Bot Protection

Sign up on Cloudflare if you haven’t already.

Go to your account -> Turnstile -> Add Widget. Then:

• Set a descriptive name
• In the domain, enter your frontend’s domain
• Set widget mode as “managed”

Then click on “create” and write down the site key and the secret key.

Start by adding the following configuration to your Nhost project:

• Config

[auth.signUp.turnstile]
secretKey = 'turnstileSecretKey'

Replace turnstileSecretKey with the secret key from the first step.

To integrate turnstile into your sign up form you can refer to Cloudfare’s documentation. Just keep in mind a few things:

• You don’t need to do any verification of the response, just pass it to the Auth service on the /signup/... request in the header x-cf-turnstile-response.
• The “server side verification” is done by the auth service and will return a forbidden status error if the header is not present or if the check didn’t pass.
• You will need to use the site key from step 1 to configure turnstile in your form

To pass the response as a header change your request to include the header. For instance:

await signUpEmailPassword(
   email,
   password,
   {
     displayName,
   },
   {
     headers: {
       'x-cf-turnstile-response': turnstileResponse,
     },
   },
 );

In the following PR you can see the changes that were needed in our very own dashboard to integrate turnstile.