Integrating Turnstile with the Cloudflare WAF to challenge fetch requests
Cloudflare's new product, Turnstile, is designed to protect websites from spam and abuse while minimizing the impact on user experience. It achieves this by providing a simple yet robust solution for preventing fraudulent activity without requiring users to solve CAPTCHAs or other complex security challenges.

Turnstile offers two modes of operation: Managed Mode and Pre-Clearance mode. In Managed Mode, Turnstile automatically detects and mitigates threats such as bots, scrapers, and account takeovers by issuing a challenge that must be solved before accessing the protected endpoint. Pre-Clearance mode is an enhancement to Managed Mode that offers greater flexibility in handling security challenges. In this mode, Turnstile issues Turnstile tokens upon solving a challenge once per session. These tokens are automatically applied to the Cloudflare zone they were issued on, and their validity time can be controlled by adjusting the "Challenge Passage" setting within the dashboard.

To implement Turnstile with Pre-Clearance, developers need to override the browser's fetch() function to introspect the Cf-Mitigated header for the value 'challenge'. If a challenge is issued, an overlay containing a Turnstile widget appears in the web application. Once the user solves the Turnstile challenge, the overlay disappears, and the requested API result is shown successfully.

Overall, Turnstile provides an effective way to secure websites against fraudulent activity while maintaining a positive user experience. It offers a range of features and customization options that make it suitable for various use cases across different industries.
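The fetch() override described above, as an added example that is not code from the Cloudflare post: a wrapper that checks the Cf-Mitigated response header, shows a Turnstile overlay when it reads 'challenge', and retries the original request after the widget is solved. The `showChallenge` callback, the overlay element and the `sitekey` value are assumptions; `turnstile.render()` is the Turnstile widget API.

```javascript
// Added example (not from the Cloudflare post): a fetch() wrapper that detects a
// Cloudflare challenge via the Cf-Mitigated response header, shows a Turnstile
// overlay, and retries the original request once the challenge is solved.

function isChallengeResponse(response) {
  // Header names are case-insensitive; Headers.get() normalizes them.
  return response.headers.get('cf-mitigated') === 'challenge';
}

// baseFetch: the original fetch; showChallenge: a caller-supplied async function
// (an assumption here) that renders the Turnstile widget and resolves once solved.
// maxRetries bounds how many times a still-challenged request is retried, so a
// client that never clears the challenge cannot loop forever.
function createChallengeAwareFetch(baseFetch, showChallenge, { maxRetries = 1 } = {}) {
  return async function challengeAwareFetch(input, init) {
    let response = await baseFetch(input, init);
    let retries = 0;
    while (isChallengeResponse(response) && retries < maxRetries) {
      retries += 1;
      await showChallenge();            // user solves the widget; clearance is issued
      response = await baseFetch(input, init);
    }
    return response;                    // the API result, or the last challenge response
  };
}

// Browser-only: overlay with a Turnstile widget. `sitekey` is a placeholder
// supplied by the caller; the widget callback fires when the challenge is solved.
function showTurnstileOverlay(sitekey) {
  return new Promise((resolve) => {
    const overlay = document.createElement('div');
    overlay.id = 'turnstile-overlay';
    document.body.appendChild(overlay);
    turnstile.render(overlay, {
      sitekey,
      callback: () => { overlay.remove(); resolve(); },
    });
  });
}

// Install the wrapper in the page, keeping a reference to the original fetch.
function installChallengeAwareFetch(sitekey) {
  if (typeof window === 'undefined') return;   // not running in a browser
  const originalFetch = window.fetch.bind(window);
  window.fetch = createChallengeAwareFetch(originalFetch, () => showTurnstileOverlay(sitekey));
}
```

Call `installChallengeAwareFetch('<your-sitekey>')` once at page load; requests that Cloudflare does not challenge pass through the wrapper unchanged.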
Company
Cloudflare
Date published
Dec. 18, 2023
Author(s)
Adam Martinetti, Benedikt Wolters, Miguel de Moura
Word count
1445
Language
English
Hacker News points
None found.