diff --git a/brightIDfaucet/settings.py b/brightIDfaucet/settings.py
index 79dbf66..bafc6cb 100644
--- a/brightIDfaucet/settings.py
+++ b/brightIDfaucet/settings.py
@@ -7,6 +7,8 @@ from dotenv import load_dotenv
 from sentry_sdk.integrations.django import DjangoIntegration
 
 
+from corsheaders.defaults import default_headers
+
 from faucet.faucet_manager.bright_id_interface import BrightIDInterface
 
 load_dotenv()
@@ -244,6 +246,15 @@ def before_send(event, hint):
 else:
     CORS_ALLOW_ALL_ORIGINS = True
 
+
+# Add Turnstile response headers for CORS
+# These headers are required for Cloudflare and HCaptcha Turnstile anti-bot service
+
+CORS_ALLOW_HEADERS = list(default_headers) + [
+    'cf-turnstile-response',
+    'hc-turnstile-response',
+]
+
 
 # Static files (CSS, JavaScript, Images)
 # https://docs.djangoproject.com/en/4.0/howto/static-files/
diff --git a/core/constraints/captcha.py b/core/constraints/captcha.py
index 6b83d38..7c29e3a 100644
--- a/core/constraints/captcha.py
+++ b/core/constraints/captcha.py
@@ -31,7 +31,7 @@ def is_observed(self, *args, **kwargs) -> bool:
             context["request"]
         )
 
-        turnstile_token = request_context.data.get("cf-turnstile-response")
+        turnstile_token = request_context.headers.get("cf-turnstile-response")
 
         return request_context.ip is not None and turnstile_token is not None and cloudflare.is_verified(
             turnstile_token, request_context.ip
@@ -60,7 +60,7 @@ def is_observed(self, *args, **kwargs) -> bool:
             context["request"]
         )
 
-        turnstile_token = request_context.data.get("hc-turnstile-response") or request_context.data.get("cf-turnstile-response")
+        turnstile_token = request_context.headers.get("hc-turnstile-response")
 
         return request_context.ip is not None and turnstile_token is not None and hcaptcha.is_verified(
             turnstile_token, request_context.ip
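Review bot: The comment above the new `CORS_ALLOW_HEADERS` in settings.py calls hCaptcha a "Turnstile" service, but Turnstile is Cloudflare's product and hCaptcha is a separate provider; `hc-turnstile-response` is this project's own header name, not an hCaptcha convention, and the comment should say so. Suggest replacing the two comment lines with `# Custom request headers that carry the Cloudflare Turnstile and hCaptcha tokens read by core/constraints/captcha.py.` and `# Both must be allow-listed here or the browser's CORS preflight rejects requests that send them.` The list is built from `default_headers` so the standard headers stay allowed; that is correct, only the wording is off.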
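Review bot: `request_context.headers.get("cf-turnstile-response")` in the first captcha.py hunk assumes `RequestContext` exposes a case-insensitive header mapping like Django's `request.headers`; if that attribute is built from `request.META` the key would be `HTTP_CF_TURNSTILE_RESPONSE` and the lookup silently yields None, which the following `turnstile_token is not None` check turns into a failed constraint rather than a visible error, so a test sending the header in mixed case would pin this down. The same applies to the `hc-turnstile-response` lookup in the second captcha.py hunk. Moving the token from the request body to a header also changes the client contract, so clients still posting the token in the body will now fail verification; that is worth stating in the commit description. Both `is_observed` methods start outside the hunks shown.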