Our account creation form is publicly accessible, and open to abuse by
spammers. The spam bots enter random email addresses and increase our
bounce rate.
We decided to add a captcha to the form to prevent this abuse. I
evaluated a few options and decided to use Cloudflare's Turnstile since
it's free and privacy-friendly. It's also easy to implement. [^1]
We add their client-side widget to our form. This widget add token input
and we use this token to verify the captcha on the server-side.
I added `cloudflare_turnstile.erb` component to add Cloudflare Turnstile
to any form easily. External Cloudflare script is loaded only when the
component is used.
There are 3 different modes for Turnstile: managed, non-interactive, and
invisible [^2]. It's configurable in the Cloudflare UI. I think we can
start with the invisible mode and see how it goes.
[^1]: https://developers.cloudflare.com/turnstile/get-started/
[^2]: https://developers.cloudflare.com/turnstile/concepts/widget/
69e7ecfd3c