Cloudflare Turnstile · Angular SSR · FastAPI

Cloudflare Turnstile with Angular and FastAPI to protect a bot interaction

Turnstile is useful when a public Angular page must send a message, launch a bot workflow or call a sensitive backend action without opening the door to automated abuse.

The safe architecture is simple: Angular renders the widget and sends the temporary token; FastAPI validates that token with Cloudflare before the bot does anything.

Security rule

The secret key never belongs in Angular, Git, screenshots or tutorials. If a secret has been shared, rotate it in Cloudflare and deploy the new value only as a backend environment variable.

1. Architecture

The browser is not trusted. It can only obtain a short-lived Turnstile token. FastAPI verifies that token server-side, applies rate limits and then runs the bot action.

1

Angular frontend

Public site key used in the Angular example: 0x4AAAAAADL_SO30Hjut98cd

2

FastAPI backend

Receives turnstile_token, validates length, rate limits and the internal header.

3

Cloudflare Siteverify

Confirms that the token is authentic, not expired and not reused.

4

Protected bot action

Runs only after FastAPI receives a success response.

2. Angular integration

In Angular SSR, load the Turnstile script only in the browser. The widget returns a token through a callback; that token is submitted together with the form payload.

environment

TurnstileLoaderService

Form component

HTML template

3. FastAPI validation

The backend posts the token to Cloudflare Siteverify. A success response is required before the protected bot endpoint returns useful data.

Environment variables

4. Nginx and backend perimeter

If the API is private, Angular should call the public website path and Nginx should inject the internal API key on the server side.

API privada con Nginx y FastAPI. This pattern matches the private API guide with Nginx and FastAPI: Turnstile filters bot abuse, while the internal header prevents third parties from calling the backend directly.

5. Production checklist

1. Rotate secrets

If the secret key has been shared in a chat, ticket or commit, create a new one in Cloudflare and deploy it as TURNSTILE_SECRET_KEY.

2. Always validate server-side

The browser widget is not enough. FastAPI must call Siteverify before the bot runs.

3. Limit abuse

Keep slowapi, limit message length, avoid token logging and return generic errors.

4. Check the hostname

Configure TURNSTILE_EXPECTED_HOSTNAME to accept tokens from the intended domain.

5. Separate responsibilities

Turnstile does not replace login, permissions or the internal proxy key when the API should remain private.

6. Test the full flow

Verify valid tokens, expired tokens, missing tokens, rate limits and direct calls without the internal header.

Conclusion

Turnstile is not magic authentication, but it is a strong friction layer for forms and bot triggers when combined with server-side verification, rate limits and a private API perimeter.

After publishing, request indexing for both language versions because the page has a unique title, canonical, description, H1 and substantial SSR content.

Related readings

These articles complete the security and Angular SSR context:

Proteger API Angular con Nginx y FastAPIhCaptcha en Angular UniversalGoogle reCAPTCHA en AngularAPI cripto con FastAPI
2025 © 1938.com.es 1938web@gmail.com

Privacy Policy