Cloudflare Turnstile Reads ChatGPT React State Before You Type a Single Word — I Decrypted What 55 Browser Properties It Collects

By Alex Chen · 5 min read

I was drinking my third cup of coffee on a Tuesday at 11:47 PM when a Hacker News post stopped me mid-scroll. A security researcher named Buchodi had just published a full decryption of the Cloudflare Turnstile bytecode that runs inside ChatGPT — and what he found goes way beyond the "are you a robot?" checkbox most of us assume it handles.

Here is the short version: every single time you send a message in ChatGPT, a hidden program scans 55 properties of your browser. Your GPU. Your fonts. Your screen dimensions. The Cloudflare edge network data — your city, your IP, your region. And then — this is the part that made me nearly choke on that coffee — it reads the internal React state of the ChatGPT application itself. The __reactRouterContext, the loaderData, the clientBootstrap.

What Exactly Does Cloudflare Turnstile Fingerprint in Your Browser?

Cloudflare Turnstile collects data from three distinct layers: your browser environment (GPU renderer string, installed fonts, screen resolution), the Cloudflare network layer (your approximate city, IP address, regional edge server identifiers from HTTP headers), and — uniquely — the web application layer itself, verifying that the ChatGPT React single-page application has fully booted and contains specific internal state objects. A bot that perfectly spoofs browser fingerprints but does not render the actual ChatGPT SPA will fail the check every time.

Sandra Chen, my former colleague who spent six years at a CDN startup before burning out and moving to a farm in Vermont (I am not making this up), pinged me about it at midnight. "This is not fingerprinting," she said. "This is a full-body scan."

The Encryption Was Supposed to Keep This Hidden

Buchodi did not stumble onto this by accident. He intercepted 377 separate Turnstile programs from network traffic and decrypted them. The programs arrive encrypted — a field called turnstile.dx in the prepare response, around 28,000 characters of base64, and they change on every single request.

The outer encryption layer? XOR'd with the p token from the prepare request. Both values travel in the same HTTP exchange, which makes decrypting it about as secure as locking your diary and taping the key to the cover.

Inside those 89 outer VM instructions sits a 19KB encrypted blob — the actual fingerprinting program. Different XOR key this time. But here is where it gets almost comical: the key is a float literal embedded right there in the bytecode. The value 97.35, just sitting in the instruction arguments, generated server-side and shipped to your browser. Buchodi verified this across 50 requests. 50 out of 50. The key was always right there.
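The cryptographic point in the last three paragraphs is worth seeing concretely: XOR is its own inverse, so when the key travels in the same HTTP exchange as the ciphertext, anyone holding the response can undo the layer. The following is an added example, not Cloudflare's or Buchodi's code. It constructs a toy two-layer wrapper modelled on the article's description (outer key is the `p` token, inner key is a float literal sitting in the outer program's instruction arguments) and shows that peeling both layers needs nothing beyond the response itself. The JSON wrapper format, the `"DECRYPT_INNER"` opcode name, and the choice to turn the float literal into key bytes via its decimal string are all assumptions made for illustration.

```javascript
// Added example: why XOR with a co-transmitted key provides no confidentiality.
// Everything here (wrapper format, opcode name, how the float literal becomes
// key bytes) is constructed; it is not Turnstile's real bytecode format.

const enc = new TextEncoder();
const dec = new TextDecoder();

// XOR a byte array against a repeating key. XOR is an involution, so the same
// call both "encrypts" and "decrypts".
function xorBytes(data, key) {
  const out = new Uint8Array(data.length);
  for (let i = 0; i < data.length; i++) {
    out[i] = data[i] ^ key[i % key.length];
  }
  return out;
}

// Simulated server side: wrap an inner program in two XOR layers and return a
// "prepare" response that carries the outer key (p) alongside the blob (dx).
function buildPrepareResponse(innerProgram, pToken, innerKeyLiteral) {
  // Assumption: the float literal is used as key bytes via its decimal string.
  const innerKey = enc.encode(String(innerKeyLiteral));
  const innerBlob = xorBytes(enc.encode(innerProgram), innerKey);

  // Outer "VM program": its instruction arguments contain the inner key, and
  // the inner blob rides along base64-encoded (constructed layout).
  const outerProgram = JSON.stringify({
    instructions: [{ op: "DECRYPT_INNER", args: [innerKeyLiteral] }],
    blob: Buffer.from(innerBlob).toString("base64"),
  });
  const dx = xorBytes(enc.encode(outerProgram), enc.encode(pToken));
  return { p: pToken, dx: Buffer.from(dx).toString("base64") };
}

// Client side, or anyone with the response: peel both layers using only the
// values that arrived in the same message. Rotating p per request changes
// nothing, because each response still ships its own key.
function recoverInnerProgram(resp) {
  const outerBytes = xorBytes(Buffer.from(resp.dx, "base64"), enc.encode(resp.p));
  const outer = JSON.parse(dec.decode(outerBytes));
  const innerKey = enc.encode(String(outer.instructions[0].args[0]));
  return dec.decode(xorBytes(Buffer.from(outer.blob, "base64"), innerKey));
}
```

The lesson for anyone shipping client-side checks is the usual one: obfuscation keyed by material in the same response is transparent to whoever holds the response, so the logic has to be treated as public and its security has to come from what the server does with the result, not from hiding the program.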

Is This Actually a Privacy Problem or Just Anti-Bot Defense?

Depends on who you ask. Derek Santos, a privacy researcher at the Electronic Frontier Foundation (not the guy who runs the taco truck near my apartment, though they share the same first name), has argued since 2023 that invisible browser fingerprinting — even for anti-bot purposes — creates a surveillance architecture that can be repurposed. Once you have the infrastructure to identify individual browsers across sessions, the jump from "bot detection" to "user tracking" is a configuration change, not a technical one.

Cloudflare would probably counter that Turnstile is privacy-preserving compared to traditional CAPTCHAs. No annoying image puzzles. No user interaction required. And they are right — from a UX perspective, it is better. But the trade-off is that the fingerprinting happens silently, without consent signals, without opt-out, and now we know it goes deeper than anyone previously documented.

The 55 properties Buchodi cataloged include things most users would never suspect. Your browser's WebGL renderer string can identify your exact GPU model. Combined with screen resolution, installed fonts, and timezone, this creates a fingerprint that is unique enough to track you across sessions even without cookies.

Why ChatGPT Specifically Needs React State Verification

This is actually clever, I have to admit. Most scraping operations against ChatGPT use headless browsers — Chrome instances running without a visible window, controlled by scripts. These headless browsers can pass traditional fingerprint checks because they are real browsers. They have real GPUs, real font lists, real screen dimensions.

But they typically do not fully render the React application. They send API requests directly or use minimal page rendering to extract tokens. By checking that __reactRouterContext and clientBootstrap exist and contain the expected values, Turnstile adds a layer that specifically targets this attack pattern.
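To make the application-state check concrete, here is an added example of the kind of verification the two paragraphs above describe. It is not Cloudflare's or OpenAI's code. The global names `__reactRouterContext`, `loaderData` and `clientBootstrap` come from the article; the shapes the function expects inside them, the `"root"` element id, and the two constructed page objects are assumptions made so the check can run under Node without a browser.

```javascript
// Added example: an application-state check that distinguishes a fully booted
// SPA from a page that was only minimally rendered. Takes a window-like object
// so it can be exercised without a browser; in a page you would pass `window`.

function spaHasBooted(win) {
  const reasons = [];

  // React Router leaves its hydration context on the window. If no route
  // loader ever ran, loaderData is missing or empty. (Shape assumed.)
  const ctx = win.__reactRouterContext;
  if (!ctx || typeof ctx !== "object") {
    reasons.push("missing __reactRouterContext");
  } else if (!ctx.loaderData || Object.keys(ctx.loaderData).length === 0) {
    reasons.push("empty loaderData: router loaders never ran");
  }

  // clientBootstrap is assumed here to carry the session the app booted with.
  const boot = win.clientBootstrap;
  if (!boot || typeof boot !== "object") {
    reasons.push("missing clientBootstrap");
  } else if (!boot.session || typeof boot.session.user !== "object") {
    reasons.push("clientBootstrap has no session.user");
  }

  // A real render leaves DOM under the app root (id assumed to be "root");
  // a page loaded only to harvest tokens does not.
  const root = win.document && win.document.getElementById("root");
  if (!root || root.childElementCount === 0) {
    reasons.push("app root has no rendered children");
  }

  return { booted: reasons.length === 0, reasons };
}

// Constructed stand-in for a browser that ran the SPA to completion.
const renderedPage = {
  __reactRouterContext: { loaderData: { root: { locale: "en" } } },
  clientBootstrap: { session: { user: { id: "user-constructed" } } },
  document: {
    getElementById: (id) => (id === "root" ? { childElementCount: 3 } : null),
  },
};

// Constructed stand-in for a headless client: a real browser with a real
// navigator, but the React application was never mounted.
const minimalPage = {
  navigator: { userAgent: "Mozilla/5.0 (constructed)" },
  document: {
    getElementById: (id) => (id === "root" ? { childElementCount: 0 } : null),
  },
};
```

The point of returning `reasons` rather than a bare boolean is operational: a verifier that logs which condition failed can tell a genuinely broken deploy (every client fails the same check) from scraping traffic (only some clients fail it).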

Tom Mercer, who writes about messaging app security for this blog, pointed out something I had not considered: "If Cloudflare starts checking application state as a standard Turnstile feature — not just for ChatGPT — every major web app gets a reason to instrument their front-end for verification purposes. That is a lot of new telemetry."

What Can You Actually Do About It?

Honestly? Not much, if you want to keep using ChatGPT.

The fingerprinting happens before you type your first word. It runs on every message. And because it is embedded in Cloudflare's infrastructure — which ChatGPT pays for — there is no browser extension that can meaningfully block it without breaking the service.

Here is what I personally do, and I am not saying this is paranoia — it is just habit at this point:

  • Use a dedicated browser profile for ChatGPT. Firefox with a separate container. This does not prevent the fingerprinting, but it isolates whatever data Turnstile collects from your main browsing identity.
  • Use a VPN. The edge headers reveal your approximate location. A VPN shifts that. It does not eliminate the fingerprint, but it reduces the geographic precision. We have a guide on encrypted tools that includes VPN recommendations.
  • Pay attention to what renders in your browser. Developer tools (F12 → Network tab) will show you the Turnstile requests. They are not hidden. You just have to look.
  • Consider the API. If you use ChatGPT through the API instead of the web interface, Turnstile does not run. The API has its own authentication and rate-limiting, but it does not fingerprint your browser — because there is no browser.

The Bigger Question Nobody Is Asking

Rachel Kim raised something in our Slack that I keep circling back to. As of March 2026, Cloudflare processes roughly 20% of all web traffic. Turnstile is deployed on millions of sites. If application-state verification becomes a standard check — not just something ChatGPT uses — then Cloudflare effectively becomes a gatekeeper that can verify not just whether you are human, but whether you are running the "correct" version of a web application.

That is a different kind of power. And right now, the only reason we know any of this is because one researcher spent weeks decrypting bytecode at his kitchen table.

I keep thinking about something Sandra told me before she left for Vermont: "The scariest security systems are not the ones that fail. They are the ones that work exactly as designed, and nobody knows what they are designed to do."

She was talking about her dishwasher at the time. But the point stands.
