Cloudflare Turnstile vs reCAPTCHA
Cloudflare Turnstile launched in September 2022 as a direct response to reCAPTCHA's privacy problem. Both services are free, both are invisible to users, and both work with a simple script tag and server-side token verification. The fundamental difference is who benefits from the data: Turnstile processes signals for security only, while reCAPTCHA feeds interaction data into Google's advertising infrastructure.
In 2026 this distinction matters more than it did three years ago. GDPR enforcement is stricter, consent fatigue is real, and developers are increasingly expected to justify every third-party script on their pages. This comparison covers the technical and practical differences so you can make a defensible choice for your PHP project.
Side-by-side comparison
| Feature | Cloudflare Turnstile | Google reCAPTCHA v3 |
|---|---|---|
| Developer | Cloudflare | Google |
| Launch year | 2022 | 2012 |
| User interaction | Invisible — automatic challenge | Invisible — score-based |
| Free tier | Yes — unlimited with Cloudflare account | Yes — rate limits apply |
| Data collection | Minimal — security use only, no ad targeting | Extensive — feeds Google ad network |
| GDPR / Privacy | No consent banner needed in most cases | Requires cookie consent in EU |
| PHP integration difficulty | Easy | Medium — threshold tuning required |
| False positive rate | Low for most sites | Requires threshold tuning |
| CDN dependency | Cloudflare CDN | Google CDN |
Cloudflare Turnstile
Turnstile runs entirely in the browser using IP reputation, browser fingerprint analysis, and JavaScript behaviour checks. There are no image puzzles, no audio challenges, and no visible widget unless Cloudflare's risk assessment requires a brief interactive check (rare). For most users on most sites, the experience is completely transparent.
Privacy is the headline feature. Cloudflare is an infrastructure company — its business model is charging for network services, not selling advertising. Data collected by Turnstile is used exclusively for bot detection and is not shared with advertising platforms. Most EU legal teams can classify Turnstile as a strictly necessary processing activity under a DPA, which means no consent banner is required for the CAPTCHA component specifically.
The free tier is genuinely free: unlimited verifications with a Cloudflare account, no credit card required. You get a site key and secret key from the Cloudflare dashboard, and you're done.
Front-end integration:
<script src="https://challenges.cloudflare.com/turnstile/v0/api.js" async defer></script>
<div class="cf-turnstile" data-sitekey="YOUR_SITE_KEY"></div>
Turnstile injects a hidden cf-turnstile-response field into the form on a successful challenge. Your PHP reads that token and verifies it server-side:
<?php
function verifyTurnstile(string $token, string $secretKey, string $remoteIp = ''): bool
{
    // An empty token means the widget never ran or the field was stripped from the form.
    if ($token === '') {
        return false;
    }
    $data = ['secret' => $secretKey, 'response' => $token];
    if ($remoteIp !== '') {
        $data['remoteip'] = $remoteIp;
    }
    $context = stream_context_create(['http' => [
        'method'  => 'POST',
        'header'  => 'Content-Type: application/x-www-form-urlencoded',
        'content' => http_build_query($data),
        'timeout' => 5,
    ]]);
    $result = file_get_contents(
        'https://challenges.cloudflare.com/turnstile/v0/siteverify',
        false,
        $context
    );
    // A network failure returns false; treat it as "not verified" (fail closed).
    if ($result === false) {
        return false;
    }
    $response = json_decode($result, true);
    return is_array($response) && ($response['success'] ?? false) === true;
}
// Usage
if (!verifyTurnstile($_POST['cf-turnstile-response'] ?? '', 'YOUR_SECRET_KEY', $_SERVER['REMOTE_ADDR'] ?? '')) {
    http_response_code(403);
    exit('Bot detected.');
}
Pros: fully invisible, privacy-respecting, no GDPR consent banner required for most configurations, generous free tier, pass/fail result with no threshold tuning.
Cons: hard dependency on Cloudflare's network; newer dataset than Google's; if Cloudflare has an outage, your forms stop accepting submissions.
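The outage case in that last point deserves explicit handling rather than a generic "Bot detected." The following is an added example, not code from the article or from Cloudflare: a stricter verifier that raises a distinct exception when siteverify cannot be reached, so the application fails closed deliberately and logs the outage separately from bot rejections, and that checks the hostname and action fields of the siteverify response so a token solved on another site or another form is not accepted. The expected hostname ('example.com') and action name ('contact-form') are assumed configuration values, the two mismatch labels are local to this code and not Cloudflare error codes, and PHP 8.1+ with the cURL extension is assumed.

```php
<?php
declare(strict_types=1);

// Added example (not the article's code). Separates "challenge failed" from
// "could not reach Cloudflare" so the outage policy is a conscious choice.

final class CaptchaUnavailable extends RuntimeException {}

final class TurnstileResult
{
    public function __construct(
        public readonly bool $passed,
        public readonly array $errorCodes,
    ) {}
}

/**
 * @param string $expectedHost   Hostname the widget should have been solved on (assumed config).
 * @param string $expectedAction Value of data-action on the widget, '' to skip the check.
 * @throws CaptchaUnavailable when Cloudflare did not return a usable answer.
 */
function verifyTurnstileStrict(
    string $token,
    string $secretKey,
    string $expectedHost,
    string $expectedAction = '',
    string $remoteIp = '',
    float $timeoutSeconds = 5.0
): TurnstileResult {
    // A missing or absurdly large token is a definite fail, not an outage.
    if ($token === '' || strlen($token) > 2048) {
        return new TurnstileResult(false, ['missing-input-response']);
    }

    $fields = ['secret' => $secretKey, 'response' => $token];
    if ($remoteIp !== '') {
        $fields['remoteip'] = $remoteIp;
    }

    $ch = curl_init('https://challenges.cloudflare.com/turnstile/v0/siteverify');
    curl_setopt_array($ch, [
        CURLOPT_POST              => true,
        CURLOPT_POSTFIELDS        => http_build_query($fields),
        CURLOPT_RETURNTRANSFER    => true,
        CURLOPT_CONNECTTIMEOUT_MS => (int) ($timeoutSeconds * 1000),
        CURLOPT_TIMEOUT_MS        => (int) ($timeoutSeconds * 1000),
        CURLOPT_SSL_VERIFYPEER    => true,
    ]);
    $body      = curl_exec($ch);
    $status    = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    $curlError = curl_error($ch);
    curl_close($ch);

    // Network trouble or a non-200 answer: raise, so the caller picks the policy.
    if ($body === false || $status !== 200) {
        throw new CaptchaUnavailable("siteverify unreachable: HTTP $status $curlError");
    }
    $response = json_decode($body, true);
    if (!is_array($response) || !array_key_exists('success', $response)) {
        throw new CaptchaUnavailable('siteverify returned malformed JSON');
    }

    if ($response['success'] !== true) {
        return new TurnstileResult(false, $response['error-codes'] ?? []);
    }
    // Token is genuine; now make sure it was issued for this site and this form.
    // The two labels below are local to this example, not Cloudflare error codes.
    if (($response['hostname'] ?? '') !== $expectedHost) {
        return new TurnstileResult(false, ['hostname-mismatch']);
    }
    if ($expectedAction !== '' && ($response['action'] ?? '') !== $expectedAction) {
        return new TurnstileResult(false, ['action-mismatch']);
    }
    return new TurnstileResult(true, []);
}

// Usage: fail closed on an outage, but log it separately from bot rejections.
try {
    $result = verifyTurnstileStrict(
        $_POST['cf-turnstile-response'] ?? '',
        'YOUR_SECRET_KEY',
        'example.com',   // assumed: the host the widget lives on
        'contact-form',  // assumed: matches data-action on the widget div
        $_SERVER['REMOTE_ADDR'] ?? ''
    );
    if (!$result->passed) {
        error_log('turnstile rejected: ' . implode(',', $result->errorCodes));
        http_response_code(403);
        exit('Bot detected.');
    }
} catch (CaptchaUnavailable $e) {
    error_log('turnstile outage: ' . $e->getMessage());
    http_response_code(503);
    exit('Verification temporarily unavailable, please retry.');
}
```

Returning 503 instead of 403 during an outage keeps the two failure modes distinguishable in your logs and in any monitoring that alerts on rejection rates; whether to fail closed or queue the submission for later review is then a policy decision the code makes visible rather than one it hides.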
Google reCAPTCHA v3
reCAPTCHA v3 runs in the background on every page load and assigns each user interaction a score from 0.0 (almost certainly a bot) to 1.0 (almost certainly human). Your PHP code receives this score and decides what to do — pass, block, or trigger a secondary check. This gives you fine-grained control, but it also means you have to tune a threshold and accept that you will occasionally block legitimate users or pass marginal bots depending on where you set it.
<?php
function verifyRecaptchaV3(string $token, string $secretKey, float $threshold = 0.5): bool
{
    if ($token === '') {
        return false;
    }
    $url = 'https://www.google.com/recaptcha/api/siteverify?'
        . http_build_query(['secret' => $secretKey, 'response' => $token]);
    $result = file_get_contents($url);
    // Network failure: fail closed rather than treating a missing answer as a pass.
    if ($result === false) {
        return false;
    }
    $response = json_decode($result, true);
    if (!is_array($response) || ($response['success'] ?? false) !== true) {
        return false;
    }
    return (float) ($response['score'] ?? 0) >= $threshold;
}
if (!verifyRecaptchaV3($_POST['g-recaptcha-response'] ?? '', 'YOUR_SECRET_KEY', 0.5)) {
    http_response_code(403);
    exit('Bot detected or low confidence score.');
}
The privacy situation is straightforward: Google processes every page view through reCAPTCHA and uses that data as a signal in its broader user-profiling infrastructure. This is not a conspiracy theory — it is documented in Google's terms of service and is why EU data protection authorities consistently require consent banners for reCAPTCHA. If you have EU users, plan for a cookie consent implementation.
On threshold tuning: 0.5 is a reasonable starting point. Security-sensitive forms (login, password reset, payment) can justify 0.7, but test this against real traffic before deploying — a threshold that's too aggressive will produce false positives and drive away legitimate users. You can log the raw scores for a week before enforcing the block to calibrate.
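The "log first, enforce later" advice is easier to follow with the decision logic separated from the HTTP call. The following is an added example, not code from the article or from Google: a monitor-mode evaluator that takes the already decoded siteverify JSON, binds the token to the expected action and hostname so a token solved on a low-value page cannot be replayed against a high-value form, and records the score; plus a calibration helper that reports what share of logged traffic each candidate threshold would have blocked. The score log and the decoded response are constructed sample data, and 'login' and 'example.com' are assumed names.

```php
<?php
declare(strict_types=1);

// Added example (not the article's code). The HTTP call is left out on purpose:
// feed the decoded siteverify response in, so the policy can be exercised offline.

/**
 * Applies the page's policy to a decoded siteverify response.
 * Returns ['allow' => bool, 'reason' => string, 'score' => ?float].
 * With $enforce = false every genuine token is allowed and only the score is logged.
 */
function evaluateRecaptchaV3(
    array $response,
    string $expectedAction,
    string $expectedHost,
    float $threshold,
    bool $enforce,
    array &$scoreLog
): array {
    if (($response['success'] ?? false) !== true) {
        return ['allow' => false, 'reason' => 'token-invalid', 'score' => null];
    }
    // Bind the token to this form and this site before looking at the score.
    if (($response['action'] ?? '') !== $expectedAction) {
        return ['allow' => false, 'reason' => 'action-mismatch', 'score' => null];
    }
    if (($response['hostname'] ?? '') !== $expectedHost) {
        return ['allow' => false, 'reason' => 'hostname-mismatch', 'score' => null];
    }
    $score = (float) ($response['score'] ?? 0.0);
    $scoreLog[] = ['action' => $expectedAction, 'score' => $score, 'ts' => time()];

    if (!$enforce) {
        return ['allow' => true, 'reason' => 'monitor-only', 'score' => $score];
    }
    return $score >= $threshold
        ? ['allow' => true,  'reason' => 'score-ok',  'score' => $score]
        : ['allow' => false, 'reason' => 'score-low', 'score' => $score];
}

/**
 * For each candidate threshold, the share of logged traffic for one action
 * that would have been blocked. Run on a week of monitor-mode data before
 * switching $enforce to true.
 *
 * @param array<int,array{action:string,score:float}> $scoreLog
 * @return array<string,float> threshold => blocked fraction in [0,1]
 */
function blockedShareByThreshold(array $scoreLog, string $action, array $candidates): array
{
    $scores = array_column(
        array_filter($scoreLog, fn(array $e) => $e['action'] === $action),
        'score'
    );
    $total = count($scores);
    $out = [];
    foreach ($candidates as $t) {
        $blocked = count(array_filter($scores, fn(float $s) => $s < $t));
        $out[sprintf('%.1f', $t)] = $total === 0 ? 0.0 : $blocked / $total;
    }
    return $out;
}

// Constructed sample: monitor-mode scores for the (assumed) 'login' action.
$scoreLog = [];
foreach ([0.9, 0.9, 0.8, 0.7, 0.7, 0.6, 0.3, 0.1, 0.9, 0.8] as $s) {
    $scoreLog[] = ['action' => 'login', 'score' => $s, 'ts' => 0];
}
print_r(blockedShareByThreshold($scoreLog, 'login', [0.3, 0.5, 0.7]));

// Enforcing decision against a constructed decoded response.
$decoded  = ['success' => true, 'score' => 0.4, 'action' => 'login', 'hostname' => 'example.com'];
$decision = evaluateRecaptchaV3($decoded, 'login', 'example.com', 0.5, true, $scoreLog);
if (!$decision['allow']) {
    // A soft fallback (e-mail verification, rate limit) is often better than a hard 403
    // for 'score-low', while 'action-mismatch' and 'token-invalid' deserve the hard block.
}
```

Keeping the reason string alongside the boolean matters in practice: a rise in 'score-low' after a Google model update is a tuning problem, whereas a rise in 'action-mismatch' means someone is replaying tokens between your forms, and the two call for different responses.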
Pros: industry-leading bot detection accuracy backed by Google's search, Gmail, YouTube, and Chrome datasets; 14 years of production use; widely documented.
Cons: data feeds Google's ad network; GDPR consent required in EU; score threshold requires ongoing tuning; some users with privacy-focused browsers or extensions may have reCAPTCHA blocked, causing silent failures.
GDPR and privacy in practice
The legal distinction comes down to third-party cookies and data purpose. reCAPTCHA loads scripts from google.com and sets cookies in the .google.com domain. Under the EU's ePrivacy Directive, third-party cookies that contribute to user profiling require prior informed consent — even if the primary purpose is security. Many EU supervisory authorities have issued guidance specifically naming reCAPTCHA. The practical result is that nearly every EU-facing site using reCAPTCHA needs a consent banner that gates CAPTCHA loading, which degrades UX significantly.
Turnstile's data processing happens under the site owner's DPA with Cloudflare. Cloudflare's sub-processor agreements are structured around infrastructure services, not advertising. Most DPAs allow strictly functional processing (including bot detection) without requiring end-user consent, because there is no user profiling for commercial purposes. In practice, this means Turnstile-powered sites can load the challenge without a consent gate. You should still disclose it in your privacy policy, but the consent banner for CAPTCHA specifically is typically not required.
Which is harder to bypass?
Honest answer: Google probably has a marginal accuracy edge. reCAPTCHA v3 draws signals from Google's full internet dataset — search behaviour, Gmail, YouTube watch history, Chrome usage patterns. That is an extraordinarily rich signal set that no other company can replicate. Sophisticated bot operators who invest in behavioural evasion will find reCAPTCHA harder to fool.
That said, Cloudflare handles over 20% of all internet traffic. Its network-level signals — IP reputation, autonomous system behaviour, global traffic patterns — are also substantial. For the overwhelming majority of PHP projects (contact forms, registration flows, comment systems, checkout pages), both services will stop 99%+ of automated form spam. The difference is academic unless you are operating at a scale where adversaries are specifically targeting your infrastructure with human-like bot farms.
PHP migration from reCAPTCHA to Turnstile
The migration is straightforward — both services use the same token-passing pattern. Here are the four steps:
Step 1: Create a free Cloudflare account at dash.cloudflare.com. Navigate to Turnstile, add your site, and copy the site key and secret key. You do not need to proxy your domain through Cloudflare.
Step 2: Replace the front-end script tag and widget div.
Step 3: Update the server-side verification — change the endpoint URL, change the POST field name, and remove score threshold logic.
Step 4: Deploy and test with a real browser to confirm the hidden field is being submitted correctly.
Before (reCAPTCHA v3):
<?php
$secret = 'YOUR_SECRET_KEY';
$token = $_POST['g-recaptcha-response'] ?? '';
$endpoint = 'https://www.google.com/recaptcha/api/siteverify';
$result = file_get_contents(
    $endpoint . '?' . http_build_query(['secret' => $secret, 'response' => $token])
);
// A failed request yields false; decode to an empty array so the checks below fail closed.
$response = $result === false ? [] : (json_decode($result, true) ?: []);
$passed = ($response['success'] ?? false) && ($response['score'] ?? 0) >= 0.5;
After (Turnstile):
<?php
$secret = 'YOUR_SECRET_KEY';
$token = $_POST['cf-turnstile-response'] ?? '';
$endpoint = 'https://challenges.cloudflare.com/turnstile/v0/siteverify';
$context = stream_context_create(['http' => [
    'method'  => 'POST',
    'header'  => 'Content-Type: application/x-www-form-urlencoded',
    'content' => http_build_query(['secret' => $secret, 'response' => $token]),
]]);
$result = file_get_contents($endpoint, false, $context);
$response = $result === false ? [] : (json_decode($result, true) ?: []);
$passed = ($response['success'] ?? false) === true;
// No score threshold — Turnstile is pass/fail
Most developers complete this migration in under 30 minutes including testing. See PHP Turnstile integration documentation for the full reference.