Validation surfaces for scraper-cf. Each link sits behind a different CF challenge type.
Standalone CF Turnstile widget; auto-submits to /api/protected on solve. Solver path: AntiTurnstileTaskProxyless.
GET /turnstile
Google reCAPTCHA Enterprise widget (action LOGIN). Server gates on Enterprise assessment score ≥ 0.5 when an API key is configured; falls back to token-only otherwise.
GET /recaptcha
Same widget shape as /recaptcha but a stricter sitekey configured on Google's side and a higher pass threshold (score ≥ 0.7).
GET /recaptcha-hard
Gated by a WAF Managed Challenge rule — CF picks interactive or invisible based on signals before the worker sees the request.
GET /cf-managed
Gated by a WAF Interactive Challenge rule — always renders the visible CF interstitial.
GET /cf-interactive
Outer page embeds an iframe pointing at SAFE_INNER_ORIGIN/safe (different eTLD+1). Mirrors Stripe-SAFE's single cross-site frame; verifies our walker reaches into one OOPIF.
GET /safe-iframe/single
Outer → SAFE_MIDDLE_ORIGIN/m-outer → SAFE_INNER_ORIGIN/safe. Three distinct registrable domains, two cross-site boundaries, two separate OOPIF processes.
GET /safe-iframe/nested
Single cross-site iframe with sandbox="allow-scripts allow-same-origin". Confirms the walker handles iframes that are both cross-site AND sandboxed.
GET /safe-iframe/sandboxed
GET /api/health is unprotected and returns { ok: true }.