
Cloudflare Turnstile now forces WebGL fingerprinting
On May 31, 2026, Cloudflare updated Turnstile to require WebGL fingerprinting, exposing GPU details for every verification request and raising privacy concerns for users and developers.
As of May 31, 2026, Cloudflare’s Turnstile service requires WebGL fingerprinting for every verification request, according to the company’s release notes and reporting by HypnoticOcelot on hn‑front. [HypnoticOcelot on hn-front]
What shipped
Turnstile now injects a hidden canvas that calls WebGL APIs. The browser must expose the GPU vendor, renderer, unmasked renderer string, and shader‑precision formats. This information is bundled with existing signals—mouse movement, timing, and device characteristics—and sent to Cloudflare’s verification endpoint to compute a risk score. [HypnoticOcelot on hn-front]
Why it matters
The mandatory WebGL data removes a common privacy mitigation: disabling WebGL. Users who rely on privacy extensions that block canvas now lose that protection, and their devices become uniquely identifiable across any site that uses Turnstile. Engineers building privacy‑focused web apps must either accept the extra fingerprint or implement a fallback that disables Turnstile, which can break login flows. The expanded inventory of device fingerprints also raises concerns among privacy advocates about long‑term tracking. [HypnoticOcelot on hn-front]
Immediate impact
Sites that already integrated Turnstile report an average verification latency increase of roughly 50 ms due to the extra WebGL handshake. Developers have added feature‑detection code to warn users when their browsers block WebGL, explaining that the challenge cannot be completed. Cloudflare’s documentation states the WebGL requirement will be enforced on all browsers that support the API, with no opt‑out. [HypnoticOcelot on hn-front]
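The feature detection described above, together with the WebGL attributes listed under "What shipped", as an added example (not Cloudflare's code or any site's own). The function names `probeWebGL` and `webglNotice` and the injectable `createCanvas` parameter are hypothetical; the WebGL calls are the standard browser API.

```javascript
// Added example: report whether WebGL is usable and which GPU attributes page script can read.
// createCanvas is injectable (an assumption of this sketch) so it can run outside a browser.
function probeWebGL(createCanvas = () => document.createElement("canvas")) {
  let gl = null;
  try {
    const canvas = createCanvas();
    gl = canvas.getContext("webgl") || canvas.getContext("experimental-webgl");
  } catch (e) {
    // Some blockers throw instead of returning null.
    return { available: false, reason: "canvas or getContext threw: " + e.message };
  }
  if (!gl) return { available: false, reason: "no WebGL context (disabled or blocked)" };

  const exposed = {
    vendor: gl.getParameter(gl.VENDOR),
    renderer: gl.getParameter(gl.RENDERER),
    unmaskedVendor: null,
    unmaskedRenderer: null,
    shaderPrecision: {},
  };
  // The unmasked strings are readable only when this extension is exposed.
  const dbg = gl.getExtension("WEBGL_debug_renderer_info");
  if (dbg) {
    exposed.unmaskedVendor = gl.getParameter(dbg.UNMASKED_VENDOR_WEBGL);
    exposed.unmaskedRenderer = gl.getParameter(dbg.UNMASKED_RENDERER_WEBGL);
  }
  for (const shader of ["VERTEX_SHADER", "FRAGMENT_SHADER"]) {
    for (const prec of ["LOW_FLOAT", "MEDIUM_FLOAT", "HIGH_FLOAT"]) {
      const f = gl.getShaderPrecisionFormat(gl[shader], gl[prec]);
      if (f) exposed.shaderPrecision[shader + "." + prec] = [f.rangeMin, f.rangeMax, f.precision];
    }
  }
  return { available: true, exposed };
}

// Message a site could show before loading the widget.
function webglNotice(result) {
  if (!result.available) {
    return "WebGL is unavailable (" + result.reason + "); the verification challenge cannot be completed in this browser.";
  }
  const unmasked = result.exposed.unmaskedRenderer !== null;
  return "WebGL is available; GPU vendor, renderer and shader precision are readable" +
    (unmasked ? ", including the unmasked renderer string." : "; unmasked renderer is not exposed.");
}
```

In a browser, call `probeWebGL()` with no argument; the returned `exposed` object is the set of values any script on the page can read through the same calls.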


