Pre-clearance support
Pre-clearance in Turnstile allows websites to streamline user experiences by using clearance cookies. These cookies enable visitors to bypass WAF challenges downstream, based on the security clearance level set by the customer. This can be particularly useful for trusted visitors, enhancing usability while maintaining security.
You can integrate Cloudflare challenges by allowing Turnstile to issue a pre-clearance cookie. The pre-clearance level is set upon widget creation or widget modification using the Turnstile API's clearance_level. Possible values for the configuration are:
no_clearancejschallengemanagedinteractive
All widgets are set to no_clearance by default.
For Enterprise customers eligible to toggle off domain checks, Cloudflare recommends issuing pre-clearance cookies on widgets where at least one domain is specified.
Refer to the blog post ↗ for more details on how pre-clearance works with WAF.
- Interactive (High): Allows a user with a clearance cookie to not be challenged by Interactive, Managed Challenge, or JavaScript Challenge Firewall Rules
- Managed (Medium): Allows a user with a clearance cookie to not be challenged by Managed Challenge or JavaScript Challenge Firewall Rules
- Non-interactive (Low): Allows a user with a clearance cookie to not be challenged by JavaScript Challenge Firewall Rules
Clearance cookies generated by the Turnstile widget will be valid for the time specified by the zone-level Challenge Passage value. To configure the Challenge Passage setting, refer to the WAF documentation.
To set up pre-clearance cookies, refer to Enable pre-clearance cookies.