Goodbye reCAPTCHA, hello Turnstile

Let’s switch to a better, free alternative with a fair price

--

I was relatively happy with Google reCAPTCHA. It stopped bots on some apps, for free, and its assessment score was great for allowing some actions without disrupting the navigation flow. Users helped identify images through the service, websites got protection from bots, everyone was happy.

Then, Google started milking the companies who used reCAPTCHA.

I found out about this thanks to an email from Google. They announced they would start charging for reCAPTCHA through Google Cloud Platform, and that the “free” tier would only cover 10,000 assessments a month.

You shouldn’t trust that 10,000 free assessments will be enough. On a very small site that number won’t be a problem, but it becomes one as soon as the check is recurrent. Imagine being capped at 10,000 user authentications, comment submissions or even downloads a month.

I tried to find some non-breaking alternatives with similar quality. The first was hCaptcha, which seems similar but with worse pricing than Google. The second alternative was rolling your own CAPTCHA image, with all the pitfalls of being ineffective against bots that have decent OCR capabilities.

Eventually I landed with Cloudflare Turnstile, probably the best one of all I could find.

Cloudflare Turnstile to the rescue

Cloudflare Turnstile is basically Google reCAPTCHA without the part where you click on every picture with a bicycle. Instead, it runs device and behavior checks to decide whether any interaction is required at all. You may have seen this box on a lot of sites.

Apart from that, it works the same as the classic Google reCAPTCHA checkbox (called “Version 2”) minus the abrasive interaction: the widget hands your form a short-lived token, and your backend must verify that token with Cloudflare before trusting the request.

Because I needed to migrate quickly, I created a package for Laravel that lets any application implement Cloudflare Turnstile, especially one that already uses Google reCAPTCHA and wants something similar.

The idea of the package is simple: let the developer put the widget anywhere, and verify the challenge any way they want, through the included Form Request, a middleware, a validation rule, or even manually.

<form method="POST" action="{{ route('comment.store') }}">
    @csrf
    <textarea name="body"></textarea>

    {{-- Renders the Turnstile widget; the token it produces is submitted with the form --}}
    <x-turnstile::widget />

    <button type="submit">
        Comment
    </button>
</form>

Personally, since I use Cloudflare Turnstile on only a handful of routes, I like to use the TurnstileRequest class, which keeps my controllers really simple. It’s also a great class to extend when creating custom Form Requests, like one for storing comments.

use App\Models\Comment;
use Illuminate\Support\Facades\Route;
use Laragear\Turnstile\Http\Requests\TurnstileRequest;

// Resolving TurnstileRequest verifies the Turnstile token before the closure
// runs, so the handler body only has to deal with the comment itself.
Route::post('comment', function (TurnstileRequest $request) {
    $validated = $request->validate([
        'body' => 'required|string',
    ]);

    return Comment::create($validated);
});
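For those who prefer the “manual” path mentioned above, this is what the verification looks like without any package. It is an added example, not Laragear Turnstile’s code: it posts the token to Cloudflare’s siteverify endpoint and then refuses anything that is not a clean pass for the expected hostname and widget action. The `TURNSTILE_SECRET` environment variable name, the `example.com` hostname and the `comment` action (which assumes the widget was rendered with `data-action="comment"`) are assumptions for the illustration; `cf-turnstile-response` is the field name the widget uses by default.

```php
<?php
declare(strict_types=1);

// Added example, not the Laragear package's code: framework-free verification
// of a Turnstile token against Cloudflare's siteverify endpoint.

const SITEVERIFY_URL = 'https://challenges.cloudflare.com/turnstile/v0/siteverify';

/**
 * Sends the token to Cloudflare and returns the decoded JSON body, or null on
 * a transport or decoding failure. $remoteIp is optional but lets Cloudflare
 * tie the token to the visitor's address.
 */
function turnstileSiteverify(string $secret, string $token, ?string $remoteIp = null): ?array
{
    $fields = ['secret' => $secret, 'response' => $token];
    if ($remoteIp !== null) {
        $fields['remoteip'] = $remoteIp;
    }

    $ch = curl_init(SITEVERIFY_URL);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query($fields),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_TIMEOUT        => 5,
    ]);
    $body = curl_exec($ch);
    curl_close($ch);

    if (!is_string($body)) {
        return null;
    }
    $json = json_decode($body, true);

    return is_array($json) ? $json : null;
}

/**
 * Decides whether a siteverify result may be trusted for this request.
 * "success" alone is not enough: also pin the hostname the widget was solved
 * on and the action it was rendered for, otherwise a token solved on another
 * site or another form could be replayed against this endpoint.
 */
function turnstileAccept(?array $result, string $expectedHostname, string $expectedAction): bool
{
    if ($result === null || ($result['success'] ?? false) !== true) {
        return false;
    }
    if (($result['hostname'] ?? '') !== $expectedHostname) {
        return false;
    }
    if (($result['action'] ?? '') !== $expectedAction) {
        return false;
    }

    return true;
}

// Usage in a plain form handler. The widget posts its token as
// "cf-turnstile-response"; TURNSTILE_SECRET is an assumed variable name.
$token  = $_POST['cf-turnstile-response'] ?? '';
$secret = getenv('TURNSTILE_SECRET') ?: '';

$result = turnstileSiteverify($secret, $token, $_SERVER['REMOTE_ADDR'] ?? null);

if (!turnstileAccept($result, 'example.com', 'comment')) {
    http_response_code(422);
    echo 'Challenge failed: ' . implode(', ', $result['error-codes'] ?? ['no-response']);
    exit;
}

// ...the request is verified, store the comment here.
```

Cloudflare publishes dummy secret keys for development: `1x0000000000000000000000000000000AA` always returns success and `2x0000000000000000000000000000000AA` always fails, so both branches can be exercised without a real widget. Tokens are single-use and expire after 300 seconds; a replayed or stale token comes back with `timeout-or-duplicate` in `error-codes`, which is why the result has to be fetched for every request rather than cached.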

Something that can be considered either a blessing or a curse is that Cloudflare Turnstile is not Google reCAPTCHA. While the interaction is much better, it doesn’t seem to be an infallible solution against bots, and you can see in the Cloudflare dashboard that some bots get through.

On the other hand, Google’s offering is very complete, and Version 3 is a great opaque solution that returns a score for each request. That score can be used in your application to avoid disrupting the interaction flow and to make decisions based on the odds that the user is a human or a bot. If you depend on the latter, there is not much alternative to opening the wallet.

There is still a point in using hCaptcha or reCAPTCHA, though, and it’s their features. Both offer the abrasive interaction CAPTCHAs are known for, which is very effective at stopping bots before they do something.

I can see applications wanting to keep these services. Some applications are the backbone of their business, and protection from bots and AI crawlers is reason enough to invest in it. If an app requires these types of assessments, then its business has the resources to pay for them.

Meanwhile, I have officially abandoned my Laragear reCAPTCHA library for Laravel. No more updates, no more fixes. Those looking to migrate their application to Laravel 12 or later will want to use Laragear Turnstile.

The rest can patiently wait until Google updates its official PHP client with the influx of money it will get. Maybe they’ll use AI for that, who knows.

--

Written by Italo Baeza Cabrera

Graphic Designer graduate. Full Stack Web Developer. Retired Tech & Gaming Editor. https://italobc.com