Skip to content

Cloudflare Turnstile Key

Service Name: Cloudflare Turnstile

Service Description: Cloudflare Turnstile is a privacy-first CAPTCHA alternative that protects websites from spam and abuse. It uses non-interactive challenges to verify legitimate users while providing a seamless experience.

Service Address: https://www.cloudflare.com/products/turnstile/

Validation Type: API Auth

IP Allow list: Does not exist at the secret level, but Cloudflare offers IP-based access rules at the service level.

Secret Access Scope: Grants access to create and manage Turnstile challenges, verify user responses, and access analytics for your Turnstile implementation.

Secret Revokement URL: https://dash.cloudflare.com/?to=/:account/turnstile

Secret Example: 0x4AAAAAAABnRqFuXXXXXXXXXXXXXXXXXX

Suspicious Activity Investigation Instructions:

  • Review Cloudflare logs for unusual verification patterns or high failure rates
  • Check for unexpected spikes in Turnstile challenge requests
  • Monitor for API calls from unauthorized domains or IP addresses
  • Examine analytics for abnormal geographic distribution of verification attempts
  • Look for attempts to bypass the Turnstile verification system

Mitigation Instructions:

  • Log in to your Cloudflare dashboard at https://dash.cloudflare.com/
  • Navigate to the Turnstile section
  • Locate the compromised site key

  • Delete the compromised key and create a new one

  • Update all implementations with the new site key
  • Consider implementing additional security measures like domain restrictions
  • Review and update your allowed domains list to restrict where the key can be

used

  • Monitor the new key for any suspicious activity