The crack
Almost every signup form on the internet asks you to prove you are human by solving a puzzle. Find the buses. Read the warped text. Try again because it did not like your answer.
We stopped questioning this years ago. It is just the toll you pay to create an account. But that toll is real: seconds of friction on every form, a hard wall for users on screen readers, and measurable drop-off that teams quietly write off as the cost of stopping bots.
Why it persists
Puzzles feel like security because they are visibly hard. That is the trap. The difficulty is aimed at the wrong target. Modern bots solve image challenges cheaply, while real users carry the cost. The work is loud and the protection is thin.
The fix on Cloudflare
Cloudflare Turnstile moves the challenge off the user and into the browser. It runs lightweight, privacy-preserving signals in the background and issues a token. No puzzles in the common case. The server then verifies that token against Cloudflare before trusting the request.
The important part for a buyer is that the failure path is still strong. When the signals look like a bot, the request does not pass. You get the protection without taxing the human.
How I built the demo
The demo is a normal sign-in form with the Turnstile widget mounted on it. On submit, the token is posted to a Cloudflare Pages Function that calls the official siteverify endpoint and returns the raw result.
A toggle flips between Cloudflare’s documented "always passes" and "always fails" test keys, so in an interview I can show both the invisible success and a genuine blocked-bot response on demand. A debug drawer prints the actual siteverify JSON, because an SE should always be able to show the wiring, not just the happy path.
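The server-side half described above, as an added example rather than the demo's own code: a handler in the Pages Function shape that posts the token to siteverify and fails closed on a missing token, an unreachable endpoint, a rejection, or a hostname mismatch. The env names TURNSTILE_SECRET_KEY and EXPECTED_HOSTNAME, the fetchImpl option, and the { ok, reason, raw } result shape are assumptions made for this sketch.

```javascript
// Added example: verify a Turnstile token server-side and fail closed.
const SITEVERIFY_URL = "https://challenges.cloudflare.com/turnstile/v0/siteverify";

// opts.fetchImpl is a hypothetical injection point so the logic can be tested offline.
async function verifyTurnstile(token, secret, opts = {}) {
  const { remoteip, expectedHostname, fetchImpl = globalThis.fetch } = opts;
  // No token means the widget never ran or the field was stripped: reject
  // without spending a siteverify call.
  if (typeof token !== "string" || token.length === 0) {
    return { ok: false, reason: "missing-token", raw: null };
  }
  const body = new URLSearchParams({ secret, response: token });
  if (remoteip) body.set("remoteip", remoteip);
  let raw;
  try {
    const res = await fetchImpl(SITEVERIFY_URL, { method: "POST", body });
    if (!res.ok) return { ok: false, reason: `siteverify-http-${res.status}`, raw: null };
    raw = await res.json();
  } catch (err) {
    // Network or parse failure: treat as unverified, never as a pass.
    return { ok: false, reason: "siteverify-unreachable", raw: null };
  }
  if (!raw || raw.success !== true) return { ok: false, reason: "rejected", raw };
  // The challenge must have been served on the hostname this form lives on.
  if (expectedHostname && raw.hostname !== expectedHostname) {
    return { ok: false, reason: "hostname-mismatch", raw };
  }
  return { ok: true, reason: "verified", raw };
}

// Handler in the Pages Function shape; in a real functions/ file this would be
// exported as onRequestPost. The env variable names are assumptions.
async function onRequestPost({ request, env }) {
  const form = await request.formData();
  const result = await verifyTurnstile(
    form.get("cf-turnstile-response"), // field name the widget adds to the form
    env.TURNSTILE_SECRET_KEY,
    {
      remoteip: request.headers.get("CF-Connecting-IP"),
      expectedHostname: env.EXPECTED_HOSTNAME,
    }
  );
  // The raw siteverify JSON rides along so a debug drawer can display it.
  return new Response(JSON.stringify(result), {
    status: result.ok ? 200 : 403,
    headers: { "content-type": "application/json" },
  });
}
```

Outside a demo, return only the ok/reason pair to the browser and keep the raw siteverify JSON in server logs.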