This article is more than 1 year old

Cloudflare's invisible CAPTCHA works by probing browsers with JavaScript

Beta-grade widget respects your privacy, we're promised

Cloudflare has begun a public beta test of a CAPTCHA alternative that runs quietly in the background to automatically determine if the webpage visitor is an actual human. Its goal is to allow netizens to avoid having to complete those tedious prove-you're-not-a-bot tests on websites.

The widget is dubbed Turnstile, and is described as "an invisible alternative" to today's CAPTCHA challenges. That said, it will fall back to a manual test as a last resort if it can't automagically verify a user is human. Cloudflare claims it can do all of that while maintaining a higher level of privacy than traditional CAPTCHA systems.

The internet infrastructure biz said a Turnstile test begins with the participating website running non-interactive JavaScript code that takes a look at the system and browser to determine whether it's in an automated environment or that there's likely a human at the computer. The JS code is embedded from

This script performs a bunch of background tasks in the browser, including "proof-of-work, proof-of-space, probing for web APIs, and various other challenges for detecting browser-quirks and human behavior," Cloudflare said. 

"Turnstile also includes machine learning models that detect common features of end visitors who were able to pass a challenge before. The computational hardness of those initial challenges may vary by visitor, but is targeted to run fast."

Ultimately, the code uses a bunch of techniques to figure out if the website is being visited by a person as opposed to a software-controlled browser that's there in hope of committing ad-click fraud, signing up for a ton of accounts, or whatever.

When a human is detected, Cloudflare's backend system issues a token to the visitor's browser. When that user subsequently tries to do anything on the website – such as log in, search, or sign-up – the token can be presented to the site to confirm there isn't a bot at play, and everything will be allowed to work as expected. Since bots won't be issued these tokens, they can be stopped from doing anything further with the website.

Turnstile, said to be derived from Cloudflare's Managed Challenge feature, can be used for free on any website that wants to embed the thing, and by any netizen who doesn't block the JavaScript code, we're told.

These not-a-bot tokens – also known as Private Access Tokens, or PATs – were developed with Apple: the latter wants its operating systems to automatically issue the tokens to websites so that iOS (and soon macOS) users can skip having to complete CAPTCHAs.

For now, Turnstile can handle Apple's PATs or tokens issued by Cloudflare's backend. When more OSes support the tokens, they can be added to Turnstile, skipping the need for all that JavaScript probing, presumably.

"To date, [PATs] are only present for iOS 16 devices," Cloudflare Director of Product Reid Tatoris told us in an email. "In the future as more devices and clients take advantage of PATs, Turnstile will automatically utilize PATs anywhere they are compatible."

Outside of PATs, which are supposed to be anonymous, Cloudflare said Turnstile helps maintain user privacy by not using or looking at cookies. While Turnstile looks "at some session data (like headers, user agent, and browser characteristics) to validate users without challenging them," Cloudflare said it doesn't store data of any kind. 

Instead, Cloudflare said it worked with equipment manufacturers to build profiles of devices that help it quickly validate hardware, letting Turnstile "abstract portions of the validation process, and confirm data without actually collecting, touching, or storing that data ourselves."

We note that, like Turnstile, other CAPTCHA widgets rely on JavaScript.

Click on the squares that include a web goliath

Besides inconvenience, Cloudflare said that CAPTCHA widgets come with a privacy trade-off due to who manages 98 percent of implementations: Google. 

It was previously uncovered that Google reCAPTCHA favored Google users, giving them the benefit of the doubt as long as reCAPTCHA could determine a user was logged into a Google account. 

"Google says they don't use this information for ad targeting, but at the end of the day, Google is an ad sales company," Cloudflare said. Google previously told The Register reCAPTCHA collects hardware and software information and sends it to Google, but wouldn't say what it does with that data. 

Cloudflare used reCAPTCHA until 2020, when it dumped the service for hCaptcha, citing customer concerns and privacy issues around sending data to Google. Those concerns conveniently lined up with Google declaring it was going to begin charging heavy reCAPTCHA users, like Cloudflare, to access the service. ®

PS: Cloudflare also this week introduced what it calls a zero-trust eSIM.

More about


Send us news

Other stories you might like