Form submits even if 'Verify' box is not checked

Hi, I am using Kirby CMS with the Form Block Suite plugin. I have…

  • Added JavaScript to insert the cf-turnstile div above the submit button
  • Added the Turnstile scripts to the page template
  • Added a PHP file – based on a tutorial – to support server-side validation.

All looks good on the contact form page. However, I suspect that server-side validation is not working because form submissions are allowed through even when the “Verify you are human” box is NOT checked.

Is there any way to check if server-side validation is working? Can anyone provide advice re. usage with PHP? Thanks.

I wanted to test the behavior so I did submit a form, sorry for the generic answers on it.

Checking your Turnstile configuration I saw that your site key is the testing one


which always forces a challenge on visitors. Is it possible that you are using the secret key


Which always passes all requests?


Hi, @ncormier. Yes, I got your “John Smith” submission. :wink: Thanks for taking a look.

The secret key I’m using is actually 2x0000000000000000000000000000000AA – i.e. all requests failed. I set that yesterday afternoon just whilst I try to figure out what’s going on. As submissions are getting through anyway, it’s not currently impacting user experience.

The code I’m using to integrate with PHP is taken from a tutorial and I’ve already reached out to the author for support. But I’m yet to hear back. It’s the server-side validation that’s the problem. I now know that the error code is missing-input-response and the output from Cloudflare is as follows:

Array ( [success] => [error-codes] => Array ( [0] => missing-input-response ) [messages] => Array ( ) )

The way it’s set up is that I have a separate PHP file with the validation processing code, including the secret key. The form’s action attribute targets that file. The code is currently set up to point to that page after challenge processing and the code should output either a success or failure message. If I call the page directly in the browser, I do see the error message. But the redirect isn’t happening automatically because an input response isn’t coming back from Cloudflare. That’s the bit I’m struggling with.