Protect the widget with Turnstile
Cloudflare Turnstile adds bot protection to widget chat and feedback requests.
Allowed domains protect where the widget can load. Turnstile adds a per-request verification token, which helps block scripted requests against a known project ID.
When to enable it
Turnstile is optional. Enable it when:
- Chat usage spikes without matching pageviews
- You see unexplained widget traffic
- You are close to a monthly message cap
- Your site already requires stronger bot protection on interactive forms
Low-traffic projects can start without Turnstile and enable it later.
Setup
- Open Cloudflare Turnstile .
- Add a site and keep widget mode on
Managed. - Add every hostname where the Knoku widget runs.
- Copy the site key and secret key.
- In Knoku, open Project > Settings > Security.
- Paste both keys and enable Turnstile.
Match Cloudflare hostnames to the values on Domains. Apex domains and subdomains are different hosts.
The Knoku widget picks up the site key from project config on the next page load. No embed-code change is required.
Verify
Open the widget on an allowed site and send a message.
In the browser Network tab, the request to /api/v1/chat should include a cf-turnstile-response header.
To confirm enforcement, send the same request without that header. The API should return:
{ "error": "turnstile_failed" }Strict CSP sites
If your site sends a Content-Security-Policy header, allow Cloudflare Turnstile:
script-src https://challenges.cloudflare.com
frame-src https://challenges.cloudflare.com
connect-src https://challenges.cloudflare.comWithout these directives, the Turnstile script cannot load and widget requests fail.
Rotate or disable
Paste a new secret key under Project > Settings > Security to rotate. Existing visitors do not need to reload because Turnstile tokens are short-lived.
Disable Turnstile from the same page if you lose access to Cloudflare or need to return to domain-only protection.
What is sent to Cloudflare
When Turnstile is enabled, each widget chat and feedback request triggers a server-side verification call to Cloudflare’s siteverify endpoint.
The verification request includes your secret key, the visitor’s one-time token, and the visitor IP. Knoku does not persist the Cloudflare score.
Reference Cloudflare in your privacy policy or subprocessors list when your compliance process requires it.