Common mistake
Forms often render a captcha but still accept API requests without a token. Bots do not need the browser; they can POST directly.
- Empty frontend token
- No backend verify
- Missing secret bypass
- No honeypot
Cloudflare security
A captcha widget is only UI if the backend does not verify the token or silently bypasses missing secrets.
The frontend renders Turnstile with a public site key. The backend verifies the token with Cloudflare before sending email.
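The backend half of that flow, as an added example (not code from this page or from Cloudflare): it fails closed on each of the mistakes listed above before any email is sent. The function names, status codes and the `website` honeypot field are assumptions; the siteverify URL and the `cf-turnstile-response` field are Turnstile's own.

```javascript
// Added example: names, status codes and the "website" honeypot field are assumptions.
const SITEVERIFY_URL = "https://challenges.cloudflare.com/turnstile/v0/siteverify";
const TOKEN_FIELD = "cf-turnstile-response"; // field the Turnstile widget adds to the form

const reject = (status, reason) => ({ ok: false, status, reason });

// Local checks that need no network call. Returns a rejection, or null when
// the token still has to be verified with Cloudflare.
function precheck(body, secret) {
  // Fail closed: a missing secret is a deployment error, never a bypass.
  if (!secret) return reject(500, "captcha-not-configured");
  // Honeypot: a hidden input that real users leave empty.
  if (typeof body.website === "string" && body.website.trim() !== "") {
    return reject(400, "honeypot");
  }
  const token = body[TOKEN_FIELD];
  if (typeof token !== "string" || token.trim() === "") {
    return reject(400, "missing-token");
  }
  return null;
}

// fetchImpl is injectable so the logic can be exercised without network access.
async function verifyContactSubmission(body, secret, remoteIp, fetchImpl = globalThis.fetch) {
  const rejected = precheck(body, secret);
  if (rejected) return rejected;

  const params = new URLSearchParams({ secret, response: body[TOKEN_FIELD] });
  if (remoteIp) params.set("remoteip", remoteIp);

  let result;
  try {
    const res = await fetchImpl(SITEVERIFY_URL, { method: "POST", body: params });
    result = await res.json();
  } catch (err) {
    // Verification service unreachable or bad response: reject, do not send.
    return reject(502, "verify-unavailable");
  }
  if (!result || result.success !== true) return reject(403, "captcha-failed");
  return { ok: true, status: 200, reason: "verified" };
}
```

The route handler sends the email only when the returned `ok` is `true`; every other outcome, including an unreachable verification service, drops the submission.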
A spam-resistant contact form keeps sales inboxes cleaner and reduces abuse risk.