Ask HN: Should I use Cloudflare Turnstile to secure my public endpoints?
3 points by zxt_tzx 9 months ago | 4 comments
I am building a web app and I have a few public endpoints that I would like to secure without compromising the UX. This is all a bit ironic because I have no users and yet here I am writing this.

In any case, I hate CAPTCHAs and the only thing I hate even more are Arkose challenges on Twitter (or X if you're into that kind of pedantry). They remind me of the "considerable overlap between intelligence of smartest bears and dumbest tourists" meme and, for the sake of the Web, I wish those EAs would get a move on bombing OpenAI's data centers.

So imagine my joy when I saw Cloudflare offering "a free tool to replace CAPTCHAs" that "delivers frustration-free, CAPTCHA-free web experiences to website visitors". But as my grandma always said, if something is too good to be true, it probably is ("just eat your porridge, grams, yes we're family, no we're not trying to poison you").

I blithely integrated Turnstile to protect my public API endpoints from robots and non-existent users. I did a bit of research on Turnstile and it seems to rely on the few advantages that humans will continue to have over bots, namely the ability to open dev tools and the surplus RAM to do pointless computations.

However, trouble struck when I got a friend to try out my application. As he is not a programmer who lives in his mum's basement and actually has a social life, he tried to use it on the go and he told me that he could not get past the loading screen (gated by Turnstile). It turns out that Turnstile thinks you're a bot if you're on iOS + mobile data. No, he doesn't use VPN or Tor or Firefox or Arch Linux.

I successfully replicated the issue. It turns out I missed it earlier because I tested with iOS + the basement WiFi. Sometimes, iOS would prompt me to "reduce protection", which would convince Turnstile that I am not a bot. I wonder if iOS privacy protections might be at issue here.

A light bulb went off in my head: what if I turned on Cloudflare WARP on my phone? Surprise, surprise, Turnstile no longer thinks I am a bot. Once you eliminate the impossible, whatever remains, no matter how improbable, must be the truth: Cloudflare Turnstile is a conspiracy by Cloudflare to centralize the Web.

All of which is a roundabout way of asking: Should I use Cloudflare Turnstile to secure my application’s public endpoints? Are there any other user-friendly alternatives that the HN community might recommend? Why am I concerned with bots flooding my application when I have no users?

TLDR:

- Cloudflare Turnstile doesn’t seem to work well for normies (iOS + mobile data). Occasionally, Safari gives you the option to reduce protection, which would make it work. Root cause unclear.

- However, if I connect to Cloudflare WARP, surprise surprise, I can get past Turnstile on iOS + mobile Internet. Cloudflare Turnstile is most certainly a conspiracy by Cloudflare to centralize the Web.

- Are there any alternatives to Cloudflare Turnstile? Or am I committing the cardinal sin of premature optimization?

- Might anyone be interested in becoming beta testers for my application, an email screening service for Gmail? If so, head over to: https://app.inboxhero.org/

Edit: it turns out the HN login endpoint blocks Cloudflare WARP's IPs by default. I guess this is the state of the Web in the 2023rd year of our Lord.
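For anyone wiring Turnstile in front of API endpoints the way the post describes, the part the widget does not do for you is the server-side check. The following is an added example (not code from the post, and not Cloudflare's own library): it calls the documented siteverify endpoint, then binds the result to the deployment by checking `hostname` and `action`, since a token minted for someone else's site also comes back `"success": true`. The transport is injectable so the scenarios below run offline against a constructed stand-in; the form field name, hostname, action and token strings are assumptions for illustration.

```python
"""Server-side validation of a Cloudflare Turnstile token (added example).

Assumes the client posts the widget's token in a form field named
``cf-turnstile-response`` (the widget default) and that the server knows which
hostname and widget ``action`` it expects. Hostnames/tokens below are made up.
"""
import json
import urllib.parse
import urllib.request
from dataclasses import dataclass, field
from typing import Callable, Optional

SITEVERIFY_URL = "https://challenges.cloudflare.com/turnstile/v0/siteverify"

# Transport: takes the form fields, returns the decoded JSON body.
Poster = Callable[[dict], dict]


def http_post(fields: dict) -> dict:
    """Real transport: form-encoded POST to siteverify, JSON back."""
    data = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request(SITEVERIFY_URL, data=data, method="POST")
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.load(resp)


@dataclass
class VerifyResult:
    ok: bool
    reason: str
    error_codes: list = field(default_factory=list)


def verify_turnstile(token: Optional[str], secret: str, remote_ip: Optional[str],
                     expected_hostname: str, expected_action: str,
                     post: Poster = http_post) -> VerifyResult:
    # An empty token is exactly what a client whose widget never passed sees;
    # reject locally instead of burning a round trip on "missing-input-response".
    if not token:
        return VerifyResult(False, "no token supplied")
    fields = {"secret": secret, "response": token}
    if remote_ip:
        fields["remoteip"] = remote_ip
    try:
        body = post(fields)
    except Exception as exc:  # network failure, timeout, non-JSON body
        return VerifyResult(False, f"siteverify unreachable: {exc}")
    codes = body.get("error-codes", [])
    if not body.get("success"):
        return VerifyResult(False, "challenge failed", codes)
    # success:true only says "some Turnstile widget was solved"; pin it to ours.
    if body.get("hostname") != expected_hostname:
        return VerifyResult(False, f"hostname mismatch: {body.get('hostname')!r}")
    if body.get("action") != expected_action:
        return VerifyResult(False, f"action mismatch: {body.get('action')!r}")
    return VerifyResult(True, "ok")


def fake_siteverify(fields: dict) -> dict:
    """Constructed stand-in for Cloudflare's reply so this runs offline.

    The token value selects a scenario; real tokens are opaque strings.
    """
    token = fields["response"]
    if token == "good-token":
        return {"success": True, "hostname": "app.example.org", "action": "login",
                "challenge_ts": "2023-01-01T00:00:00Z", "error-codes": []}
    if token == "replayed-token":
        # Tokens are single-use and short-lived; a second check fails like this.
        return {"success": False, "error-codes": ["timeout-or-duplicate"]}
    if token == "other-site-token":
        return {"success": True, "hostname": "evil.example.net", "action": "login",
                "error-codes": []}
    return {"success": False, "error-codes": ["invalid-input-response"]}


def run_scenarios() -> dict:
    """Run the verifier over each constructed scenario and return the results."""
    common = dict(secret="0x-test-secret", remote_ip="203.0.113.7",
                  expected_hostname="app.example.org", expected_action="login",
                  post=fake_siteverify)
    cases = [("valid", "good-token"), ("replay", "replayed-token"),
             ("wrong_site", "other-site-token"), ("garbage", "zzz"),
             ("missing", None)]
    return {name: verify_turnstile(tok, **common) for name, tok in cases}


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:>10}: ok={result.ok} reason={result.reason} {result.error_codes}")
```

Two caveats worth keeping in mind: siteverify accepts each token once and only for a short window (Cloudflare documents a 300-second validity), so verify it on the request it protects rather than caching the outcome; and the iOS + mobile data failure described in the post happens entirely in the browser before any token exists, so all the server ever observes for those users is the "no token supplied" branch, which is worth logging separately from real challenge failures.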




Did your friend enable iCloud Private Relay by any chance?

Either way, you're probably optimizing too prematurely for sure. Before you have any users, the right way to do this is to a) either set up Turnstile and don't worry until someone complains, or b) set up a 60 requests per minute global rate limit (just in case). Once you see people are abusing it, you can try to find out what it takes to fix that.
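Option b) above is small enough to show in full. This is an added example, not code from the comment: a token bucket sized for 60 requests per minute, global (one bucket for the whole service, as the comment suggests) rather than per client. The clock is injectable so the burst-and-refill behaviour can be exercised deterministically; the in-process state is an assumption, and a deployment with more than one instance would need to keep the bucket somewhere shared.

```python
"""Global 60 requests/minute limit as a token bucket (added example).

Single-process only: the bucket lives in memory. Multi-instance deployments
need shared state (e.g. Redis), which is deliberately left out here.
"""
import time
from typing import Callable


class TokenBucket:
    """Allow up to `rate` requests per `period` seconds, refilling continuously."""

    def __init__(self, rate: int, period: float,
                 clock: Callable[[], float] = time.monotonic):
        self.capacity = float(rate)
        self.refill_per_sec = rate / period
        self.tokens = float(rate)          # start full so the first burst is served
        self.clock = clock
        self.last = clock()

    def _refill(self) -> None:
        now = self.clock()
        self.tokens = min(self.capacity,
                          self.tokens + (now - self.last) * self.refill_per_sec)
        self.last = now

    def allow(self) -> bool:
        """Consume one token if available; False means the request should get a 429."""
        self._refill()
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False

    def retry_after(self) -> float:
        """Seconds until one token is available, for a Retry-After header."""
        self._refill()
        if self.tokens >= 1.0:
            return 0.0
        return (1.0 - self.tokens) / self.refill_per_sec


class FakeClock:
    """Manually advanced clock so the simulation below is deterministic."""

    def __init__(self) -> None:
        self.t = 0.0

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


def simulate_burst() -> dict:
    """100 requests at once, then 31 more after half the window has elapsed."""
    clock = FakeClock()
    bucket = TokenBucket(rate=60, period=60.0, clock=clock)
    burst = [bucket.allow() for _ in range(100)]       # only the first 60 pass
    clock.advance(30.0)                                 # 30 s at 1 token/s => 30 tokens
    second = [bucket.allow() for _ in range(31)]        # 30 pass, the 31st is refused
    return {
        "burst_allowed": sum(burst),
        "burst_denied": burst.count(False),
        "after_30s_allowed": sum(second),
        "after_30s_denied": second.count(False),
        "retry_after": round(bucket.retry_after(), 2),
    }


if __name__ == "__main__":
    print(simulate_burst())
```

A global bucket protects the backend from a flood, not an individual from being locked out by someone else's flood; once there are real users the same class keyed per client IP or per account is the natural next step.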


> Did your friend enable iCloud Private Relay by any chance?

Nope, he did not

> a) either set up Turnstile and don't worry until someone complains, or b) set up a 60 requests per minute global rate limit (just in case)

I guess technically a) is what I've done and my friend is the one who has complained.

But you're right, it's definitely premature optimization and I'm now doing the uncomfortable thing of trying to do marketing and get more customers instead of the more comfortable engineering work...


I use Cloudflare Turnstile, it looks good.


Have you tested the scenario I described, i.e. iOS + mobile data? I wonder if there are other variables too, e.g. the country I am in, etc.




