I’m currently using Cookiebot for cookie compliance on my Webflow site, and it’s flagging a cookie named cf.turnstile.u, which is set by challenges.cloudflare.com.
According to Cookiebot, this cookie is loading before end-user consent is given, which could be a compliance issue under GDPR/ePrivacy rules unless it’s considered strictly necessary.
Could you confirm:
Is the cf.turnstile.u cookie essential for security or bot protection?
Is it possible to prevent this cookie from loading until after the user gives consent via my cookie banner?
If not, can you confirm Webflow’s legal basis for loading this cookie pre-consent?
You’d need to open a ticket with Webflow support to determine Webflow’s official stance.
My assumption is:
It’s essential for Cloudflare Turnstile (forms bot protection) to work, and you need that to work even if the user doesn’t click cookie consent. Otherwise it’s absolutely useless. Bots won’t click cookie consent.
It’s considered an essential cookie in the same way a login auth token cookie is essential. It is not used for marketing, analytics, PII capture, etc.
If the cookie is still a problem for you, you can just disable bot protection in your site dashboard settings, which will remove bot protection from your forms but also eliminate this cookie.
If you want to know more, research the Cloudflare Turnstile docs and Cloudflare’s forums; they’ll have the most info regarding cookie consent.
That cookie is tied to Cloudflare Turnstile and counts as strictly necessary since it’s required for form bot protection. Cookiebot will flag it, but you can’t delay it until consent without breaking forms. Only workaround is disabling bot protection in site settings if compliance takes priority.
Actually, you have control to mark it as a ‘necessary’ cookie in Cookiebot so it will no longer be flagged in reports. Interesting: this cookie was not present before when I went through all the cookies to make such determinations. Is it a relatively ‘new’ addition in Webflow?
The cf.turnstile.u cookie is used for Cloudflare bot protection and security, so it’s generally considered essential. Because of this, it usually loads before consent. For full GDPR compliance, you can manage other non-essential cookies with your banner, or use tools like Ketch to handle consent and data management more robustly.