Sturnstile pass rate drop significantly when the tab is in background, we found out a hard way today, one of our download page will open in a new tab for a brief second and client is having hard time for ~5 hours, I think we broke SLA.
Tfor turnstile: does the invisible challenge become visible and display an interactive challenge... or is the invisible challenge solely just "visible" and "invisible"?
Yat least it's not that ROBLOX CAPTCHA ("Impossible" Orbit CAPTCHA) and you have to make this for 10 times in a row if there's connection interference it can take over hundred times in a row
YCloudflare Turnstile uses recent activities to detect human/robot activity, and humans can pass this with one click (even with a keyboard mouse for people who do not have a mouse).
~how to add this site.
PHello everyone, I've been using reCAPTCHA v2 for the past year or so, but recently I wanted to checkout cloudflare's turnstile... after reading a bit I found out that cloudflare's turnstile is not very good. but I feared that this mught be fake news, so I want to ask you... how good is turnstile against bots (more specifically on mobile apps)
BI'm getting an
where my-token-here is replaced with the actual token, which I got from the turnstile client component. It's expired at the very least, and could be invalid in other ways – but why am I getting
I can share the actual token too if it's helpful; I've omitted it to keep things readable.
invalid-input-secret when attempting to validate a token with the 1x0000000000000000000000000000000AA test secret and a token from the client. I've broken it down to be able to reproduce with a curl command:where my-token-here is replaced with the actual token, which I got from the turnstile client component. It's expired at the very least, and could be invalid in other ways – but why am I getting
invalid-input-secret error message, when that's definitely not the problem, especially when using the test key that should make the token always pass?I can share the actual token too if it's helpful; I've omitted it to keep things readable.
BIs that a recent change? I believe it was working with any key when I first implemented it. It would be nice if it worked with any response, but if that's not an option, at least having a more logical error message would be helpful.
BIt broke the way we bypass turnstile for our automated tests
BIf we're using a testing key with the API, why would the value of the response matter?
BI see. In our case the use of the testing key is intentional. Could a new error message be created like
hey-you're-using-a-test-key-with-a-real-response for this instead?BIt would have saved me a lot of debugging time, and I doubt I'm the only one who's run into this
BMaybe an additional property could be added to the error message?
BOr a message added to the messages array that's already there?
BAlso, this new behavior directly contradicts what's described in the docs:
Dummy secret keys should never be used in production as it will accept any response token as valid.
F:zep_check: I will remind you in 12 hours at Dec 12, 2024 at 8:38 UTC
FReminder for @Leo: update docs
Set December 11, 2024
Set December 11, 2024
Pwhich is better for defending against bots? turnstile or reCAPTCHA v2? I've heard the turnstile is bad, while others say it's a top competitor. what does your experience say?
Kwhat is the expected behavior for turnstile when developing locally and using one of the test site ids? I'd love to be able to see what it looks like so I can add proper spacing etc for when its visible to users. But locally it only pops up for a fraction of a second then goes away. Maybe is is because I see a 300030 error in the console? Or maybe that's unrelated?
FDo we know if there will be some updates related to the Turnstile Analytics? 
Particular, would be useful to have a way to see or filter by hostname since the same widget can be used on multiple zones and hostnames.
Despite we could use lables on each website where we're using it, to somehow identify it ...
Or maybe this is only available to the Enterprise Turnstile?
Particular, would be useful to have a way to see or filter by hostname since the same widget can be used on multiple zones and hostnames.
Despite we could use lables on each website where we're using it, to somehow identify it ...
Or maybe this is only available to the Enterprise Turnstile?
N@penny It’s hard to test what gets through, but what I can tell you is that in my testing reCAPTCHA on the page that I tested on doubled the page size and load time. Even worse adding it to something like Gravity forms it often loads multiple times on a page. Turnstile was way better I think adding about 20%. I was testing on Wordpress using Gravity forms.
Pgood stuff thanks
CSince there is a cap of 10 widgets per account, should I even focus on adding turnstile to my client contact forms, or will the normal bot mitigation be enough?
CI get the limit of 10 for a free account, but I do not understand why the next upgrade for turnstile is on Enterprise. How do you guys have yours set up?
TDoes the 10 hostname limit apply to Cloudflare for SaaS? I have a multi tenancy app with each customer having a domain 
TWell that's unfortunate. Is this an oversight and something that might change or intentional?
TIs there official word on that or just an assumption? It kinda seems like CloudFlare for SaaS use cases might have been overlooked in that pricing
TAll other features are based on the CloudFlare zone domain rather than "the for SaaS custom domain" e.g. rules, waf, workers, etc
e.g. rules, waf, workers, etcTYes I've seen them. As I said, most other features go off the fallback/zone hostname (not individual hostnames). I'll wait to see if there's any other answers thx
TYes, I'm aware of how it currently works. Which is why I asked in this channel if CloudFlare for SaaS use cases were overlooked and if it's something that'll change - in other words, it seems Turnstile wasn't integrated fully into CF
I appreciate the effort in your comments however they aren't constructive, thx.
I appreciate the effort in your comments however they aren't constructive, thx.
MThe alert("Erro no captcha. Por favor, tente novamente.") appears
MSolution: if (!turnstileResponse && window.turnstile) {
turnstileResponse = turnstile.getResponse();
}
turnstileResponse = turnstile.getResponse();
}
DHi all! I am customizing cloudflare turnstile for my website and when creating the widget I added the hostname values: localhost and current-hostname.test to the hostname.
but on the site itself at the address current-hostname.test I get the error [Cloudflare Turnstile] Error: 400020.
Everything is fine when developing locally on localhost
I have not found a description of the error in the doc and on the internet, does anyone know what it may be related to?
but on the site itself at the address current-hostname.test I get the error [Cloudflare Turnstile] Error: 400020.
Everything is fine when developing locally on localhost
I have not found a description of the error in the doc and on the internet, does anyone know what it may be related to?
BI have a flow that uses turnstile where I validate the hostname and the action on the validation response. I'd like force it to pass for testing, and still be able to validate the hostname and action. Now that the test secrets require a dummy token to work, it seems like this isn't possible to do. Is there a way to do it that I'm missing, or do I just need to bypass validation completely when testing?
Byes to which one?
TI told it to you in PM by big secret
I fully deobfuscated cloudflare and detected this fact inside
But where you got this info.. no idea, probably someone at Cloudflare breaks NDA
I fully deobfuscated cloudflare and detected this fact inside
But where you got this info.. no idea, probably someone at Cloudflare breaks NDA
I
Ivery real