Edge Security · Bot Protection
Cloudflare Turnstile. Stop bots. Let people through.
Protect your forms, login pages, and APIs from automated abuse without frustrating the real users you are trying to serve.
Turnstile replaces traditional CAPTCHA with a non-interactive challenge that works invisibly for most users. No image puzzles. No audio challenges. Just clean bot protection that deploys in minutes.
How it works
Invisible to users. Impassable to bots.
Turnstile's challenge runs in the background as the page loads. Real users see a checkmark. Bots fail silently.
The token is validated server-side before any request is processed, so invalid submissions never reach your application.
Request arrives
A user or automated script submits a form, attempts a login, or hits a public endpoint on your web application.
Challenge issued
Turnstile issues a non-interactive challenge in the background. Real users pass without solving a puzzle. Bots fail.
Response verified
The challenge token is validated server-side before the request is processed. Invalid tokens are rejected before they reach your application.
Activity logged
Bot challenges and blocks are logged with timestamps and request metadata. You get a clear picture of what automated traffic is doing against your application over time.
What's protected
Every entry point, covered.
Turnstile protects any public-facing input on your website or application. Forms, login pages, registration flows, and API endpoints.
Login protection
Turnstile stops automated login attempts before they can reach your authentication system and test credential lists against it.
Contact form abuse
Spam submissions via public contact, quote, and enquiry forms are blocked before they reach your inbox or CRM.
Brute force prevention
High-volume automated requests to login and password reset endpoints are stopped at the edge, before reaching your server.
Credential stuffing
Automated attempts to test username and password combinations leaked from other breaches are blocked at the challenge layer.
Content scraping
Automated scraping of pricing pages, product listings, and similar content is blocked without affecting real visitors.
Account takeover
Bots targeting account recovery flows and multi-step onboarding are caught and blocked before they finish.
API endpoint abuse
Public API endpoints and webhooks are protected from automated enumeration and data harvesting by bots.
Spam registrations
Automated account creation attempts on registration and sign-up flows are stopped without adding friction to real new users.
Why not reCAPTCHA?
Google reCAPTCHA works, but it comes with tradeoffs most businesses don't think about until they have to.
- No image puzzles or interaction required for real users
- No Google ad-tracking data collected from your visitors
- Privacy-preserving: no fingerprinting beyond challenge verification
- Free tier available with no usage limits for standard deployments
- Faster page load: no heavy reCAPTCHA JS bundle to load
What Turnstile doesn't cover
Turnstile is an edge-layer control. It is one part of a broader application security posture, not a complete solution on its own.
- Won't fix vulnerabilities in your application code
- Authenticated user abuse is outside its scope
- Determined attackers with real browsers can sometimes get through
- Rate limiting on sensitive endpoints is still necessary
- Penetration testing finds what sits behind it
What you gain
Bots out. Users in.
Four concrete outcomes from Turnstile deployment, visible from the first day it is live.
Forms protected
Every public form is protected from automated submission. Real users don't have to prove they're human.
Bot traffic blocked
Automated scripts attempting credential stuffing, scraping, and form abuse are stopped before they interact with your application logic.
User experience preserved
Unlike traditional CAPTCHAs, Turnstile works invisibly for the vast majority of real users. No image puzzles, no audio challenges.
Visibility gained
You get a clear picture of automated traffic targeting your application, with logs available for incident review or compliance.
What is Cloudflare Turnstile?
Turnstile is Cloudflare's CAPTCHA replacement. It verifies whether a request comes from a real user or an automated bot using a non-interactive challenge that runs in the background. Most real users never see any prompt. It is free to use and available for any website, not just sites proxied through Cloudflare.
How is Turnstile different from Google reCAPTCHA?
Turnstile does not use image puzzles or require users to click anything in most cases. It also does not send user data to Google for ad tracking purposes. For businesses with any concern about third-party data collection on their users, Turnstile is the better choice. The protection is comparable; the experience is significantly better.
Will it affect the experience for real users?
In nearly all cases, no. Turnstile's challenge is invisible and completes in the background as the user loads the page. The only visible element is a small widget showing a checkmark. Users do not need to solve puzzles, select images, or interact with anything unless the system determines the request looks suspicious.
Does Turnstile stop all bots?
It stops the overwhelming majority of automated form submissions, credential stuffing, and spam. Sophisticated attackers with access to real browsers or headless browser farms can sometimes bypass it, which is why Turnstile should be one layer of defence rather than the only control on sensitive endpoints.
Is Turnstile included in Fortify managed security?
Turnstile can be deployed as part of a Fortify engagement when IronSights is involved in your web application security posture. It is also available as a standalone deployment on any website or web application regardless of your current security stack.
Deploys in minutes
Bot protection live the same day.
Cloudflare Turnstile is one of the fastest security controls to deploy on any web application. We can configure and validate it in a single session.