Cloudflare Turnstile

Cloudflare's CAPTCHA replacement that verifies visitors without showing challenges. Uses browser signals for invisible verification.

1 detections
1 websites tracked
Updated 25 May 2026

Websites Using Cloudflare Turnstile

What Is Cloudflare Turnstile?

Cloudflare Turnstile is a privacy-first, "CAPTCHA-free" bot challenge that website owners embed to verify that visitors are human, without forcing them to identify traffic lights or crosswalks. Launched by Cloudflare in 2022 and made generally available shortly after, Turnstile is Cloudflare's answer to the friction and privacy concerns of traditional image-based CAPTCHAs. It runs a series of lightweight, non-interactive browser checks in the background and issues a verification token, typically without ever interrupting the user.

Answer-first: if a website verifies you are human using a small Cloudflare widget that mostly shows a brief "Verifying..." state instead of an image puzzle, and the script loads from challenges.cloudflare.com, the site is using Turnstile. It competes directly with Google reCAPTCHA and hCaptcha but markets a frictionless, puzzle-free experience.

A note on sourcing: Cloudflare's own product announcements and developer documentation describe Turnstile's design goals (no puzzles, privacy preservation, availability to any site even without using Cloudflare's other services). This profile reflects those public statements and Turnstile's observable behavior. Because Cloudflare iterates on its products, verify exact mode names and behavior against the current Turnstile documentation on the Cloudflare developer site.

How Cloudflare Turnstile Works

Turnstile replaces a single hard puzzle with a rotating set of small, non-interactive challenges that run in the visitor's browser. The overall flow:

  1. Widget load. The page loads Turnstile's JavaScript API from challenges.cloudflare.com and renders a widget tied to a public site key.
  2. Background checks. Turnstile runs lightweight browser-environment tests and proof-of-work style challenges, drawing on signals Cloudflare already understands from operating a large global network.
  3. Token issuance. When the visitor passes, Turnstile produces a one-time response token. Most legitimate users never see a puzzle, just a brief verifying indicator.
  4. Server-side validation. The site's backend posts that token, plus a secret key, to Cloudflare's siteverify endpoint. Cloudflare returns a pass/fail result. As with other modern challenges, the security decision is made server-side, so a bot cannot fake success purely in the browser.

Turnstile is designed to leverage Cloudflare's existing visibility into web traffic. That network-scale context is part of why it can frequently decide a session is legitimate without showing anything intrusive.

The mechanics that replace the puzzle are worth spelling out. Instead of asking a human to solve something a bot finds hard, Turnstile asks the browser to perform small tasks and prove characteristics that automated clients struggle to fake convincingly. These can include lightweight computational challenges (a small amount of proof-of-work), checks on the browser environment, and behavioral signals gathered during the brief verification window. Each is individually modest, but rotated and combined they raise the cost of automated abuse without burdening the user. When a session looks risky, the managed mode can escalate to a visible, but still non-puzzle, interactive widget rather than dumping the visitor into an image grid.

As with hCaptcha and reCAPTCHA, it is important to be clear about Turnstile's scope. Turnstile attests that a particular client completed a challenge and produces a token your backend must verify; it is not, by itself, a firewall or a rate limiter. An endpoint that an attacker can call directly, bypassing the page that loads the widget, is not protected unless the backend insists on a valid Turnstile token for that action. Used correctly, Turnstile is one layer in a defense-in-depth strategy that also includes server-side validation and, frequently, Cloudflare's network-level protections.

How to Tell if a Website Uses Cloudflare Turnstile

Turnstile is straightforward to detect because, like other challenge widgets, it loads identifiable third-party assets and renders recognizable markup.

Script domains and network requests

The defining signal is the API script served from Cloudflare's challenges subdomain:

https://challenges.cloudflare.com/turnstile/v0/api.js

Open DevTools, switch to the Network tab, reload, and filter for challenges.cloudflare.com. You will see the turnstile/v0/api.js request and follow-up requests as the widget runs its background checks. If the widget renders, it is hosted inside an iframe from challenges.cloudflare.com.

HTML markup and the data-sitekey attribute

Use View Source or the DevTools Elements panel and search for the Turnstile container. The widget conventionally renders into a div like:

<div class="cf-turnstile" data-sitekey="0x4AAAAAAA..."></div>

The pairing of the cf-turnstile CSS class with a data-sitekey attribute is a precise, specific tell. The site key is public by design, so its presence here is expected.

JavaScript globals in the console

After the API script loads, Turnstile exposes a global object. In the DevTools Console, type:

turnstile

If Turnstile is active, this returns an object with methods such as render, execute, getResponse, reset, and remove instead of undefined. That confirms the script is not just present but initialized.

Cookies and form behavior

Turnstile is intentionally light on tracking and does not rely on cookies to follow users across sites. The most reliable behavioral signal is on submit: forms protected by Turnstile carry a hidden field named cf-turnstile-response containing the token, and the backend round-trips it to Cloudflare for verification. Watch the form action and the outbound request to confirm the token is being validated server-side.

Distinguishing Turnstile from the Cloudflare CDN

It is easy to confuse Turnstile (an opt-in widget a developer adds to a specific form) with Cloudflare's broader Managed Challenge / interstitial that appears when a whole site is proxied through Cloudflare. They are related but distinct: Turnstile is embedded deliberately on a page, while the full-page challenge is a network-level decision. A site can use one, the other, or both. To untangle whether a site is merely behind the Cloudflare CDN versus actively embedding Turnstile, see how to tell if a website uses Cloudflare or another CDN.

Tools that automate detection

  • View Source / DevTools confirm the cf-turnstile div, the api.js request, and the turnstile global.
  • Network tab reveals the challenges.cloudflare.com traffic and the verification iframe.
  • Wappalyzer and similar extensions detect Turnstile automatically.
  • Because Turnstile is frequently invisible and may be combined with a CDN-level challenge, server-side analysis is the most dependable approach. StackOptic examines scripts, the request graph, and markup from the server side to confirm Turnstile and separate it from Cloudflare's network layer. For manual context, see how to tell if a website uses reCAPTCHA and how to protect your website from bots and scrapers.

Key Features

  • No image puzzles. Most visitors complete verification without interaction, reducing friction and protecting conversion.
  • Managed and non-interactive modes. Turnstile can run in a managed mode that adapts to risk, a non-interactive mode that never blocks, or an invisible mode with no visible widget.
  • Privacy preservation. It avoids cross-site tracking cookies and minimizes data collection.
  • Free for any site. Turnstile can be used even by sites that do not route their traffic through Cloudflare.
  • Server-side verification. The siteverify step keeps the trust decision off the client.
  • Network-scale intelligence. Decisions draw on signals from Cloudflare's large global footprint.

Pros and Cons

Pros

  • Frictionless experience for legitimate users, which helps form and checkout conversion.
  • Strong privacy posture with no reliance on tracking cookies.
  • Free and available to any website, independent of other Cloudflare products.
  • Easy integration that mirrors familiar CAPTCHA patterns (site key, secret key, token).
  • Backed by Cloudflare's network-scale threat visibility.

Cons

  • Adds a dependency on a third-party (Cloudflare) and its JavaScript.
  • Effectiveness against the most sophisticated bots is not absolute; no challenge is.
  • Works best when Cloudflare can read meaningful browser signals; hardened or unusual clients may see more friction.
  • Newer than reCAPTCHA, so some legacy integrations and tutorials still assume Google's product.

Cloudflare Turnstile vs Alternatives

Turnstile, Google reCAPTCHA, and hCaptcha are the three most commonly detected challenge systems. The biggest differentiator is Turnstile's puzzle-free philosophy, but they also diverge on data handling, vendor lock-in, and the developer experience of integrating them.

CapabilityCloudflare TurnstilereCAPTCHA (v2/v3)hCaptcha
Visible image puzzlesGenerally nonev2 yes; v3 score-onlyYes, when risk is high
Privacy postureHigh, no tracking cookiesTied to Google ecosystemHigh, privacy-focused
Works without that vendor's CDNYesYesYes
Typical script domainchallenges.cloudflare.comgoogle.com/recaptchahcaptcha.com
Token field namecf-turnstile-responseg-recaptcha-responseh-captcha-response
CostFree for any siteFree tierFree tier

If a frictionless, no-puzzle experience is the priority, Turnstile is the standout. If you want a traditional challenge available for high-risk sessions or a revenue-share model, hCaptcha is the closest privacy-minded alternative. If you are deeply invested in Google's stack, reCAPTCHA remains a default choice. One migration advantage worth noting: all three share the same integration shape (a public site key in the page, a secret key on the server, and a token your backend verifies), so moving between them is usually a matter of swapping the script, the widget markup, and the verification endpoint rather than rearchitecting the form.

Use Cases

  • Login and signup forms. Stopping credential stuffing and fake accounts without annoying real users.
  • High-conversion checkout pages. Adding bot protection while preserving a smooth purchase flow.
  • Contact and lead-generation forms. Filtering spam without a puzzle that suppresses submissions.
  • Newsletter and waitlist signups. Preventing bot-inflated lists that damage email deliverability.
  • Sites avoiding Google dependencies. Teams that want bot protection without embedding Google's reCAPTCHA.
  • Accessibility-conscious flows. Forms where visual puzzles would create an accessibility barrier for some users.

Why Turnstile Detection Matters for Site Analysis

Spotting Turnstile on a site tells you several useful things at once. First, it signals a modern, friction-aware approach to bot protection: the operator chose a no-puzzle challenge, often to protect conversion on a signup, checkout, or lead form. Second, because Turnstile is most commonly deployed by teams already comfortable in the Cloudflare ecosystem, its presence frequently (though not always) hints that the site also uses other Cloudflare services, which you can confirm separately by examining response headers and the CDN layer.

The subtle part of detecting Turnstile is separating it from Cloudflare's network-level Managed Challenge. Both are Cloudflare products, both can present a small verifying widget, and both touch challenges.cloudflare.com, so a casual observer may conflate them. The distinguishing evidence is on the page: an embedded Turnstile renders a cf-turnstile div with a data-sitekey, exposes a turnstile global, and submits a cf-turnstile-response token from a specific form. A full-page Managed Challenge, by contrast, is an interstitial the network injects before the site even loads, not a widget a developer placed on a form. Reading those page-level signals, rather than just noticing a Cloudflare challenge appeared, is what lets you say with confidence that a developer deliberately integrated Turnstile.

Frequently Asked Questions

Is Cloudflare Turnstile really CAPTCHA-free?

For the vast majority of legitimate visitors, yes, the experience is a brief background verification rather than an image puzzle. Turnstile is explicitly designed to avoid traditional puzzles, though it can present a small interactive widget in higher-risk scenarios depending on the mode you choose.

Do I need to use Cloudflare's CDN to use Turnstile?

No. Cloudflare makes Turnstile available to any website for free, regardless of whether you proxy your traffic through Cloudflare. You only need to add the widget script and perform the server-side verification step.

How is Turnstile different from the Cloudflare challenge page I sometimes see?

The full-page Cloudflare challenge (Managed Challenge) is a network-level decision applied when an entire site is proxied through Cloudflare. Turnstile is a widget a developer deliberately embeds on a specific form. They can appear similar but are configured and triggered differently; a site may use either or both.

Does Turnstile track users across websites?

Cloudflare states that Turnstile is built to preserve privacy and does not use the kind of cross-site tracking cookies associated with some ad-tech CAPTCHAs. As always, review the current official documentation and reflect any third-party widget in your privacy policy.

How can I confirm a site uses Turnstile rather than reCAPTCHA?

Check the script domain and the token field name. Turnstile loads challenges.cloudflare.com/turnstile/v0/api.js, renders a cf-turnstile div, exposes a turnstile global, and submits a cf-turnstile-response field. reCAPTCHA uses Google domains, a g-recaptcha class, and a g-recaptcha-response field.

Curious which bot-protection and security stack a site runs? Drop the URL into StackOptic for a server-side technology report.