Implement Turnstile using implicit and explicit rendering
This tutorial will explore the two primary methods of implementing Turnstile to your website via implicit or explicit rendering using a detailed explanation, a step by step implementation guide, and examples on how to help you protect your web application security while maintaining a good user experience.
- You must have a Cloudflare account.
- You must have a sitekey and secret key. You can obtain the sitekey and secret key from the Cloudflare dashboard after adding your zone to Turnstile.
- You must have basic knowledge of HTML and JavaScript. Familiarity with web development will help you follow along the tutorial.
Implicit rendering automatically displays the Turnstile widget on your webpage without additional JavaScript code. This set up is ideal for static pages where you want the widget to load immediately when the page loads.
To set up implicit rendering:
- Include the Turnstile Script: Add the Turnstile JavaScript API to your HTML file within the
<head>
section or just before the closing</body>
tag.
- Add the Turnstile widget to your HTML: Insert a
div
element where you want the widget to appear.
Once a challenge has been solved, a token is passed to the success callback. This token must be validated against our siteverify endpoint.
- Create Your Form: Turnstile is often used to protect forms on websites such as login forms or contact forms. You can embed the widget within your
<form>
tag.
An invisible input with the name cf-turnstile-response
is added and will be sent to the server with the other fields.
Explicit rendering helps you manually control when and where the Turnstile widget appears using JavaScript. This method is suitable for dynamic content, single-page applications(SPAs), or conditional rendering based on user interactions.
To set up explicit rendering:
- Include the Turnstile Script with
onload
callback: From the previous example, modify the script tag to include anonload
parameter.
- Create a container element: Add a
<div>
with an ID or class where you want the widget to appear.
- Define the callback function: In your code, define the
onloadTurnstileCallback
function.
In the code above, The Turnstile script loads and calls onTurnstileLoad
upon completion. turnstile.render()
is used to manually render the widget in the specified container. The callback function handles the response token, which you can use for server-side verification.
If the invocation is successful, the function returns a widgetId
(string). If the invocation is unsuccessful, the function returns undefined.
After rendering the Turnstile widget explicitly, you may need to interact with it based on your application's requirements. Refer to the sections below to manage the widget's state.
To reset the widget if the given widget timed out or expired, you can use the function:
Retrieve the current response token at any time:
When a widget is no longer needed, it can be removed from the page using:
This will not call any callback and will remove all related DOM elements.
Regardless of the rendering method, Turnstile tokens need to be verified using siteverify
because the front-end widget creates a cryptographically secured token. To ensure that a token is not forged by an attacker or has not been consumed yet, it is necessary to check the validity of the token using Cloudflare's siteverify API.
The siteverify
API will only validate a token once. If a token has already been checked, the siteverify API will yield an error on subsequent verification attempts indicating that a token has already been consumed.
Choosing the appropriate rendering method for Turnstile is important and effectively helps you to add it to your website while ensuring optimal performance and user experience. Both implicit and explicit rendering have their own advantages and are suited to different types of web applications. Refer to the table below that highlights the ideal use case for each of these rendering methods:
Feature | Implicit rendering | Explicit rendering |
---|---|---|
Ease of setup | Simple, minimal code | Requires additional JavaScript |
Control over timing | Renders automatically on page load | Full control over rendering timing |
Use cases | Static content | Dynamic or interactive content |
Customization | Limited to HTML attributes | Extensive via JavaScript API |
- Always verify the Turnstile response token on your server.
- Ensure your implementation is accessible to all users.
- Test your integration across different browsers and devices.
- Load the Turnstile API script asynchronously to prevent blocking.
Implementing Turnstile into your website helps improve the security of your website without compromising user experience. By understanding and implementing implicit or explicit rendering, you can choose the method that best fits your website's architecture and user interaction patterns.
- Implicit rendering is ideal for static pages with minimal JavaScript.
- Explicit rendering offers greater control for dynamic and interactive applications.
Remember to perform server-side validation of the response token to complete the authentication process securely.
- Server-side validation: A guide on how to implement server-side validation to ensure that only valid, human-generated responses are accepted by your application.
- Turnstile Analytics: A guide on how to access and interpret Turnstile analytics data, allowing you to monitor key metrics, access the number of challenges issued, and evaluate the challenge solve rate (CSR).
- Turnstile API Reference: Comprehensive documentation for the Turnstile API, providing detailed information on API operations for managing Turnstile widgets, including how to list, create, and update widgets via API calls.