Skip to content

Content Security Policy

The HTTP Content-Security-Policy response header allows website administrators to control resources the user agent is allowed to load for a given page.

We recommend using the nonce-based approach documented with CSP3. Make sure to include your nonce in the api.js script tag and we will handle the rest. Cloudflare Turnstile works with strict-dynamic.

Alternatively, add the following values to your CSP header:

  • script-src: https://challenges.cloudflare.com
  • frame-src: https://challenges.cloudflare.com

We recommend validating your CSP with Google’s CSP Evaluator.

Pre-Clearance support

If you are using Turnstile in pre-clearance mode, Turnstile sets the cf_clearance cookie by doing a fetch request to a special endpoint in /cdn-cgi/ of your domain.

For this request to succeed, your connect-src directive must include 'self'.