The Best Cloudflare Turnstile Alternative

In this article, we will take a look at Turnstile, a bot protection service provided by Cloudflare, and explore potentially superior alternatives to it. We will discuss the features and limitations of Cloudflare’s Turnstile service from various perspectives, particularly with regard to universal browser support, accessibility, and privacy compliance.

Overview of Cloudflare Turnstile

Cloudflare Turnstile is a relatively new CAPTCHA solution on the market and hasn’t seen widespread adoption outside of existing Cloudflare customers. Cloudflare offers a wide variety of services and solutions for website owners, but most are only available to Cloudflare customers of Cloudflare DNS. Cloudflare’s main product is Cloudflare DNS, which is a reverse proxy with inbuilt DDoS and bot protection. Turnstile has been part of this all-in-one solution by Cloudflare for a while but has recently been made available to everyone. While Cloudflare DNS is a powerful solution for many site owners, it requires all website traffic to be proxyed through Cloudflare, which acts as a man-in-the-middle. All traffic is routed through one of Cloudflare’s data centers, decrypted there, and then forwarded to your web server. While Cloudflare advertises Turnstile as “Cloudflare’s smart CAPTCHA alternative” and that Turnstile “stops abuse. It aims to eliminate the manual user tasks used by traditional CAPTCHAs, which seems to be more marketing than anything else. Many of the popular CAPTCHA options such as hCaptcha and Google reCAPTCHA have already adopted similar so-called passive CAPTCHAs or invisible CAPTCHAs, which come with non-intrusive browser challenges and only present visual challenges to web visitors they deem suspicious. They all aim to be frustration-free CAPTCHAs and enable so-called CAPTCHA-free web experiences.

The Need for an Alternative – Is It Cloudflare’s Smart CAPTCHA Alternative?

Cloudflare offers a massive conglomerate of features for businesses looking for an all-in-one solution for their website. Cloudflare Turnstile is only a specific part of that, and right now there is no financial incentive for Cloudflare to focus on its development. While it’s a free service, it’s in Cloudflare’s interest to make you switch to using their full Cloudflare CDN feature suite. It is a common strategy by companies to make their customers dependent and effectively lock them into their feature suite with no easy way to switch to a different service. Not everyone uses the latest devices, operating systems, and browsers. There are many people using older browsers, computers, or devices such as smartphones running older versions of Android or iOS. In order for Cloudflare Turnstile to work properly, website visitors are required to use a current version of a major browser. Turnstile does not support older devices, older versions of major browsers, alternative browser vendors, nor Internet Explorer. In short, Turnstile does not provide universal browser support. Site visitors using older browser versions or older devices, such as many Android smartphones, will effectively be locked out. This is a major problem that leads to the exclusion of Internet users who can’t afford or don’t want to use the latest devices. While Cloudflare Turnstile does not use visual puzzles that have to be solved manually, it still requires the user to check a box to solve the CAPTCHA, depending on whether it deems the user suspicious. Because this can be a problem for web visitors who rely on screen readers or other accessibility tools, Cloudflare advertises that visually impaired web visitors can obtain a pre-clearance token from an external service. This token confirms visitors have passed the CAPTCHA without any interaction, but this still creates a barrier for valid users, and it’s unclear where these tokens can be obtained. Cloudflare is a US company that operates data centers around the world. As a Cloudflare customer you typically have little control over which data center is serving your traffic. The same goes for Cloudflare Turnstile. While Cloudflare typically chooses the datacenter closest to the user, this is not guaranteed, and stored data is typically replicated across all locations. This makes it difficult to confidently define where data is stored by Cloudflare Turnstile, which can be a problem for site owners looking to comply with privacy standards such as GDPR, CCPA, and HIPAA. Additionally, Cloudflare Turnstile doesn’t offer a separate privacy policy or terms of service. When using Cloudflare Turnstile, you have to read and understand the terms and privacy policy for the whole Cloudflare feature suite. This privacy policy covers many topics, including large amounts of personal data collected, and never explicitly mentions the use of Cloudflare Turnstile. Therefore, it is confusing and hard to tell what data is collected, how it’s processed, and where it’s stored. The privacy policy on the CAPTCHA itself, that web visitors will see on your site also leads to that privacy policy, which may unsettle your visitors. This can lead to data privacy concerns on the part of your web visitors and a loss of reputation. Again, this shows that Turnstile is not a core product or focus for Cloudflare. It’s more likely a mechanism for them to get more websites onto Cloudflare DNS, further centralizing the web. In 2022, 19% of all websites were using Cloudflare, which creates a single point of failure for a huge part of the internet. If Cloudflare goes down, all of those Cloudflare customer websites will go down too. In the case of a separate CAPTCHA service, the website itself will continue to run even if this CAPTCHA service goes down. Outages happen from time to time, like on October 30, 2023, when a Cloudflare outage caused many popular sites that millions of people depend on, like npm.com, discord.com, shopify.com, or gitlab.com, to go down.

The Search for Cloudflare Turnstile Alternatives

What Are We Looking for in Cloudflare Turnstile Alternatives?

When looking for a superior CAPTCHA alternative to Cloudflare Turnstile to protect your forms from unwanted form submissions, there are a few factors that are important to consider. These include user experience, accessibility, privacy, availability, and overall security. From a user experience and accessibility standpoint, we are looking for Cloudflare Turnstile alternatives that interfere with the user experience as little as possible, such as CAPTCHA-free web experiences. We don’t want visitors to have to solve visual puzzles by hand, and at best, not have to interact with the CAPTCHA at all. While Cloudflare Turnstile does not use visual challenges, it still requires the user to manually interact with the CAPTCHA in fallback cases. This leads to potential accessibility issues. CAPTCHAs that work completely in the background, do not slow down the user, and need no interaction would be optimal. This would provide the best user experience and make CAPTCHAs accessible to all visitors, including the elderly and those with health conditions and disabilities. An important requirement for a CAPTCHA is universal browser support, which will ensure that it works on all browsers and devices. There are still people who use older browsers like Internet Explorer or older computers and smartphones like many Android devices or iPhones. It’s important to ensure that these users will be able to pass the CAPTCHA and not be locked out of your online services. The privacy and data protection mechanisms are also important. We don’t want a third party collecting end-user information without transparency into how that data collection is handled and where it is stored. While Cloudflare Turnstile advertises itself as a privacy-preserving alternative to traditional CAPTCHA providers like Google reCAPTCHA or hCaptcha, it is not clear what this means in practice. Searching through a long privacy policy to find the sections relevant to the use of the CAPTCHA is a bad experience for website administrators and unacceptable for valid users. The main job of a CAPTCHA is, obviously, to protect websites from unwanted requests, malicious traffic, bots, and spam. When choosing a CAPTCHA service, security is an important factor. We want CAPTCHAs to protect web forms like login pages, contact forms, registration forms, and checkout processes and prevent automated bot attacks. Overall, we want CAPTCHA capabilities to be a central part of the business of the CAPTCHA provider’s business. We don’t want it to be a second-class citizen in a big pile of features that they aren’t interested in. There should be a real incentive for the company behind the CAPTCHAs to constantly maintain and improve it.

Introducing Friendly Captcha: A Cloudflare Turnstile Alternative

What is Friendly Captcha?

Friendly Captcha is an EU-based CAPTCHA service with a focus on universal browser support, accessibility and privacy. It relies on a sophisticated proof-of-work-based algorithm to generate invisible, cryptographic puzzles that the user’s device solves in the background to prove that it is not a malicious attacker, bot, or spambot. These cryptographic puzzles are used in combination with advanced risk signals and difficulty scaling to provide bot protection and spam protection for web interactions and forms such as logins, checkout processes, or contact forms. Instead of visitors having to manually solve CAPTCHA challenges like clicking on cars or traffic lights, Friendly Captcha works completely in the background and is invisible. The impact on the UX is minimal, and human visitors should rarely have to wait more than a few seconds. Usually, the invisible CAPTCHA is solved before the visitor has even filled out the form. This way, Friendly Captcha is accessible to all web visitors and doesn’t degrade the user experience, while still protecting you from unwanted spam entries and bots. For example, without protection, bots can take over accounts through credential stuffing attacks by testing stolen usernames and passwords.

How Friendly Captcha Compares to Cloudflare Turnstile

Now we need to check if Turnstile is really Cloudflare’s “smart CAPTCHA alternative”. From a security standpoint, Friendly Captcha and Cloudflare Turnstile are similar. Cloudflare uses risk signals to check for potential bots. Friendly Captcha uses cryptographic puzzles that the end user’s device must solve in the background and additional risk signals to scale these non-intrusive browser challenges. Friendly Captcha and Cloudflare Turnstile can both protect your web forms from unwanted requests and malicious traffic. Both providers adapt the actual challenge outcome to the individual browser by using different technical approaches. User Experience and accessibility wise there are differences between Friendly Captcha and Cloudflare Turnstile. While both will not demand the user to manually solve a visual puzzle, Cloudflare Turnstile may still ask the user to manually interact with the CAPTCHA. Cloudflare says most visitors will have a passive experience, but it’s not clearly defined how often manual interaction with Turnstile is required. Not everyone uses the latest devices, operating systems, and browsers. Many people use older browsers, computers, or devices such as smartphones running older versions of Android or iOS. Turnstile does not support older devices, older versions of major browsers, alternative browser vendors, nor Internet Explorer. Site visitors using older browser versions or older devices, such as many Android smartphones, will be effectively blocked from using your services. Friendly Captcha offers universal browser support and aims to support every browser and device released after Internet Explorer 11. This ensures that your website visitors don’t get locked out. Cloudflare Turnstile scans visitors and automatically selects from a rotating set of CAPTCHA challenges based on telemetry and user behavior. When site owners use pre-clearance mode to integrate Turnstile with the Cloudflare WAF, a cf_clearance cookie is used, which makes a fetch request to a special endpoint of the domain. Friendly Captcha, on the other hand, can work without any user interaction or cookies. This makes it fully accessible to all visitors, including the elderly and people with impairments. Friendy Captcha is GDPR compliant out of the box. It doesn’t set any HTTP cookies and doesn’t store any local data in the browser’s persistent storage. Therefore, it doesn’t need user consent. The main differentiator between Friendly Captcha and Cloudflare Turnstile is privacy. While Cloudflare advertises Turnstile as a privacy-preserving alternative to traditional CAPTCHA providers, it is unclear what this means in practical terms. There is no privacy policy specific to Cloudflare Turnstile, but site visitors must read and make sense of the rather long privacy policy used for all Cloudflare products. This makes it difficult to understand what specific data Cloudflare Turnstile collects, how it’s processed, and where it’s stored. Friendly Captcha, on the other hand, focuses on privacy and is completely transparent about its privacy practices. For websites looking to comply with privacy standards like GDPR, CCPA, and HIPAA, the fact that Cloudflare uses data centers around the world and stored data is typically replicated across multiple locations and countries can be a problem. While requests are typically handled by data centers close to the user’s location, there is no guarantee which data centers will handle which requests and where personal information may be transferred and backed up. This can result in end-user data being transferred to hosting providers based in countries that are considered high risk under GDPR, such as the United States. Friendly Captcha is completely focused on providing the best CAPTCHA solution. Cloudflare, on the other hand, has many different products and Turnstile is not a primary focus for them.

Advantages of Friendly Captcha over Cloudflare Turnstile

GDPR Compliance: The Benefit of an EU Provider

Friendly Captcha vs. Cloudflare Turnstile is fully GDPR compliant and doesn’t require additional user consent to be used. It’s transparent about what data it collects and where it’s stored, offers a detailed data processing agreement specific to its CAPTCHA service, a dedicated EU endpoint for European users, doesn’t use HTTP cookies, and doesn’t store any local data in the browser’s persistent storage. Friendly Captcha is an EU CAPTCHA provider, built and hosted in the EU, and does not rely on any third parties outside of the EU to process end-user data. For international companies targeting EU users, as well as European companies, this means that end-user data never leaves the European Union, while your website and forms are protected from bots and spam. Compared to US-based Cloudflare, Friendly Captcha ensures that data from EU web visitors will never be processed outside the EU. No international data transfer is a huge advantage for companies looking to comply with data protection standards, such as GDPR.

Superior Usability: Making CAPTCHA Friendlier

In terms of usability and good user experience, Friendly Captcha is superior. It has little to no impact on the user experience and will never lock anyone out. While Cloudflare Turnstile doesn’t provide universal browser support and requires the user to manually interact with the CAPTCHA in some cases, Friendly Captcha works in the background. Friendly Captcha automatically scales the difficulty of the cryptographic puzzles that the end user’s device must solve in the background. Most web visitors will not notice any slowdown or difference in the user experience as the CAPTCHA is often done solving before the user is even ready to submit the form or web interaction protected by Friendly Captcha. This makes Friendly Captchas the more user-friendly alternative to Turnstile.

Full Accessibility: A Truly Inclusive Cloudflare Turnstile Alternative

While some challenges served by Cloudflare Turnstile still require manual interaction with its CAPTCHA service, Friendly Captcha works entirely in the background and is therefore accessible to everyone. It will never ask the user to check a checkbox, or worse, read distorted text. The challenges used by Friendly Captcha are solved by the user’s web browser in the background. It simply works for everyone. As a Cloudflare customer, you accept that people with disabilities or the elderly will be excluded from important website forms such as creating an account, logging in, or registering. As legitimate visitors, they are denied access to certain services because they may not be able to perform the manual tasks that are required in certain situations. The result is a poor user experience.

Privacy: Understanding the Importance of GDPR Compliance

The Challenges with Turnstile and GDPR

GDPR compliance is important for websites targeting users within the EU, in order to protect their users’ right to privacy. Without GDPR compliance, companies operating in the European Union risk significant fines. While Cloudflare Turnstile promises to be GDPR compliant, it does not provide a privacy policy and data processing agreement dedicated to Turnstile to disclose what specific information this product collects, the extent to which the data collected is also used for other Cloudflare products, and does not limit locations and subprocessors to the EU in its policies, leading to GDPR risks of data transfers to third countries. Additionally, in order to use Cloudflare Turnstile, website owners must embed a script that is dynamically loaded from Cloudflare’s servers. This means that the browser of every user visiting the website will request the Cloudflare servers, download the script, and execute it on their local computer. This is a risk because this request is already sending personal information about the user to Cloudflare’s distributed servers in different countries, and it also creates an unnecessary attack surface. Attackers can potentially modify this script and inject arbitrary code into the browser while users are visiting the site to steal their information. For EU end users, the fact that Cloudflare is a US company using data centers located outside the EU makes it more difficult for websites to be GDPR compliant. The globally distributed network of Cloudflare leads to uncertainty about what personal data is actually located in which locations and with which subcontractors in which countries. Similar issues are faced by website owners using Google’s reCAPTCHA service. Making reCAPTCHA work involves transferring personal data to Google servers outside the European Economic Union, in the United States. There have already been several rulings in this regard, such as the NS Card France case or Cityscoot case. The French privacy commission ruled that their use of Google reCAPTCHA did not meet GDPR transparency requirements and that they failed to obtain prior user consent for the US based CAPTCHA service. Both companies were fined over €100,000. While Cloudflare Turnstile, unlike Google reCAPTCHA, only uses cookies based on the configured mode, such as pre-clearance mode, it is served from a subdomain of cloudflare.com, which can be a risk. Cloudflare could potentially track visitors across all websites that communicate with Cloudflare.

How Friendly Captcha Ensures GDPR Compliance

Privacy is one of the core strengths of Friendly Captcha, and it is GDPR compliant right out of the box. It doesn’t set any HTTP cookies and doesn’t store any local data in the browser’s persistent storage. Therefore, it doesn’t require user consent. Friendly Captcha is a German company, and it only relies on data centers located in the EU. The same goes for all services that it depends on to process end-user data. This means that for EU websites embedding Friendly Captcha, no sensitive information is ever transferred to risky countries such as the US according to European regulations. Friendly Captcha discloses what information is collected, how it is processed, and what third parties are involved. There are no secrets or hidden surprises when integrating it into your website. To comply with GDPR, all you need to do is add Friendly Captcha to your privacy policy.

Usability: A Key Factor in Choosing a Turnstile CAPTCHA Alternative

Usability Challenges with Cloudflare Turnstile

While Cloudflare Turnstile claims to work completely in the background, it still requires manual user interaction with the CAPTCHA in some cases. Based on telemetry and client behavior during a session, it selects from a rotating set of browser challenges. Based on the challenge that is presented, users must take the additional step of manually performing a task required by the CAPTCHA. Not every person is using the latest devices, operating systems and browsers. There are lots of people using older browsers, computers or devices like smartphones with older versions of Android or iOS. For Cloudflare Turnstile to operate correctly, website visitors are required to use an up-to-date version of a major browser. Cloudflare’s sole solution if a website visitor encounters issues using a major browser, is to upgrade their browser. Turnstile doesn’t support older devices, older versions of major browsers, other browser vendors, Internet Explorer. Therefore Turnstile doesn’t offer universal browser support. Website visitors using older browser versions or older devices, such as many Android smartphones, effectively leading to lock-out of these users. This is a major issue leading to exclusion of Internet users that can not afford to or don’t want to use the latest devices. Overall, this results in a sub-optimal user experience. To avoid interrupting the user, the CAPTCHA should work for all users and without any user interaction.

The User-friendly Approach of Friendly Captcha

The Cloudflare Turnstile Friendly Captcha alternative is configured to require no user interaction at all. Verification starts automatically when the user fills out a protected form, and in most cases is complete by the time the user is ready to submit. The cryptographic puzzles used by Friendly Captcha work completely in the background and most visitors will not even notice that a CAPTCHA is present. Friendly Captcha can dynamically increase the difficulty of its hidden cryptographic puzzles to fight more advanced bots. This way, Friendly Captcha does not negatively affect the user experience. In most cases, the user will not even notice it and will be able to submit the protected form right away after filling it out. Friendly Captcha offers universal browser support, including older browsers, operating systems and devices. There are still people using older browsers like Internet Explorer or older devices like many Android devices or iPhones. Friendly Captcha aims to support every browser and device released after Internet Explorer 11, resulting in optimal support for a wide range of browsers and devices. This ensures that users don’t get locked out of your services.

Accessibility: Making CAPTCHA Available for All

Accessibility Issues with Cloudflare Turnstile

Cloudflare Turnstile does not use image tagging or text-based challenges for the user to manually solve, but it still requires the user to manually interact with the CAPTCHA in some cases. This makes it more accessible than traditional CAPTCHA options, but it’s still not perfect. People with visual or motorical impairments may have difficulty with manual tasks, and it also detracts slightly from the user experience. While Cloudflare Turnstile promises that web visitors with visual or motorical impairments can obtain a pre-clearance token from an external service to bypass the CAPTCHA, it is not clear how this works and which external services are meant.

How Friendly Captcha Ensures Full Accessibility

Friendly Captcha works on making the web open and accessible to everyone. It has all the requirements for full accessibility built-in and is a WCAG compliant CAPTCHA alternative. Unlike Turnstile, it never uses challenges that require manual solving by the user or any interaction at all. With Friendly Captcha, the puzzles are solved in the background and are not visible to users. As a result, valid users have a seamless experience while unwanted spam and bots are defeated. By using Friendly Captcha you contribute to an open and accessible web.

How to Transition from Cloudflare Turnstile to Friendly Captcha

Step-By-Step Guide For Transitioning

Friendly Captcha can be a drop-in replacement for Cloudflare Turnstile and traditional CAPTCHA options. With its simple API, it will only take a few minutes to make the transition for most websites and applications.

Create an Account at Friendly Captcha

To use Friendly Captcha on your website you first need to create an account at https://friendlycaptcha.com/signup. While signing up you can choose between different plans, each of them offering a free 30-day trial period.

Create an Application and API key

After creating your free account, you can log into your Friendly Captcha dashboard at https://friendlycaptcha.com and create an application and an API key. An application is used to configure how the CAPTCHA will work on your website. After you generate the application, copy the sitekey and keep it in a safe place, we will need it later. The API key is used in your backend to talk to the Friendly Captcha API and verify the CAPTCHA options. After creating the API key, copy it and keep it in a safe place, we will need it later as well.

Swap Out the Client Code

To make use of Friendly Captcha in your site you first need to replace the JavaScript library provided by Cloudflare Turnstile with the Friendly Captcha one.