惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Google DeepMind News
Google DeepMind News
C
CERT Recently Published Vulnerability Notes
C
Cisco Blogs
Cloudbric
Cloudbric
The Last Watchdog
The Last Watchdog
L
LINUX DO - 热门话题
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
Application and Cybersecurity Blog
Application and Cybersecurity Blog
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
Security Archives - TechRepublic
Security Archives - TechRepublic
TaoSecurity Blog
TaoSecurity Blog
V2EX - 技术
V2EX - 技术
H
Heimdal Security Blog
S
Security Affairs
L
Lohrmann on Cybersecurity
Hacker News - Newest:
Hacker News - Newest: "LLM"
Simon Willison's Weblog
Simon Willison's Weblog
WordPress大学
WordPress大学
小众软件
小众软件
Security Latest
Security Latest
AWS News Blog
AWS News Blog
Apple Machine Learning Research
Apple Machine Learning Research
GbyAI
GbyAI
Engineering at Meta
Engineering at Meta
阮一峰的网络日志
阮一峰的网络日志
罗磊的独立博客
F
Full Disclosure
S
Schneier on Security
L
LangChain Blog
MyScale Blog
MyScale Blog
Know Your Adversary
Know Your Adversary
P
Privacy International News Feed
Google Online Security Blog
Google Online Security Blog
Scott Helme
Scott Helme
Stack Overflow Blog
Stack Overflow Blog
爱范儿
爱范儿
A
Arctic Wolf
Martin Fowler
Martin Fowler
B
Blog RSS Feed
大猫的无限游戏
大猫的无限游戏
博客园 - 三生石上(FineUI控件)
The Register - Security
The Register - Security
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
博客园_首页
Latest news
Latest news
F
Fortinet All Blogs
G
GRAHAM CLULEY
T
The Exploit Database - CXSecurity.com
Hacker News: Ask HN
Hacker News: Ask HN

Flavio Copes

Workers Cache: a cache in front of your Cloudflare Worker Cloudflare Drop: drag a folder, get a live site Temporary Cloudflare accounts: agents can now deploy without signing up Moondream 3.1 on Workers AI: fast vision at the edge inferencecost.dev: what will AI inference cost you at 10k users? Sitebase: all the features your website needs, in one place StackPlan: figure out where to deploy your app, and what it How the Cloudflare Pages build cache works The Summer of Code How I generate an Open Graph image for every post New: 90 free tools for developers How I added search to my static site with Pagefind How to rebuild a Cloudflare site on a schedule Cloudflare Email Workers: run code when an email arrives Cloudflare Workers: secrets and environments Cloudflare Workers observability: logs and traces Cloudflare Analytics Engine: store and query metrics The AI Workshop (July 2026 cohort) Cloudflare Cron Triggers: run a Worker on a schedule Cloudflare Durable Objects: state that lives in one place Cloudflare Queues: run work in the background Cloudflare R2: object storage without egress fees Cloudflare KV: a key-value store for your Workers Cloudflare D1: a SQL database for your Workers Serving a website with Cloudflare Workers static assets Wrangler: the Cloudflare Workers command line tool Executor: one gateway to connect your AI agent to every tool Cloudflare Workers: your first serverless function Vercel eve: an open framework for building AI agents Flue: the open framework for building AI agents Val Town: write and deploy code in seconds A hands-on guide to The Agency, a collection of AI agents The AI Workshop (June 2026 cohort) The AI Workshop (May 2026 cohort) The AI Workshop (Apr 2026 cohort)
Cloudflare Turnstile: stop bots without annoying CAPTCHAs
Flavio Copes · 2026-07-02 · via Flavio Copes

By Flavio Copes

How to protect a form from bots with Cloudflare Turnstile. Add the widget to your page and verify the token from a Worker.

~~~

The moment you put a public form online, bots find it. Sign-up forms, contact forms, comment boxes. You need a way to tell humans from scripts.

The old answer was a CAPTCHA: squint at blurry traffic lights. Turnstile is Cloudflare’s replacement. Most of the time the user does nothing at all, it just checks a box for them in the background.

It works in two halves: a widget on your page, and a check on your server. Let me show both.

Get your keys

In the Cloudflare dashboard, you create a Turnstile widget and get two keys:

  • a site key, which is public and goes in your HTML
  • a secret key, which stays on your server

For trying things out, Cloudflare has test keys that always pass. The site key 1x00000000000000000000AA and the secret 1x0000000000000000000000000000000AA are handy while you build.

On your page, load the Turnstile script and drop in a div with your site key:

<script src="https://challenges.cloudflare.com/turnstile/v0/api.js" async defer></script>

<form method="POST" action="/submit">
  <input type="email" name="email" required />
  <div class="cf-turnstile" data-sitekey="your-site-key"></div>
  <button type="submit">Sign up</button>
</form>

That’s the whole frontend. The widget runs, and when it passes, it adds a hidden field called cf-turnstile-response to your form. That field holds a token.

Verify on the server

A token from the page isn’t proof on its own. A bot could fake the form post. So your Worker must ask Cloudflare “is this token real?” using your secret key.

export default {
  async fetch(request, env) {
    const form = await request.formData()
    const token = form.get('cf-turnstile-response')

    const result = await fetch(
      'https://challenges.cloudflare.com/turnstile/v0/siteverify',
      {
        method: 'POST',
        body: new URLSearchParams({
          secret: env.TURNSTILE_SECRET_KEY,
          response: token,
        }),
      }
    )

    const outcome = await result.json()

    if (!outcome.success) {
      return new Response('Failed the bot check', { status: 403 })
    }

    // The user is human, handle the form
    return new Response('Thanks!')
  },
}

The flow is: read the token from the form, POST it to the siteverify endpoint with your secret, and check outcome.success. Only then do you trust the submission.

Keep the secret key as a Cloudflare secret, not in your code:

npx wrangler secret put TURNSTILE_SECRET_KEY

Why I like it

Turnstile is free, it’s privacy-friendly, and for real users it’s usually invisible. No puzzles, no friction.

The one rule to never break: always verify the token on the server. The widget on its own can be bypassed. The server check is what actually stops the bots.

The full reference is in the Turnstile docs.

~~~

Related posts about cloudflare: