Using Cloudflare Turnstile (Implicit form)

Implicit vs Explicit

Implicit rendering automatically displays the Turnstile widget on your webpage without additional JavaScript code. You use this for pages where you want the widget to load immediately when the page loads. (You use Explicit rendering when you wan to manually control when and where the Turnstile widget appears using JavaScript).

Obtaining the Cloudflare keys

To obtain the keys:

Cloudflare account dashboard > Turnstile > Add Widget
Widget Mode: Any, Non interactive mode is good.
Pre-clearance: Optional, not needed.
Copy your sitekey and secret keys and paste into here.

Adding to HTML (client)

Add to the header
<script src="https://challenges.cloudflare.com/turnstile/v0/api.js" async defer></script>
Add to a form where you want to use it
  <div class="MyCloudflareTurnstileWrapper">
    <div class="cf-turnstile" data-sitekey="MY_SITE_KEY" data-theme="light"></div>
  </div>

An invisible input with the name cf-turnstile-response is automatically added and will be sent with the other form fields you use.

Customizing it – see here: https://developers.cloudflare.com/turnstile/get-started/client-side-rendering/

Adding to server

Handle the form POST
  $SendUrl = 'https://challenges.cloudflare.com/turnstile/v0/siteverify';
  $CloudflareTurnstileResponse = $_POST['cf-turnstile-response'];   //Turnstile injects a field called "cf-turnstile-response" with its token
  $RemoteIp = $_SERVER['REMOTE_ADDR'];

  $PostData  = array(
      "secret" => '$ClouflareTurnstileSecretKey'YOUR-SECRET-KEY',
      "response" => $CloudflareTurnstileResponse,
      "remoteip" => $RemoteIp
  );
  $PostData = http_build_query($PostData);

  $Response = '';
  if(function_exists('curl_init') && function_exists('curl_setopt') && function_exists('curl_exec'))
  {
    $ch =  curl_init();
    curl_setopt($ch, CURLOPT_URL, $SendUrl);
    curl_setopt($ch, CURLOPT_POST, True);
    curl_setopt($ch, CURLOPT_POSTFIELDS, $PostData);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 10);        //Connect timeout in secs
    curl_setopt($ch, CURLOPT_TIMEOUT, 10);               //Maximum time the request is allowed to take in secs
    $CurlResult = curl_exec($ch);
    curl_close($ch);
  }
  $DecodedJson = json_decode($CurlResult, True);
  
  echo "CurlResult: ";
  print_r($CurlResult);
  echo "<br>DecodedJson: ";
  print_r($DecodedJson);

  if (!is_null($DecodedJson))
  {
    //Check for succcess
    if ( (isset($DecodedJson['success'])) && ($DecodedJson['success'] === True) )
    {
      //Passed Cloudflare Turnstile check

    }
  }
USEFUL?
We benefit hugely from resources on the web so we decided we should try and give back some of our knowledge and resources to the community by opening up many of our company’s internal notes and libraries through mini sites like this. We hope you find the site helpful.
Please feel free to comment if you can add help to this page or point out issues and solutions you have found, but please note that we do not provide support on this site. If you need help with a problem please use one of the many online forums.

Comments

Your email address will not be published. Required fields are marked *