Cloudflare recently announced that Turnstile is now generally available and free for everyone. Positioned as an alternative to traditional challenge-response tests, Turnstile is a checkbox widget intended to preserve user privacy, stop bots, and improve the user experience.
Introduced in preview one year ago as a "user-friendly, privacy-preserving alternative to CAPTCHA", Turnstile relies on machine learning models that detect common features of end visitors who have successfully completed a challenge before.
Source: Cloudflare blog
Turnstile chooses from a rotating suite of browser challenges to check that visitors to a webpage are not bots. According to the documentation, the computational hardness of those initial challenges may vary by visitor.
The service leverages the same technology behind Managed Challenge but it allows customers to run challenges anywhere on their site without requiring the use of Cloudflare’s CDN. Benedikt Wolters, technical lead at Cloudflare, Maxime Guerreiro, principal software engineer at Cloudflare, and Adam Martinetti, product manager at Cloudflare, write:
Now that we’ve eliminated CAPTCHAs at Cloudflare, we want to make it easy for anyone to do the same, even if they don’t use other Cloudflare services. We’ve decoupled Turnstile from our platform so that any website operator on any platform can use it just by adding a few lines of code.
Troy Hunt, founder and CEO of Have I Been Pwned, shows how to fight API Bots with Turnstile and comments:
I don't know exactly what Cloudflare is doing in that challenge (...) What I do know is that Cloudflare sees about 20% of the internet's traffic and because of that, they're in an unrivaled position to look at a request and make a determination on its legitimacy.
To function properly, Turnstile requires the following script snippet in the <head> element of the page:
<script src="https://challenges.cloudflare.com/turnstile/v0/api.js" async defer></script>
The documentation shows how to initialize and customize the Turnstile widget via implicit or explicit rendering, and how to validate the resulting token server-side: the widget places a token in the form field cf-turnstile-response, and the server must submit that token, together with the widget's secret key, to the siteverify endpoint before trusting the request.
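As an added illustration of that server-side step (this is not code from the article or from Cloudflare), the Node.js function below posts a token to the siteverify endpoint and refuses the request unless Cloudflare reports success and the returned hostname and action match what this endpoint expects. The siteverify URL, the form parameters (secret, response, remoteip) and the response fields (success, challenge_ts, hostname, action, error-codes) are those documented by Cloudflare; the token values, the "example.com" hostname and the fakeSiteverify stand-in that answers in place of the real endpoint are constructed here so the example runs offline.

```javascript
// Added example: server-side validation of a Turnstile token in Node.js.
// Not the article's or Cloudflare's own code. The client-side widget puts the
// token in the form field "cf-turnstile-response"; the server must never
// treat that field as proof by itself but forward it to siteverify.

const SITEVERIFY_URL = "https://challenges.cloudflare.com/turnstile/v0/siteverify";

// `expected` carries the hostname and widget action this endpoint is willing
// to accept, so a token minted on another site or another widget is rejected
// even though Cloudflare reports success for it. `fetchImpl` is injectable so
// the function can be exercised offline; in production omit it and the global
// fetch (Node 18+) is used.
async function verifyTurnstileToken({ token, secret, remoteip, expected = {}, fetchImpl = globalThis.fetch }) {
  // The token is an opaque string; reject anything else before calling out.
  if (typeof token !== "string" || token.length === 0 || token.length > 2048) {
    return { ok: false, reason: "missing-or-malformed-token" };
  }
  const body = new URLSearchParams({ secret, response: token });
  if (remoteip) body.set("remoteip", remoteip);

  let result;
  try {
    const res = await fetchImpl(SITEVERIFY_URL, {
      method: "POST",
      headers: { "content-type": "application/x-www-form-urlencoded" },
      body: body.toString(),
    });
    result = await res.json();
  } catch (err) {
    // Fail closed: an unreachable verifier is not a pass.
    return { ok: false, reason: "siteverify-unreachable" };
  }

  if (result.success !== true) {
    return { ok: false, reason: "rejected", errorCodes: result["error-codes"] || [] };
  }
  // The token is bound to the hostname the widget ran on and to the action
  // configured on the widget (data-action); check both.
  if (expected.hostname && result.hostname !== expected.hostname) {
    return { ok: false, reason: "hostname-mismatch" };
  }
  if (expected.action && result.action !== expected.action) {
    return { ok: false, reason: "action-mismatch" };
  }
  return { ok: true, challengeTs: result.challenge_ts, hostname: result.hostname };
}

// Constructed stand-in for the siteverify endpoint so the example runs
// offline. It answers for two constructed tokens and rejects everything else
// with the documented error code for an invalid token.
function fakeSiteverify(url, init) {
  const token = new URLSearchParams(init.body).get("response");
  const answers = {
    "tok-good":  { success: true, challenge_ts: "2023-09-20T10:00:00.000Z", hostname: "example.com",  action: "login" },
    "tok-other": { success: true, challenge_ts: "2023-09-20T10:00:00.000Z", hostname: "evil.example", action: "login" },
  };
  const payload = answers[token] || { success: false, "error-codes": ["invalid-input-response"] };
  return Promise.resolve({ json: () => Promise.resolve(payload) });
}

// Walk through the four outcomes a login handler has to distinguish.
async function demo() {
  const expected = { hostname: "example.com", action: "login" };
  const secret = "0x-constructed-secret"; // constructed; the real key comes from the dashboard
  for (const token of ["tok-good", "tok-other", "tok-forged", ""]) {
    const verdict = await verifyTurnstileToken({ token, secret, expected, fetchImpl: fakeSiteverify });
    console.log(JSON.stringify(token), "->", JSON.stringify(verdict));
  }
}

demo().catch((e) => { console.error(e); process.exitCode = 1; });
```

The hostname and action checks are what turn a generic "a human solved a challenge somewhere" signal into "a human solved the challenge on this site for this form"; without them a token harvested on an attacker-controlled page that uses the same sitekey would verify just as well. Tokens are also single-use and short-lived on Cloudflare's side, so a handler should verify immediately and never cache a verdict across requests.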
According to Cloudflare, Turnstile is designed to be privacy-focused: it does not rely on tracking user data to decide whether a visitor is a bot, which Cloudflare states meets the requirements of the ePrivacy Directive, GDPR and CCPA. Discussing how Turnstile compares to CAPTCHA, Wolters, Guerreiro, and Martinetti add:
For over one year, we used our Managed Challenge to rotate between CAPTCHAs and our own Turnstile challenge to compare our effectiveness. We found that even without asking users for any interactivity at all, Turnstile was just as effective as a CAPTCHA.
While some developers question the effectiveness of the solution, Dominic Kirby, director of cloud services at Pax8, comments:
I've been trying out Cloudflare Turnstile on some of my projects and I really like it! Definitely worth a look to replace other, less friendly bot fighting tools for your inputs.
Osma Ahvenlampi, an independent consultant, adds:
The idea of CAPTCHA was to put something on web pages bots can't pass, but humans can. We know this sucks because bots can read text and classify images now.
Turnstile Enterprise includes SaaS platform support and a visible mode without the Cloudflare logo. A pay-as-you-go option for advanced features is expected in early 2024. The source code of a demo is available on GitHub.