Using turnstile on a static website

Hi there,

While it seems to be really easy to use on Wordpress how can I use turnstile on my static website.

I have added the client side code on the form but where I need to put the server side key since there is no backend. I do use a server which supports php, does this helps?

Any advice on how to setup this will be great


I’m in a similar situation. Whatever form processing script you use on your server is where the server-side verification needs to go. I use FormMail, so I was considering “tweaking” FormMail to do the Turnstile server verification.

1 Like

Hi @twilliams

I think the documentation is not that helpful if you are not techy. for Hcapthca I place the site key in the frontend and the secret key in the form.php on a vis and on cloudflare pages I add the secret key of Hcaptcha in the form worker.

But really confused with this turnstile, a little guidance would actually help but seems like this topic is not given much attention. DO you think I should wait for a response or just abandon it to go back to hcaptcha


Well, if you’re using a PHP script to process your form now, that script would need to be updated to do the server-side token verification. That shouldn’t be hard to do BUT if you’re not a PHP developer or aren’t comfortable with modifying PHP code, it might be harder for you to implement Turnstile.

So, maybe hire a PHP developer to make the changes for you? Or maybe look at your form.php script to see what it does the hCAPTCHA and maybe attempt something similar for Turnstile?

It shouldn’t be hard to do but if you’re used to programming, it could be frustrating for you.

In my case FormMail is a PHP form processing script so when I get some time, I’ll poke around the script and find a nice place to inject some “test” Turnstile code. I tried something like this once with Google reCAPTCHA and FormMail. FormMail actually supports reCAPTCHA but I couldn’t get it to work. When I would submit the form, FormMail would crash and die and I never contacted FormMail support to find out why. (Hey, that rhymes! :smiley: )

Hope that helps!

1 Like

Hi there, thanks for your question!

If you have a setup with hcaptcha already, it should just be a case of updating URLs: Migrating from hCaptcha · Cloudflare Turnstile docs

When it references the backend, in this case it means your .php script that is performing the validation and contains the secret key. That script on the server would be considered the backend.

Apologies if the doc isn’t clearer! Are you running into any troubles after updating the values in the PHP file to point to Turnstile?

1 Like

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.