Resolving Cloudflare Turnstile & WAF Errors
Cloudflare provides multiple protection layers including Turnstile (CAPTCHA alternative) and WAF rules. Turnstile generates JavaScript tokens for verification, while WAF blocks return 403/429 status codes. MeshPrivacy handles both Turnstile token resolution and WAF challenge resolution.
Turnstile Error Codes
| Code Range | Meaning | Retry? |
|---|---|---|
| 100*** | Initialization failed | No - reload page |
| 102*** | Network/parameter issues | Yes |
| 103*** | Browser compatibility | Yes |
| 110100 | Invalid sitekey | No - check config |
| 300*** | Bot behavior detected | No |
| 600*** | Challenge execution failed | No - automation detected |
WAF Error Codes
| Code | Meaning | Resolution |
|---|---|---|
| 403 | WAF rule triggered | Resolve challenge via API |
| 429 | Rate limit exceeded | Reduce frequency, obtain clearance |
| 530 | Site frozen/suspended | Contact site owner |
| 520 | Web server down (WAF blocking) | Retry with valid clearance |
Service Variants
Cloudflare Turnstile token resolution. Returns a valid token that can be submitted with forms or API requests. Token TTL: approximately 5 minutes.
Cloudflare WAF challenge resolution. Solves JavaScript challenges and returns cf_clearance cookie for subsequent requests.
Integration Example
// Submit Cloudflare Turnstile task to MeshPrivacy
const response = await fetch('https://api.meshprivacy.com/v1/tasks/submit', {
method: 'POST',
headers: {
'Content-Type': 'application/json',
'X-API-Key': API_KEY
},
body: JSON.stringify({
service: 'turnstile',
url: 'https://target-site.com/',
sitekey: '0x4AAAAAA...', // From page source data-sitekey attribute
proxy_config: 'http://user:pass@ip:port', // Your proxy
user_agent: 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36...'
})
});
const { task_id } = await response.json();
// Poll for result
const result = await fetch(`https://api.meshprivacy.com/v1/tasks/result/${task_id}`, {
headers: { 'X-API-Key': API_KEY }
});
const { token } = await result.json();
// Submit token with your form as cf-turnstile-responseFAQ
The sitekey is in the page HTML, typically in a data-sitekey attribute on the Turnstile widget div, or passed to the turnstile.render() function.
Turnstile tokens are valid for approximately 5 minutes from generation. Submit tokens promptly after receiving them from the API.
Turnstile is an explicit challenge (like CAPTCHA) that returns a token for form submission. cf_clearance is a cookie from WAF challenges that grants access to protected pages.