Frequently Asked Questions
How does Content-Security-Policy need to be configured for Turnstile?
The HTTP Content-Security-Policy response header allows website administrators to control resources the user agent is allowed to load for a given page.
We recommend using the nonce-based approach documented with CSP3. Make sure to include your nonce in the api.js
script tag and we will handle the rest. Cloudflare Turnstile works with strict-dynamic.
Alternatively, add the following values to the directives:
- script-src:
https://challenges.cloudflare.com
- frame-src:
https://challenges.cloudflare.com
We recommend validating your CSP with Google’s CSP Evaluator.
What is Visitor Solve Rate?
A full Turnstile Challenge Token Flow consists of a few things:
- A challenge is rendered (issued).
- A challenge is solved on the front end and a token is harvested (solved).
- The token is passed to siteverify, and it is consumed (siteverified).
Visitor Solve Rate is the percentage of tokens that were issued but have not necessarily been siteverified compared to issued challenges.
What is API Solve Rate?
What is the difference between action and cData?
Action can be used in analytics and is more limited in size. It should identify different pages in a website where a widget is used.
Action should not contain any personally identifiable information (PII) as this is placed into the analytics.
cData is not stored in our analytics. It can contain data that may vary by each challenge instance.
Both cData and action are returned by the siteverify API if a valid token is presented.
Can a Turnstile token be used twice?
How long is a Turnstile token valid for before it is rejected by siteverify?
What happens if the user takes longer than five minutes?
turnstile.reset
function. Why does a Turnstile token need to be verified using siteverify?
Turnstile is a front-end widget that creates a token which is cryptographically secured. However, the customer cannot check the validity of the token on their end.
To ensure that a token is not forged by an attacker or has not been consumed yet, the customer needs to check the validity of a token using Cloudflare’s siteverify API.
Can the front end use siteverify?
Can I use Turnstile when developing locally?
Dummy sitekeys can be used from any domain, including on localhost
.
Cloudflare recommends that sitekeys used in production do not allow local domains (localhost
, 127.0.0.1
), but users can choose to add local domains to the list of allowed domains.
Refer to Testing for more information.
What is the length of a Turnstile token?
What is challenges.cloudflare.com, and why does my application connect to this origin?
challenges.cloudflare.com
. Can I use Turnstile to protect a React Native application?
Are there sitekeys and secret keys that can be used for testing?
Is there an API to create or manage Turnstile widgets?
Yes, you can refer to the Turnstile API documentation to manage your widgets.
I am seeing a 401 error in your console during a Turnstile security check, is this a problem?
You can safely ignore the error. It is requesting a Private Access Token (PAT) that your device or browser does not support yet.