Content Security Policy
If your website sends a Content Security Policy (CSP) header, you must configure it to allow Turnstile's scripts and iframes. Without the correct directives, Turnstile may fail to load, and the failure is visible only as a CSP violation in the browser console.
Cloudflare recommends the nonce-based approach defined in CSP3. Include your nonce in the api.js script tag and Turnstile will propagate it to the resources it loads dynamically, so those scripts are allowed without a host allowlist. Turnstile works with 'strict-dynamic'. Note that nonces and 'strict-dynamic' apply to scripts only: if your policy restricts frames (through frame-src, child-src or default-src), it must still allow https://challenges.cloudflare.com for the challenge iframe.
Alternatively, add the following values to your CSP header:
- script-src: https://challenges.cloudflare.com
- frame-src: https://challenges.cloudflare.com
We recommend validating your CSP with Google's CSP Evaluator.
If you are using Turnstile in pre-clearance mode, Turnstile sets the cf_clearance cookie by making a fetch request to a special endpoint under /cdn-cgi/ on your own domain. For this request to succeed, your connect-src directive (or default-src, which connect-src falls back to when it is absent) must include 'self'.