Cloudflare Turnstile Key
Service Name: Cloudflare Turnstile
Service Description: Cloudflare Turnstile is a privacy-first CAPTCHA alternative that protects websites from spam and abuse. It uses non-interactive challenges to verify legitimate users while providing a seamless experience.
Service Address: https://www.cloudflare.com/products/turnstile/
Validation Type: API Auth
IP Allow list: Does not exist at the secret level, but Cloudflare offers IP-based access rules at the service level.
Secret Access Scope: Grants access to create and manage Turnstile challenges, verify user responses, and access analytics for your Turnstile implementation.
Secret Revokement URL: https://dash.cloudflare.com/?to=/:account/turnstile
Secret Example: 0x4AAAAAAABnRqFuXXXXXXXXXXXXXXXXXX
Suspicious Activity Investigation Instructions:
- Review Cloudflare logs for unusual verification patterns or high failure rates
- Check for unexpected spikes in Turnstile challenge requests
- Monitor for API calls from unauthorized domains or IP addresses
- Examine analytics for abnormal geographic distribution of verification attempts
- Look for attempts to bypass the Turnstile verification system
Mitigation Instructions:
- Log in to your Cloudflare dashboard at https://dash.cloudflare.com/
- Navigate to the Turnstile section
-
Locate the compromised site key
-
Delete the compromised key and create a new one
- Update all implementations with the new site key
- Consider implementing additional security measures like domain restrictions
- Review and update your allowed domains list to restrict where the key can be
used
- Monitor the new key for any suspicious activity