panel and filter for turnstile or challenges.cloudflare.com — the turnstile/v0/api.js script and the challenge iframe confirm it. Inspect the widget for a cf-turnstile element with a data-sitekey. In the console, type turnstile to confirm the global. Separately, check the main document's response headers for cf-ray/Server: cloudflare to see whether the site is also on Cloudflare's CDN. The api.js host or the cf-turnstile element confirms Turnstile.
A quick Turnstile detection checklist
- Filter the Network tab for
turnstile; thechallenges.cloudflare.com/turnstile/v0/api.jsscript is conclusive. - Inspect the widget for a
cf-turnstileelement with adata-sitekey. - Confirm the challenge iframe from
challenges.cloudflare.com. - Type
turnstilein the console to confirm the global. - Don't assume Cloudflare CDN — verify separately via
cf-ray/Server: cloudflareheaders. - Distinguish Turnstile (
cf-turnstile) from reCAPTCHA (g-recaptcha) and hCaptcha (h-captcha).
Detecting Cloudflare Turnstile at scale
Checking one site is quick, but mapping CAPTCHA adoption across many domains — to track the shift to modern, frictionless challenges — calls for automation. StackOptic detects Cloudflare Turnstile and thousands of other technologies from a real browser, reading scripts, DOM markers and iframes. Turnstile's adoption curve is itself interesting to track: as a free, privacy-first, low-friction reCAPTCHA replacement, its spread across a market signals how quickly sites are modernising their bot protection and weighing conversion against security. Cross-referencing Turnstile detections with Cloudflare CDN signals also separates standalone Turnstile users from full Cloudflare deployments, a distinction worth drawing when assessing where a site sits in the Cloudflare ecosystem. For related reading, see our guide to telling if a website uses Google reCAPTCHA and the full Cloudflare Turnstile technology profile.
Frequently asked questions
What is the fastest way to tell if a site uses Cloudflare Turnstile?
Open the Network tab and filter for 'turnstile'. You will see the script load from challenges.cloudflare.com/turnstile/v0/api.js and the widget iframe from challenges.cloudflare.com. In the source, a cf-turnstile element with a data-sitekey attribute is the definitive signal.
What is the cf-turnstile div?
Cloudflare Turnstile renders into an element with the class cf-turnstile that carries a data-sitekey attribute identifying the site's Turnstile configuration. The api.js script finds these elements and injects the challenge. Finding a cf-turnstile element with a data-sitekey is a strong, characteristic Turnstile signal.
Does using Turnstile mean the site is on Cloudflare's CDN?
Not necessarily. Turnstile is a standalone CAPTCHA-alternative product that any site can embed, regardless of its CDN or hosting. So finding Turnstile confirms the CAPTCHA choice but does not by itself prove the site uses Cloudflare's CDN — check response headers (cf-ray, Server: cloudflare) separately for that.
How is Turnstile different from reCAPTCHA and hCaptcha?
Turnstile is Cloudflare's privacy-first alternative designed to be frictionless — it often verifies users without any puzzle, using browser challenges instead. Detection differs by host and class: Turnstile uses challenges.cloudflare.com and the cf-turnstile class, reCAPTCHA uses google.com/recaptcha and g-recaptcha, and hCaptcha uses js.hcaptcha.com and h-captcha.
What does it mean if a site uses Cloudflare Turnstile?
Turnstile signals a site protecting forms, logins or sign-ups from bots with a modern, low-friction, privacy-respecting challenge. Its presence indicates a security-conscious team that chose a frictionless alternative to traditional CAPTCHAs, often (though not always) within the Cloudflare ecosystem.
Analyse any website with StackOptic
Get the full technology stack, performance, security and SEO report in seconds — free.
Analyse a websiteRelated articles
How to Tell If a Website Uses Heap
Heap (Heap Analytics) autocaptures product events. Detect it via the cdn.heapanalytics.com script, the global heap object, heapanalytics.com beacons and _hp2 cookies.
How to Tell If a Website Uses Foundation
Foundation (by Zurb) is a responsive front-end framework. Detect it via its grid classes (row/columns, grid-x/cell), data-* component attributes and the foundation.css/js files.
How to Tell If a Website Uses Crisp
Crisp is a developer-friendly, affordable live-chat and messaging tool. Detect it via the client.crisp.chat/l.js script, the window.$crisp object and the CRISP_WEBSITE_ID value.