ademarre 2 hours ago

I integrated Turnstile with a fail-open strategy that proved itself today. Basically, if the Turnstile JS fails to load in the browser (or in a few specific frontend error conditions), we allow the user to submit the web form with a dummy challenge token. On the backend, we process the dummy token like normal, and if there is an error or timeout checking Turnstile's siteverify endpoint, we fail open.

Of course, some users were still blocked, because the Turnstile JS failed to load in their browser but the subsequent siteverify check succeeded on the backend. But overall the fail-open implementation nonetheless lessened the impact on our customers.

Fail-open with Turnstile works for us because we have other bot mitigations that are sufficient to fall back on in the event of a Cloudflare outage.
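One way to implement the backend half of the strategy described above, as an added example that is not the commenter's code. It assumes a Node backend with a global `fetch`, a hypothetical sentinel value `DUMMY_TOKEN` that the frontend submits when the widget script never loaded, and a per-request timeout; the siteverify URL and the `success` / `error-codes` response fields are Cloudflare's documented ones. The point the example makes concrete is that "fail open" only applies when the siteverify call itself cannot complete; a definitive rejection from Cloudflare (which is what the dummy token gets during a partial outage) still blocks the request.

```javascript
// Added example (not the commenter's code): fail-open Turnstile verification.
// Cloudflare's documented siteverify endpoint.
const SITEVERIFY_URL = "https://challenges.cloudflare.com/turnstile/v0/siteverify";

// Hypothetical sentinel the frontend submits when the Turnstile JS failed to
// load. It is NOT a real token: whenever Cloudflare is reachable, siteverify
// rejects it, which is exactly the partial-outage case described in the post.
const DUMMY_TOKEN = "turnstile-unavailable";

// Frontend side: submit the widget's token if we got one, else the sentinel.
function tokenToSubmit(widgetToken) {
  return typeof widgetToken === "string" && widgetToken.length > 0 ? widgetToken : DUMMY_TOKEN;
}

// Pure policy, kept separate from I/O so it can be unit-tested:
//   verified    -> allow
//   rejected    -> deny (Cloudflare answered; includes the dummy token)
//   unavailable -> fail open (network error, timeout, non-2xx, bad JSON)
function decide(outcome) {
  if (outcome.kind === "verified") return { allowed: true, reason: "verified" };
  if (outcome.kind === "rejected") {
    return { allowed: false, reason: "rejected:" + (outcome.errorCodes || []).join(",") };
  }
  return { allowed: true, reason: "fail-open:" + outcome.error };
}

// Call siteverify with a hard timeout. `fetchImpl` is injectable for tests.
async function callSiteverify(token, secret, { fetchImpl = fetch, timeoutMs = 3000, remoteip } = {}) {
  const controller = new AbortController();
  const timer = setTimeout(() => controller.abort(), timeoutMs);
  try {
    const body = new URLSearchParams({ secret, response: token });
    if (remoteip) body.set("remoteip", remoteip);
    const res = await fetchImpl(SITEVERIFY_URL, { method: "POST", body, signal: controller.signal });
    if (!res.ok) return { kind: "unavailable", error: "http-" + res.status };
    const data = await res.json();
    return data.success === true
      ? { kind: "verified" }
      : { kind: "rejected", errorCodes: data["error-codes"] || [] };
  } catch (err) {
    const error = err && err.name === "AbortError" ? "timeout" : (err && (err.code || err.name)) || "error";
    return { kind: "unavailable", error };
  } finally {
    clearTimeout(timer);
  }
}

// What a form handler would call: { allowed, reason }. Log `reason` so
// fail-open events are visible and can be counted during an outage.
async function checkTurnstile(token, secret, opts) {
  return decide(await callSiteverify(token, secret, opts));
}
```

The `allowed: true` path on `unavailable` is the deliberate fail-open; it is only a reasonable default when, as the post says, other bot mitigations remain in force behind it. Logging the `fail-open:` reasons separately is what lets you see how often the lenient path is actually taken.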

cj 2 hours ago

So to bypass captcha all a user has to do is block the script from loading? I can see that working but only for attacks that aren’t targeted?

ademarre an hour ago

Only if they are able to block the siteverify check performed by our backend server. That's not the kind of attack we are trying to mitigate with Turnstile.