Spam Protection

Cloudflare Turnstile

Protect your forms with Cloudflare's low-friction CAPTCHA alternative

Cloudflare Turnstile helps protect your forms from automated spam without relying on traditional image puzzles. Static Forms supports Cloudflare Turnstile on paid plans and verifies tokens server-side using your saved secret key.

Need the strategic overview?

If you're evaluating Turnstile or want a rollout checklist, read the Cloudflare Turnstile best practices guide. If you're implementing now, this page has the exact setup details.

Paid Feature

Cloudflare Turnstile is available on Pro and Advanced plans. Upgrade your plan if you want to use it in production.

Why teams choose Cloudflare Turnstile

✅ Minimal user interruption
✅ No Google dependency
✅ Strong default experience for modern sites

What Static Forms expects

✅ Cloudflare Turnstile secret key saved in dashboard
✅ Site key kept in your form HTML or frontend app
✅ Token submitted as cf-turnstile-response

Create Your Cloudflare Turnstile Widget

Open the Cloudflare dashboard

Go to Cloudflare Turnstile and create a widget for your site.

Register your domains

Add the domains where your form will run, including localhost if you want to test locally.

Copy your keys

Cloudflare gives you a site key and a secret key. The site key is public and goes in your form code. The secret key stays in Static Forms settings.

Save your secret key in Static Forms

Open Settings → CAPTCHA, switch to Cloudflare Turnstile, paste your secret key, and save.

Implementation Checklist

Create your Turnstile widget and copy both keys
Register production, staging, preview, and localhost domains as needed
Save only the secret key in Settings → CAPTCHA
Add the widget with your site key in the frontend
Confirm your form submits cf-turnstile-response
Run a real submission test before launch

Framework setup

Turnstile does not require a React package. In React and Next.js, you load Cloudflare's script, render the widget client-side, and append cf-turnstile-response before posting to Static Forms.

Framework Examples

Choose the version that matches your stack. Each example uses the correct widget script, response field, and Static Forms submission flow.

contact-form.html

Key Points

Use the site key in your HTML, not the secret key
Keep the token field name as cf-turnstile-response
Save the secret key only in Static Forms dashboard settings
Render Turnstile on the client and reset the widget after submission when you need a fresh token

Environment Variables

Keep the site key in a public frontend environment variable and save the secret key only in Static Forms settings.

Bash

React Notes

Use the explicit render script when you want to mount the widget inside a client component
Append the token as cf-turnstile-response before submitting
Reset the widget after a failed or successful submission if you need a fresh token

Troubleshooting

Cloudflare Turnstile token rejected

Make sure the token is submitted as cf-turnstile-response and that the secret key saved in Static Forms matches the widget site key you are using.

Widget does not load

Confirm the Cloudflare Turnstile script is loaded, your domain is allowed in Cloudflare, and any ad blockers or CSP rules are not blocking the Cloudflare challenge domain.

Compare providers

Want to compare options? See the Spam Protection overview, reCAPTCHA guide, and ALTCHA guide.

reCAPTCHA

hCaptcha

Spam Protection

Cloudflare Turnstile

Protect your forms with Cloudflare's low-friction CAPTCHA alternative

Need the strategic overview?

If you're evaluating Turnstile or want a rollout checklist, read the Cloudflare Turnstile best practices guide. If you're implementing now, this page has the exact setup details.

Paid Feature

Cloudflare Turnstile is available on Pro and Advanced plans. Upgrade your plan if you want to use it in production.

Why teams choose Cloudflare Turnstile

✅ Minimal user interruption
✅ No Google dependency
✅ Strong default experience for modern sites

What Static Forms expects

✅ Cloudflare Turnstile secret key saved in dashboard
✅ Site key kept in your form HTML or frontend app
✅ Token submitted as cf-turnstile-response

Create Your Cloudflare Turnstile Widget

Open the Cloudflare dashboard

Go to Cloudflare Turnstile and create a widget for your site.

Register your domains

Add the domains where your form will run, including localhost if you want to test locally.

Copy your keys

Cloudflare gives you a site key and a secret key. The site key is public and goes in your form code. The secret key stays in Static Forms settings.

Save your secret key in Static Forms

Open Settings → CAPTCHA, switch to Cloudflare Turnstile, paste your secret key, and save.

Implementation Checklist

Create your Turnstile widget and copy both keys
Register production, staging, preview, and localhost domains as needed
Save only the secret key in Settings → CAPTCHA
Add the widget with your site key in the frontend
Confirm your form submits cf-turnstile-response
Run a real submission test before launch

Framework setup

Turnstile does not require a React package. In React and Next.js, you load Cloudflare's script, render the widget client-side, and append cf-turnstile-response before posting to Static Forms.

Framework Examples

Choose the version that matches your stack. Each example uses the correct widget script, response field, and Static Forms submission flow.

contact-form.html

Key Points

Use the site key in your HTML, not the secret key
Keep the token field name as cf-turnstile-response
Save the secret key only in Static Forms dashboard settings
Render Turnstile on the client and reset the widget after submission when you need a fresh token

Environment Variables

Keep the site key in a public frontend environment variable and save the secret key only in Static Forms settings.

Bash

React Notes

Use the explicit render script when you want to mount the widget inside a client component
Append the token as cf-turnstile-response before submitting
Reset the widget after a failed or successful submission if you need a fresh token

Troubleshooting

Cloudflare Turnstile token rejected

Make sure the token is submitted as cf-turnstile-response and that the secret key saved in Static Forms matches the widget site key you are using.

Widget does not load

Confirm the Cloudflare Turnstile script is loaded, your domain is allowed in Cloudflare, and any ad blockers or CSP rules are not blocking the Cloudflare challenge domain.

Compare providers

Want to compare options? See the Spam Protection overview, reCAPTCHA guide, and ALTCHA guide.

reCAPTCHA

hCaptcha

Cloudflare Turnstile

Need the strategic overview?

Paid Feature

Why teams choose Cloudflare Turnstile

What Static Forms expects

Create Your Cloudflare Turnstile Widget

Open the Cloudflare dashboard

Register your domains

Copy your keys

Save your secret key in Static Forms

Implementation Checklist

Framework setup

Framework Examples

Key Points

Environment Variables

React Notes

Troubleshooting

Cloudflare Turnstile token rejected

Widget does not load

Compare providers

Documentation

Cloudflare Turnstile

Need the strategic overview?

Paid Feature

Why teams choose Cloudflare Turnstile

What Static Forms expects

Create Your Cloudflare Turnstile Widget

Open the Cloudflare dashboard

Register your domains

Copy your keys

Save your secret key in Static Forms

Implementation Checklist

Framework setup

Framework Examples

Key Points

Environment Variables

React Notes

Troubleshooting

Cloudflare Turnstile token rejected

Widget does not load

Compare providers

Documentation