Overview
When you monitor security testing with HackGATE and use Cloudflare Turnstile for CAPTCHA, Turnstile must be explicitly configured to allow requests from the HackGATE hostnames (e.g. yourtenant.hackgate.net). If those hostnames are not added to Turnstile’s configuration, the CAPTCHA widget may not load and validation will fail.
This article explains why this happens, how to detect it, and how to fix it.
Why CAPTCHA fails with Turnstile behind HackGATE
- Turnstile widgets are restricted to a predefined list of hostnames/domains. Only those hostnames will be allowed to load the CAPTCHA widget.
- If you access your application through a HackGATE-managed domain (e.g. *.hackgate.net) which isn’t listed in Turnstile’s allowed hostnames, the CAPTCHA will silently be blocked or simply will not render.
- This does not mean Turnstile is broken — it’s working as intended by restricting usage to configured hostnames.
Symptoms of the issue
You may observe one or more of the following:
- No CAPTCHA widget appears on the page
- CAPTCHA widget appears but shows errors or fails silently
- Form submission fails or returns a message like “Captcha verification failed”
- CAPTCHA works on a “normal” deployment domain, but fails when served via HackGATE
How to verify whether the domain is configured correctly
- Log in to your Cloudflare account.
- Navigate to the Turnstile section, and open the relevant widget configuration.
- Under Hostname Management (or similar), check whether your HackGATE domain(s) (for example yourtenant.hackgate.net, *.hackgate.net, etc.) are listed.
- If they are missing — that’s likely the cause of your issues.
How to enable Turnstile for HackGATE domains (Fix)
1 Open Cloudflare dashboard → Turnstile → Select the widget used for your site.
2 Go to Hostname Management (or “Allowed Domains / Hostnames”).
3 Add your HackGATE domain(s), e.g.: yourtenant.hackgate.net, *.hackgate.net. Ensure they are valid FQDNs.
4 Save / apply changes. Confirm your widget now includes those hostnames.
5 Revisit the page served through HackGATE and refresh. The CAPTCHA widget should now load and work.
💡 Tip: For a setup with multiple environments (dev / staging / prod), you might want separate Turnstile widgets or allow multiple hostnames — but each must be explicitly configured.
Official Reference
- Cloudflare Turnstile documentation: how to add hostnames / domain restrictions.
- WPForms (as an example integration) — shows the “Add Hostnames” step visually.
Summary & Why This Matters for HackGATE Users
Because HackGATE serves your application through a proxy domain (e.g. *.hackgate.net), you must treat that domain as a “real” production domain when configuring CAPTCHA — whether using Cloudflare Turnstile or Google reCAPTCHA.
Failing to explicitly add the proxy domain to your CAPTCHA provider’s configuration will result in broken or missing CAPTCHA on forms protected by HackGATE — even though everything works fine under your original domain.
Disclaimer & What CAPTCHA Configuration Does Not Do
- Adding the HackGATE domain to CAPTCHA config does not disable CAPTCHA. It merely permits the challenge to be rendered and validated under that hostname.
- CAPTCHA remains active and effective; you are not reducing security by whitelisting the domain.
- Always keep secret keys private (server side), and verify tokens server-side. This applies equally for Turnstile and reCAPTCHA.
