diff --git a/.env.example b/.env.example
index a049791..e9ed2ac 100644
--- a/.env.example
+++ b/.env.example
@@ -22,4 +22,8 @@ OPENAI_BASE_URL="https://api.openai.com/v1"
 
 # --- hCaptcha configuration ---
 HCAPTCHA_SECRET_KEY=your-hcaptcha-secret-key-here
-HCAPTCHA_SITE_KEY=your-hcaptcha-site-key-here
\ No newline at end of file
+HCAPTCHA_SITE_KEY=your-hcaptcha-site-key-here
+
+# --- Cloudflare configuration ---
+CLOUDFLARE_TURNSTILE_SITE_KEY=your-cloudflare-turnstile-site-key-here
+CLOUDFLARE_TURNSTILE_SECRET_KEY=your-cloudflare-turnstile-secret-key-here
\ No newline at end of file
diff --git a/.env.schema b/.env.schema
index 142f2b3..8a871a9 100644
--- a/.env.schema
+++ b/.env.schema
@@ -22,4 +22,8 @@ OPENAI_BASE_URL=
 
 # --- hCaptcha configuration ---
 HCAPTCHA_SECRET_KEY=
-HCAPTCHA_SITE_KEY=
\ No newline at end of file
+HCAPTCHA_SITE_KEY=
+
+# --- Cloudflare configuration ---
+CLOUDFLARE_TURNSTILE_SITE_KEY=
+CLOUDFLARE_TURNSTILE_SECRET_KEY=
\ No newline at end of file
diff --git a/apps/api/.env.example b/apps/api/.env.example
index f88a073..dc2f97c 100644
--- a/apps/api/.env.example
+++ b/apps/api/.env.example
@@ -16,4 +16,7 @@ OPENAI_BASE_URL="https://api.openai.com/v1"
 
 # --- hCaptcha configuration ---
 HCAPTCHA_SECRET_KEY=your-hcaptcha-secret-key-here
-HCAPTCHA_SITE_KEY=your-hcaptcha-site-key-here
\ No newline at end of file
+HCAPTCHA_SITE_KEY=your-hcaptcha-site-key-here
+
+# --- Cloudflare configuration ---
+CLOUDFLARE_TURNSTILE_SECRET_KEY=your-cloudflare-turnstile-secret-key-here
\ No newline at end of file
diff --git a/apps/api/.env.schema b/apps/api/.env.schema
index 944f21d..0329004 100644
--- a/apps/api/.env.schema
+++ b/apps/api/.env.schema
@@ -16,4 +16,7 @@ OPENAI_BASE_URL=
 
 # --- hCaptcha configuration ---
 HCAPTCHA_SECRET_KEY=
-HCAPTCHA_SITE_KEY=
\ No newline at end of file
+HCAPTCHA_SITE_KEY=
+
+# --- Cloudflare configuration ---
+CLOUDFLARE_TURNSTILE_SECRET_KEY=
\ No newline at end of file
diff --git a/apps/api/middleware/helmet.js b/apps/api/middleware/helmet.js
index 73eba2d..20f407e 100644
--- a/apps/api/middleware/helmet.js
+++ b/apps/api/middleware/helmet.js
@@ -13,10 +13,12 @@ const helmetMiddleware = helmet({
 
       'upgrade-insecure-requests': isDevelopment ? null : [],
       'frame-ancestors': ["'self'", ...CORS_TRUSTED_HOSTS],
-      'script-src': ["'self'", "'unsafe-inline'", 'https://static.cloudflareinsights.com', 'https://js.hcaptcha.com', 'https://newassets.hcaptcha.com', ...CORS_TRUSTED_CDN_HOSTS],
+      'frame-src': ["'self'", 'https://newassets.hcaptcha.com', 'https://js.hcaptcha.com', 'https://challenges.cloudflare.com', ...CORS_TRUSTED_HOSTS],
+      'script-src': ["'self'", "'unsafe-inline'", 'https://static.cloudflareinsights.com', 'https://js.hcaptcha.com', 'https://newassets.hcaptcha.com', 'https://challenges.cloudflare.com', ...CORS_TRUSTED_CDN_HOSTS],
       'style-src': ["'self'", "'unsafe-inline'", 'https://newassets.hcaptcha.com', ...CORS_TRUSTED_CDN_HOSTS],
       'img-src': ["'self'", 'data:', 'https://contrib.rocks', ...CORS_TRUSTED_CDN_HOSTS],
-      'font-src': ["'self'", ...CORS_TRUSTED_CDN_HOSTS]
+      'font-src': ["'self'", ...CORS_TRUSTED_CDN_HOSTS],
+      'connect-src': ["'self'", 'https://hcaptcha.com', 'https://*.hcaptcha.com', 'https://challenges.cloudflare.com']
     }
   },
   frameguard: false,
diff --git a/apps/api/routes/api/generate-docx.js b/apps/api/routes/api/generate-docx.js
index f82eaa6..e6245a9 100644
--- a/apps/api/routes/api/generate-docx.js
+++ b/apps/api/routes/api/generate-docx.js
@@ -10,7 +10,7 @@ export const route = new AppRoute('/generate-docx', 'post', async (req, res) =>
   const body = req.body
 
   try {
-    const result = await handleGenerateDocx(body)
+    const result = await handleGenerateDocx(body, req)
 
     if (result.status === 200) {
       const docxBuffer = result.data
diff --git a/apps/web/.env.example b/apps/web/.env.example
index a049791..e9ed2ac 100644
--- a/apps/web/.env.example
+++ b/apps/web/.env.example
@@ -22,4 +22,8 @@ OPENAI_BASE_URL="https://api.openai.com/v1"
 
 # --- hCaptcha configuration ---
 HCAPTCHA_SECRET_KEY=your-hcaptcha-secret-key-here
-HCAPTCHA_SITE_KEY=your-hcaptcha-site-key-here
\ No newline at end of file
+HCAPTCHA_SITE_KEY=your-hcaptcha-site-key-here
+
+# --- Cloudflare configuration ---
+CLOUDFLARE_TURNSTILE_SITE_KEY=your-cloudflare-turnstile-site-key-here
+CLOUDFLARE_TURNSTILE_SECRET_KEY=your-cloudflare-turnstile-secret-key-here
\ No newline at end of file
diff --git a/apps/web/.env.schema b/apps/web/.env.schema
index 142f2b3..8a871a9 100644
--- a/apps/web/.env.schema
+++ b/apps/web/.env.schema
@@ -22,4 +22,8 @@ OPENAI_BASE_URL=
 
 # --- hCaptcha configuration ---
 HCAPTCHA_SECRET_KEY=
-HCAPTCHA_SITE_KEY=
\ No newline at end of file
+HCAPTCHA_SITE_KEY=
+
+# --- Cloudflare configuration ---
+CLOUDFLARE_TURNSTILE_SITE_KEY=
+CLOUDFLARE_TURNSTILE_SECRET_KEY=
\ No newline at end of file
diff --git a/apps/web/middleware/helmet.js b/apps/web/middleware/helmet.js
index 366234c..1f2c4a2 100644
--- a/apps/web/middleware/helmet.js
+++ b/apps/web/middleware/helmet.js
@@ -30,12 +30,12 @@ const helmetMiddleware = helmet({
 
       'upgrade-insecure-requests': isDevelopment ? null : [],
       'frame-ancestors': ["'self'", ...CORS_TRUSTED_HOSTS],
-      'frame-src': ["'self'", 'https://newassets.hcaptcha.com', 'https://js.hcaptcha.com', ...CORS_TRUSTED_HOSTS],
-      'script-src': ["'self'", "'unsafe-inline'", 'https://static.cloudflareinsights.com', 'https://js.hcaptcha.com', 'https://newassets.hcaptcha.com', ...CORS_TRUSTED_CDN_HOSTS],
+      'frame-src': ["'self'", 'https://newassets.hcaptcha.com', 'https://js.hcaptcha.com', 'https://challenges.cloudflare.com', ...CORS_TRUSTED_HOSTS],
+      'script-src': ["'self'", "'unsafe-inline'", 'https://static.cloudflareinsights.com', 'https://js.hcaptcha.com', 'https://newassets.hcaptcha.com', 'https://challenges.cloudflare.com', ...CORS_TRUSTED_CDN_HOSTS],
       'style-src': ["'self'", "'unsafe-inline'", 'https://newassets.hcaptcha.com', ...CORS_TRUSTED_CDN_HOSTS],
       'img-src': ["'self'", 'data:', 'https://contrib.rocks', ...CORS_TRUSTED_CDN_HOSTS],
       'font-src': ["'self'", ...CORS_TRUSTED_CDN_HOSTS],
-      'connect-src': ["'self'", 'https://hcaptcha.com', 'https://*.hcaptcha.com', ...(APP_API_BASE_URL ? [removePathFromUrl(APP_API_BASE_URL)] : [])]
+      'connect-src': ["'self'", 'https://hcaptcha.com', 'https://*.hcaptcha.com', 'https://challenges.cloudflare.com', ...(APP_API_BASE_URL ? [removePathFromUrl(APP_API_BASE_URL)] : [])]
     }
   },
   frameguard: false,
diff --git a/apps/web/routes/home.js b/apps/web/routes/home.js
index 01ede21..d941378 100644
--- a/apps/web/routes/home.js
+++ b/apps/web/routes/home.js
@@ -40,7 +40,8 @@ export const route = new AppRoute('/', 'get', async (req, res) => {
     APP_API_BASE_URL: process.env.APP_USE_BUILTIN_API === 'true'
       ? '/api'
       : normalizeApiBaseUrl(String(process.env.APP_API_BASE_URL)),
-    HCAPTCHA_SITE_KEY: String(process.env.HCAPTCHA_SITE_KEY || '')
+    HCAPTCHA_SITE_KEY: String(process.env.HCAPTCHA_SITE_KEY || ''),
+    CLOUDFLARE_TURNSTILE_SITE_KEY: String(process.env.CLOUDFLARE_TURNSTILE_SITE_KEY || '')
   }
 
   res.render('layout/main', { VIEW: 'home', APP_NAME, TITLE: 'Home', BASE_URL: process.env.BASE_URL || '', META })
diff --git a/docs/api-reference/packages/core/ai/openai-wrapper/classes/default.md b/docs/api-reference/packages/core/ai/openai-wrapper/classes/default.md
index 11b4c6f..05439ca 100644
--- a/docs/api-reference/packages/core/ai/openai-wrapper/classes/default.md
+++ b/docs/api-reference/packages/core/ai/openai-wrapper/classes/default.md
@@ -6,7 +6,7 @@
 
 # Class: default
 
-Defined in: [packages/core/ai/openai-wrapper.js:26](https://github.com/GTPSHAX/modul-ajar-generator/blob/d4b0e01a4a3d86231cbebd8dec7d9bc8aedf2a93/packages/core/ai/openai-wrapper.js#L26)
+Defined in: [packages/core/ai/openai-wrapper.js:26](https://github.com/GTPSHAX/modul-ajar-generator/blob/42ec3258b61b6f10fbbc19c487d848a7d8aaf16f/packages/core/ai/openai-wrapper.js#L26)
 
 OpenAIWrapper is a simple wrapper around the OpenAI API to manage contexts and generate responses.
 
@@ -29,7 +29,7 @@ Make sure to set the OPENAI_API_KEY and OPENAI_MODEL environment variables befor
 
 > **new default**(`apiKey`, `model?`, `baseURL?`): `OpenAIWrapper`
 
-Defined in: [packages/core/ai/openai-wrapper.js:43](https://github.com/GTPSHAX/modul-ajar-generator/blob/d4b0e01a4a3d86231cbebd8dec7d9bc8aedf2a93/packages/core/ai/openai-wrapper.js#L43)
+Defined in: [packages/core/ai/openai-wrapper.js:43](https://github.com/GTPSHAX/modul-ajar-generator/blob/42ec3258b61b6f10fbbc19c487d848a7d8aaf16f/packages/core/ai/openai-wrapper.js#L43)
 
 Creates an instance of OpenAIWrapper.
 
@@ -65,7 +65,7 @@ The base URL for the OpenAI API
 
 > **get** **baseURL**(): `string` \| `null`
 
-Defined in: [packages/core/ai/openai-wrapper.js:63](https://github.com/GTPSHAX/modul-ajar-generator/blob/d4b0e01a4a3d86231cbebd8dec7d9bc8aedf2a93/packages/core/ai/openai-wrapper.js#L63)
+Defined in: [packages/core/ai/openai-wrapper.js:63](https://github.com/GTPSHAX/modul-ajar-generator/blob/42ec3258b61b6f10fbbc19c487d848a7d8aaf16f/packages/core/ai/openai-wrapper.js#L63)
 
 Gets the base URL for the OpenAI API.
 
@@ -81,7 +81,7 @@ Gets the base URL for the OpenAI API.
 
 > **get** **client**(): `OpenAI`
 
-Defined in: [packages/core/ai/openai-wrapper.js:88](https://github.com/GTPSHAX/modul-ajar-generator/blob/d4b0e01a4a3d86231cbebd8dec7d9bc8aedf2a93/packages/core/ai/openai-wrapper.js#L88)
+Defined in: [packages/core/ai/openai-wrapper.js:88](https://github.com/GTPSHAX/modul-ajar-generator/blob/42ec3258b61b6f10fbbc19c487d848a7d8aaf16f/packages/core/ai/openai-wrapper.js#L88)
 
 Gets the OpenAI client instance.
 
@@ -97,7 +97,7 @@ Gets the OpenAI client instance.
 
 > **get** **context**(): [`Message`](../interfaces/Message.md)[]
 
-Defined in: [packages/core/ai/openai-wrapper.js:96](https://github.com/GTPSHAX/modul-ajar-generator/blob/d4b0e01a4a3d86231cbebd8dec7d9bc8aedf2a93/packages/core/ai/openai-wrapper.js#L96)
+Defined in: [packages/core/ai/openai-wrapper.js:96](https://github.com/GTPSHAX/modul-ajar-generator/blob/42ec3258b61b6f10fbbc19c487d848a7d8aaf16f/packages/core/ai/openai-wrapper.js#L96)
 
 Gets the default context.
 
@@ -109,7 +109,7 @@ Gets the default context.
 
 > **set** **context**(`context`): `void`
 
-Defined in: [packages/core/ai/openai-wrapper.js:104](https://github.com/GTPSHAX/modul-ajar-generator/blob/d4b0e01a4a3d86231cbebd8dec7d9bc8aedf2a93/packages/core/ai/openai-wrapper.js#L104)
+Defined in: [packages/core/ai/openai-wrapper.js:104](https://github.com/GTPSHAX/modul-ajar-generator/blob/42ec3258b61b6f10fbbc19c487d848a7d8aaf16f/packages/core/ai/openai-wrapper.js#L104)
 
 Sets the default context.
 
@@ -131,7 +131,7 @@ Sets the default context.
 
 > **get** **model**(): `string`
 
-Defined in: [packages/core/ai/openai-wrapper.js:71](https://github.com/GTPSHAX/modul-ajar-generator/blob/d4b0e01a4a3d86231cbebd8dec7d9bc8aedf2a93/packages/core/ai/openai-wrapper.js#L71)
+Defined in: [packages/core/ai/openai-wrapper.js:71](https://github.com/GTPSHAX/modul-ajar-generator/blob/42ec3258b61b6f10fbbc19c487d848a7d8aaf16f/packages/core/ai/openai-wrapper.js#L71)
 
 Gets the model.
 
@@ -143,7 +143,7 @@ Gets the model.
 
 > **set** **model**(`model`): `void`
 
-Defined in: [packages/core/ai/openai-wrapper.js:79](https://github.com/GTPSHAX/modul-ajar-generator/blob/d4b0e01a4a3d86231cbebd8dec7d9bc8aedf2a93/packages/core/ai/openai-wrapper.js#L79)
+Defined in: [packages/core/ai/openai-wrapper.js:79](https://github.com/GTPSHAX/modul-ajar-generator/blob/42ec3258b61b6f10fbbc19c487d848a7d8aaf16f/packages/core/ai/openai-wrapper.js#L79)
 
 Sets the model.
 
@@ -163,7 +163,7 @@ Sets the model.
 
 > **addContext**(...`contexts`): `void`
 
-Defined in: [packages/core/ai/openai-wrapper.js:115](https://github.com/GTPSHAX/modul-ajar-generator/blob/d4b0e01a4a3d86231cbebd8dec7d9bc8aedf2a93/packages/core/ai/openai-wrapper.js#L115)
+Defined in: [packages/core/ai/openai-wrapper.js:115](https://github.com/GTPSHAX/modul-ajar-generator/blob/42ec3258b61b6f10fbbc19c487d848a7d8aaf16f/packages/core/ai/openai-wrapper.js#L115)
 
 Adds one or more context objects to the existing default context.
 
@@ -183,7 +183,7 @@ Adds one or more context objects to the existing default context.
 
 > **chat**(`messages`): `Promise`\<`string`\>
 
-Defined in: [packages/core/ai/openai-wrapper.js:173](https://github.com/GTPSHAX/modul-ajar-generator/blob/d4b0e01a4a3d86231cbebd8dec7d9bc8aedf2a93/packages/core/ai/openai-wrapper.js#L173)
+Defined in: [packages/core/ai/openai-wrapper.js:173](https://github.com/GTPSHAX/modul-ajar-generator/blob/42ec3258b61b6f10fbbc19c487d848a7d8aaf16f/packages/core/ai/openai-wrapper.js#L173)
 
 Send a chat message to the OpenAI model with the loaded contexts.
 
@@ -205,7 +205,7 @@ Send a chat message to the OpenAI model with the loaded contexts.
 
 > **loadContext**(`filePath`): `void`
 
-Defined in: [packages/core/ai/openai-wrapper.js:151](https://github.com/GTPSHAX/modul-ajar-generator/blob/d4b0e01a4a3d86231cbebd8dec7d9bc8aedf2a93/packages/core/ai/openai-wrapper.js#L151)
+Defined in: [packages/core/ai/openai-wrapper.js:151](https://github.com/GTPSHAX/modul-ajar-generator/blob/42ec3258b61b6f10fbbc19c487d848a7d8aaf16f/packages/core/ai/openai-wrapper.js#L151)
 
 Loads a context from a file and adds it to the default context as a system message.
 
@@ -225,7 +225,7 @@ Loads a context from a file and adds it to the default context as a system messa
 
 > **loadContextsFromDir**(`pathDir`): `void`
 
-Defined in: [packages/core/ai/openai-wrapper.js:126](https://github.com/GTPSHAX/modul-ajar-generator/blob/d4b0e01a4a3d86231cbebd8dec7d9bc8aedf2a93/packages/core/ai/openai-wrapper.js#L126)
+Defined in: [packages/core/ai/openai-wrapper.js:126](https://github.com/GTPSHAX/modul-ajar-generator/blob/42ec3258b61b6f10fbbc19c487d848a7d8aaf16f/packages/core/ai/openai-wrapper.js#L126)
 
 Load context(s) from a directory.
 
diff --git a/docs/api-reference/packages/core/ai/openai-wrapper/interfaces/Message.md b/docs/api-reference/packages/core/ai/openai-wrapper/interfaces/Message.md
index 19c1011..71e9167 100644
--- a/docs/api-reference/packages/core/ai/openai-wrapper/interfaces/Message.md
+++ b/docs/api-reference/packages/core/ai/openai-wrapper/interfaces/Message.md
@@ -6,7 +6,7 @@
 
 # Interface: Message
 
-Defined in: [packages/core/ai/openai-wrapper.js:8](https://github.com/GTPSHAX/modul-ajar-generator/blob/d4b0e01a4a3d86231cbebd8dec7d9bc8aedf2a93/packages/core/ai/openai-wrapper.js#L8)
+Defined in: [packages/core/ai/openai-wrapper.js:8](https://github.com/GTPSHAX/modul-ajar-generator/blob/42ec3258b61b6f10fbbc19c487d848a7d8aaf16f/packages/core/ai/openai-wrapper.js#L8)
 
 ## Properties
 
@@ -14,7 +14,7 @@ Defined in: [packages/core/ai/openai-wrapper.js:8](https://github.com/GTPSHAX/mo
 
 > **content**: `string`
 
-Defined in: [packages/core/ai/openai-wrapper.js:10](https://github.com/GTPSHAX/modul-ajar-generator/blob/d4b0e01a4a3d86231cbebd8dec7d9bc8aedf2a93/packages/core/ai/openai-wrapper.js#L10)
+Defined in: [packages/core/ai/openai-wrapper.js:10](https://github.com/GTPSHAX/modul-ajar-generator/blob/42ec3258b61b6f10fbbc19c487d848a7d8aaf16f/packages/core/ai/openai-wrapper.js#L10)
 
 The content of the message
 
@@ -24,7 +24,7 @@ The content of the message
 
 > `optional` **name?**: `string`
 
-Defined in: [packages/core/ai/openai-wrapper.js:11](https://github.com/GTPSHAX/modul-ajar-generator/blob/d4b0e01a4a3d86231cbebd8dec7d9bc8aedf2a93/packages/core/ai/openai-wrapper.js#L11)
+Defined in: [packages/core/ai/openai-wrapper.js:11](https://github.com/GTPSHAX/modul-ajar-generator/blob/42ec3258b61b6f10fbbc19c487d848a7d8aaf16f/packages/core/ai/openai-wrapper.js#L11)
 
 Optional name for tool/function messages
 
@@ -34,7 +34,7 @@ Optional name for tool/function messages
 
 > **role**: `"system"` \| `"user"` \| `"assistant"` \| `"tool"`
 
-Defined in: [packages/core/ai/openai-wrapper.js:9](https://github.com/GTPSHAX/modul-ajar-generator/blob/d4b0e01a4a3d86231cbebd8dec7d9bc8aedf2a93/packages/core/ai/openai-wrapper.js#L9)
+Defined in: [packages/core/ai/openai-wrapper.js:9](https://github.com/GTPSHAX/modul-ajar-generator/blob/42ec3258b61b6f10fbbc19c487d848a7d8aaf16f/packages/core/ai/openai-wrapper.js#L9)
 
 The role of the message sender (excluding 'function' to avoid name requirement)
 
@@ -44,6 +44,6 @@ The role of the message sender (excluding 'function' to avoid name requirement)
 
 > `optional` **tool\_call\_id?**: `string`
 
-Defined in: [packages/core/ai/openai-wrapper.js:12](https://github.com/GTPSHAX/modul-ajar-generator/blob/d4b0e01a4a3d86231cbebd8dec7d9bc8aedf2a93/packages/core/ai/openai-wrapper.js#L12)
+Defined in: [packages/core/ai/openai-wrapper.js:12](https://github.com/GTPSHAX/modul-ajar-generator/blob/42ec3258b61b6f10fbbc19c487d848a7d8aaf16f/packages/core/ai/openai-wrapper.js#L12)
 
 Optional tool_call_id for tool messages
diff --git a/docs/api-reference/packages/core/engine/vm-runner/classes/default.md b/docs/api-reference/packages/core/engine/vm-runner/classes/default.md
index bc190c9..0eed565 100644
--- a/docs/api-reference/packages/core/engine/vm-runner/classes/default.md
+++ b/docs/api-reference/packages/core/engine/vm-runner/classes/default.md
@@ -6,7 +6,7 @@
 
 # Class: default
 
-Defined in: [packages/core/engine/vm-runner.js:28](https://github.com/GTPSHAX/modul-ajar-generator/blob/d4b0e01a4a3d86231cbebd8dec7d9bc8aedf2a93/packages/core/engine/vm-runner.js#L28)
+Defined in: [packages/core/engine/vm-runner.js:28](https://github.com/GTPSHAX/modul-ajar-generator/blob/42ec3258b61b6f10fbbc19c487d848a7d8aaf16f/packages/core/engine/vm-runner.js#L28)
 
 Runs JavaScript code safely inside a sandboxed VM context.
 
@@ -30,7 +30,7 @@ const runner = new VMRunner(
 
 > **new default**(`code`, `shared?`, `callback?`): `VMRunner`
 
-Defined in: [packages/core/engine/vm-runner.js:45](https://github.com/GTPSHAX/modul-ajar-generator/blob/d4b0e01a4a3d86231cbebd8dec7d9bc8aedf2a93/packages/core/engine/vm-runner.js#L45)
+Defined in: [packages/core/engine/vm-runner.js:45](https://github.com/GTPSHAX/modul-ajar-generator/blob/42ec3258b61b6f10fbbc19c487d848a7d8aaf16f/packages/core/engine/vm-runner.js#L45)
 
 Creates a new VMRunner instance.
 
@@ -64,7 +64,7 @@ Error-first callback for results
 
 > **callback**: [`VMCallback`](../type-aliases/VMCallback.md) \| `null` = `null`
 
-Defined in: [packages/core/engine/vm-runner.js:34](https://github.com/GTPSHAX/modul-ajar-generator/blob/d4b0e01a4a3d86231cbebd8dec7d9bc8aedf2a93/packages/core/engine/vm-runner.js#L34)
+Defined in: [packages/core/engine/vm-runner.js:34](https://github.com/GTPSHAX/modul-ajar-generator/blob/42ec3258b61b6f10fbbc19c487d848a7d8aaf16f/packages/core/engine/vm-runner.js#L34)
 
 ***
 
@@ -72,7 +72,7 @@ Defined in: [packages/core/engine/vm-runner.js:34](https://github.com/GTPSHAX/mo
 
 > **code**: `string` \| `null` = `null`
 
-Defined in: [packages/core/engine/vm-runner.js:30](https://github.com/GTPSHAX/modul-ajar-generator/blob/d4b0e01a4a3d86231cbebd8dec7d9bc8aedf2a93/packages/core/engine/vm-runner.js#L30)
+Defined in: [packages/core/engine/vm-runner.js:30](https://github.com/GTPSHAX/modul-ajar-generator/blob/42ec3258b61b6f10fbbc19c487d848a7d8aaf16f/packages/core/engine/vm-runner.js#L30)
 
 ***
 
@@ -80,7 +80,7 @@ Defined in: [packages/core/engine/vm-runner.js:30](https://github.com/GTPSHAX/mo
 
 > **context**: [`ContextObject`](../type-aliases/ContextObject.md) \| `null` = `null`
 
-Defined in: [packages/core/engine/vm-runner.js:36](https://github.com/GTPSHAX/modul-ajar-generator/blob/d4b0e01a4a3d86231cbebd8dec7d9bc8aedf2a93/packages/core/engine/vm-runner.js#L36)
+Defined in: [packages/core/engine/vm-runner.js:36](https://github.com/GTPSHAX/modul-ajar-generator/blob/42ec3258b61b6f10fbbc19c487d848a7d8aaf16f/packages/core/engine/vm-runner.js#L36)
 
 ***
 
@@ -88,7 +88,7 @@ Defined in: [packages/core/engine/vm-runner.js:36](https://github.com/GTPSHAX/mo
 
 > **shared**: [`ContextObject`](../type-aliases/ContextObject.md) \| `null` = `null`
 
-Defined in: [packages/core/engine/vm-runner.js:32](https://github.com/GTPSHAX/modul-ajar-generator/blob/d4b0e01a4a3d86231cbebd8dec7d9bc8aedf2a93/packages/core/engine/vm-runner.js#L32)
+Defined in: [packages/core/engine/vm-runner.js:32](https://github.com/GTPSHAX/modul-ajar-generator/blob/42ec3258b61b6f10fbbc19c487d848a7d8aaf16f/packages/core/engine/vm-runner.js#L32)
 
 ## Methods
 
@@ -96,7 +96,7 @@ Defined in: [packages/core/engine/vm-runner.js:32](https://github.com/GTPSHAX/mo
 
 > **addContext**(...`contexts`): `void`
 
-Defined in: [packages/core/engine/vm-runner.js:144](https://github.com/GTPSHAX/modul-ajar-generator/blob/d4b0e01a4a3d86231cbebd8dec7d9bc8aedf2a93/packages/core/engine/vm-runner.js#L144)
+Defined in: [packages/core/engine/vm-runner.js:144](https://github.com/GTPSHAX/modul-ajar-generator/blob/42ec3258b61b6f10fbbc19c487d848a7d8aaf16f/packages/core/engine/vm-runner.js#L144)
 
 Adds extra variables into the VM context before running.
 
@@ -118,7 +118,7 @@ Objects to merge into the VM context
 
 > **run**(): `void`
 
-Defined in: [packages/core/engine/vm-runner.js:76](https://github.com/GTPSHAX/modul-ajar-generator/blob/d4b0e01a4a3d86231cbebd8dec7d9bc8aedf2a93/packages/core/engine/vm-runner.js#L76)
+Defined in: [packages/core/engine/vm-runner.js:76](https://github.com/GTPSHAX/modul-ajar-generator/blob/42ec3258b61b6f10fbbc19c487d848a7d8aaf16f/packages/core/engine/vm-runner.js#L76)
 
 Runs the code inside the VM and calls the callback with the result.
 
diff --git a/docs/api-reference/packages/core/engine/vm-runner/type-aliases/ContextObject.md b/docs/api-reference/packages/core/engine/vm-runner/type-aliases/ContextObject.md
index e8839f3..e36c9d0 100644
--- a/docs/api-reference/packages/core/engine/vm-runner/type-aliases/ContextObject.md
+++ b/docs/api-reference/packages/core/engine/vm-runner/type-aliases/ContextObject.md
@@ -8,6 +8,6 @@
 
 > **ContextObject** = `Record`\<`string`, `any`\>
 
-Defined in: [packages/core/engine/vm-runner.js:11](https://github.com/GTPSHAX/modul-ajar-generator/blob/d4b0e01a4a3d86231cbebd8dec7d9bc8aedf2a93/packages/core/engine/vm-runner.js#L11)
+Defined in: [packages/core/engine/vm-runner.js:11](https://github.com/GTPSHAX/modul-ajar-generator/blob/42ec3258b61b6f10fbbc19c487d848a7d8aaf16f/packages/core/engine/vm-runner.js#L11)
 
 ## Type Parameters
diff --git a/docs/api-reference/packages/core/engine/vm-runner/type-aliases/VMCallback.md b/docs/api-reference/packages/core/engine/vm-runner/type-aliases/VMCallback.md
index 327a8a6..4d53c2f 100644
--- a/docs/api-reference/packages/core/engine/vm-runner/type-aliases/VMCallback.md
+++ b/docs/api-reference/packages/core/engine/vm-runner/type-aliases/VMCallback.md
@@ -8,7 +8,7 @@
 
 > **VMCallback** = (`err`, `result?`) => `void`
 
-Defined in: [packages/core/engine/vm-runner.js:10](https://github.com/GTPSHAX/modul-ajar-generator/blob/d4b0e01a4a3d86231cbebd8dec7d9bc8aedf2a93/packages/core/engine/vm-runner.js#L10)
+Defined in: [packages/core/engine/vm-runner.js:10](https://github.com/GTPSHAX/modul-ajar-generator/blob/42ec3258b61b6f10fbbc19c487d848a7d8aaf16f/packages/core/engine/vm-runner.js#L10)
 
 ## Type Parameters
 
diff --git a/docs/api-reference/packages/handlers/handle-autofill-ai/functions/default.md b/docs/api-reference/packages/handlers/handle-autofill-ai/functions/default.md
index f74fe48..eefd826 100644
--- a/docs/api-reference/packages/handlers/handle-autofill-ai/functions/default.md
+++ b/docs/api-reference/packages/handlers/handle-autofill-ai/functions/default.md
@@ -8,7 +8,7 @@
 
 > **default**(`body`): `Promise`\<\{ `data?`: `string`; `message?`: `string`; `status`: `number`; \}\>
 
-Defined in: [packages/handlers/handle-autofill-ai.js:61](https://github.com/GTPSHAX/modul-ajar-generator/blob/d4b0e01a4a3d86231cbebd8dec7d9bc8aedf2a93/packages/handlers/handle-autofill-ai.js#L61)
+Defined in: [packages/handlers/handle-autofill-ai.js:65](https://github.com/GTPSHAX/modul-ajar-generator/blob/42ec3258b61b6f10fbbc19c487d848a7d8aaf16f/packages/handlers/handle-autofill-ai.js#L65)
 
 Handles auto-filling AI functionality.
 
diff --git a/docs/api-reference/packages/handlers/handle-autofill-ai/interfaces/Message.md b/docs/api-reference/packages/handlers/handle-autofill-ai/interfaces/Message.md
index 3c45a68..eb426bb 100644
--- a/docs/api-reference/packages/handlers/handle-autofill-ai/interfaces/Message.md
+++ b/docs/api-reference/packages/handlers/handle-autofill-ai/interfaces/Message.md
@@ -6,7 +6,7 @@
 
 # Interface: Message
 
-Defined in: [packages/handlers/handle-autofill-ai.js:8](https://github.com/GTPSHAX/modul-ajar-generator/blob/d4b0e01a4a3d86231cbebd8dec7d9bc8aedf2a93/packages/handlers/handle-autofill-ai.js#L8)
+Defined in: [packages/handlers/handle-autofill-ai.js:8](https://github.com/GTPSHAX/modul-ajar-generator/blob/42ec3258b61b6f10fbbc19c487d848a7d8aaf16f/packages/handlers/handle-autofill-ai.js#L8)
 
 ## Properties
 
@@ -14,7 +14,7 @@ Defined in: [packages/handlers/handle-autofill-ai.js:8](https://github.com/GTPSH
 
 > **content**: `string`
 
-Defined in: [packages/handlers/handle-autofill-ai.js:10](https://github.com/GTPSHAX/modul-ajar-generator/blob/d4b0e01a4a3d86231cbebd8dec7d9bc8aedf2a93/packages/handlers/handle-autofill-ai.js#L10)
+Defined in: [packages/handlers/handle-autofill-ai.js:10](https://github.com/GTPSHAX/modul-ajar-generator/blob/42ec3258b61b6f10fbbc19c487d848a7d8aaf16f/packages/handlers/handle-autofill-ai.js#L10)
 
 The content of the message
 
@@ -24,7 +24,7 @@ The content of the message
 
 > `optional` **name?**: `string`
 
-Defined in: [packages/handlers/handle-autofill-ai.js:11](https://github.com/GTPSHAX/modul-ajar-generator/blob/d4b0e01a4a3d86231cbebd8dec7d9bc8aedf2a93/packages/handlers/handle-autofill-ai.js#L11)
+Defined in: [packages/handlers/handle-autofill-ai.js:11](https://github.com/GTPSHAX/modul-ajar-generator/blob/42ec3258b61b6f10fbbc19c487d848a7d8aaf16f/packages/handlers/handle-autofill-ai.js#L11)
 
 Optional name for tool/function messages
 
@@ -34,7 +34,7 @@ Optional name for tool/function messages
 
 > **role**: `"system"` \| `"user"` \| `"assistant"` \| `"tool"`
 
-Defined in: [packages/handlers/handle-autofill-ai.js:9](https://github.com/GTPSHAX/modul-ajar-generator/blob/d4b0e01a4a3d86231cbebd8dec7d9bc8aedf2a93/packages/handlers/handle-autofill-ai.js#L9)
+Defined in: [packages/handlers/handle-autofill-ai.js:9](https://github.com/GTPSHAX/modul-ajar-generator/blob/42ec3258b61b6f10fbbc19c487d848a7d8aaf16f/packages/handlers/handle-autofill-ai.js#L9)
 
 The role of the message sender (excluding 'function' to avoid name requirement)
 
@@ -44,6 +44,6 @@ The role of the message sender (excluding 'function' to avoid name requirement)
 
 > `optional` **tool\_call\_id?**: `string`
 
-Defined in: [packages/handlers/handle-autofill-ai.js:12](https://github.com/GTPSHAX/modul-ajar-generator/blob/d4b0e01a4a3d86231cbebd8dec7d9bc8aedf2a93/packages/handlers/handle-autofill-ai.js#L12)
+Defined in: [packages/handlers/handle-autofill-ai.js:12](https://github.com/GTPSHAX/modul-ajar-generator/blob/42ec3258b61b6f10fbbc19c487d848a7d8aaf16f/packages/handlers/handle-autofill-ai.js#L12)
 
 Optional tool_call_id for tool messages
diff --git a/docs/api-reference/packages/handlers/handle-generate-docx/functions/default.md b/docs/api-reference/packages/handlers/handle-generate-docx/functions/default.md
index edc45c2..7e85ed3 100644
--- a/docs/api-reference/packages/handlers/handle-generate-docx/functions/default.md
+++ b/docs/api-reference/packages/handlers/handle-generate-docx/functions/default.md
@@ -6,9 +6,9 @@
 
 # Function: default()
 
-> **default**(`body`): `Promise`\<\{ `data?`: `any`; `message?`: `string`; `status`: `number`; \}\>
+> **default**(`body`, `req`): `Promise`\<\{ `data?`: `any`; `message?`: `string`; `status`: `number`; \}\>
 
-Defined in: [packages/handlers/handle-generate-docx.js:127](https://github.com/GTPSHAX/modul-ajar-generator/blob/d4b0e01a4a3d86231cbebd8dec7d9bc8aedf2a93/packages/handlers/handle-generate-docx.js#L127)
+Defined in: [packages/handlers/handle-generate-docx.js:129](https://github.com/GTPSHAX/modul-ajar-generator/blob/42ec3258b61b6f10fbbc19c487d848a7d8aaf16f/packages/handlers/handle-generate-docx.js#L129)
 
 Handles the generation of a DOCX document based on the provided body data.
 
@@ -18,6 +18,10 @@ Handles the generation of a DOCX document based on the provided body data.
 
 `any`
 
+### req
+
+`any`
+
 ## Returns
 
 `Promise`\<\{ `data?`: `any`; `message?`: `string`; `status`: `number`; \}\>
diff --git a/docs/api-reference/packages/utils/utils/functions/convertNumToRoman.md b/docs/api-reference/packages/utils/utils/functions/convertNumToRoman.md
index 15d6d1e..0ab965e 100644
--- a/docs/api-reference/packages/utils/utils/functions/convertNumToRoman.md
+++ b/docs/api-reference/packages/utils/utils/functions/convertNumToRoman.md
@@ -8,7 +8,7 @@
 
 > **convertNumToRoman**(`num`): `string`
 
-Defined in: [packages/utils/utils.js:92](https://github.com/GTPSHAX/modul-ajar-generator/blob/d4b0e01a4a3d86231cbebd8dec7d9bc8aedf2a93/packages/utils/utils.js#L92)
+Defined in: [packages/utils/utils.js:92](https://github.com/GTPSHAX/modul-ajar-generator/blob/42ec3258b61b6f10fbbc19c487d848a7d8aaf16f/packages/utils/utils.js#L92)
 
 Converts a number to its Roman numeral representation.
 
diff --git a/docs/api-reference/packages/utils/utils/functions/extractCodeFromMarkdownFence.md b/docs/api-reference/packages/utils/utils/functions/extractCodeFromMarkdownFence.md
index 92647ec..d47d446 100644
--- a/docs/api-reference/packages/utils/utils/functions/extractCodeFromMarkdownFence.md
+++ b/docs/api-reference/packages/utils/utils/functions/extractCodeFromMarkdownFence.md
@@ -8,7 +8,7 @@
 
 > **extractCodeFromMarkdownFence**(`code`): `string`
 
-Defined in: [packages/utils/utils.js:79](https://github.com/GTPSHAX/modul-ajar-generator/blob/d4b0e01a4a3d86231cbebd8dec7d9bc8aedf2a93/packages/utils/utils.js#L79)
+Defined in: [packages/utils/utils.js:79](https://github.com/GTPSHAX/modul-ajar-generator/blob/42ec3258b61b6f10fbbc19c487d848a7d8aaf16f/packages/utils/utils.js#L79)
 
 Cleans code extracted from markdown code blocks.
 Removes the enclosing backticks while preserving inner content.
diff --git a/docs/api-reference/packages/utils/utils/functions/getEnvPath.md b/docs/api-reference/packages/utils/utils/functions/getEnvPath.md
index 99a0c65..66f47d6 100644
--- a/docs/api-reference/packages/utils/utils/functions/getEnvPath.md
+++ b/docs/api-reference/packages/utils/utils/functions/getEnvPath.md
@@ -8,7 +8,7 @@
 
 > **getEnvPath**(`filename?`): `string` \| `null`
 
-Defined in: [packages/utils/utils.js:167](https://github.com/GTPSHAX/modul-ajar-generator/blob/d4b0e01a4a3d86231cbebd8dec7d9bc8aedf2a93/packages/utils/utils.js#L167)
+Defined in: [packages/utils/utils.js:167](https://github.com/GTPSHAX/modul-ajar-generator/blob/42ec3258b61b6f10fbbc19c487d848a7d8aaf16f/packages/utils/utils.js#L167)
 
 Gets the path to the .env file, checking both the current working directory and the project root. This allows for flexibility in where the .env file can be located, accommodating different deployment and development setups.
 
diff --git a/docs/api-reference/packages/utils/utils/functions/loadContexts.md b/docs/api-reference/packages/utils/utils/functions/loadContexts.md
index 8f6a852..2e1c6c2 100644
--- a/docs/api-reference/packages/utils/utils/functions/loadContexts.md
+++ b/docs/api-reference/packages/utils/utils/functions/loadContexts.md
@@ -8,7 +8,7 @@
 
 > **loadContexts**(`dir`): `object`
 
-Defined in: [packages/utils/utils.js:37](https://github.com/GTPSHAX/modul-ajar-generator/blob/d4b0e01a4a3d86231cbebd8dec7d9bc8aedf2a93/packages/utils/utils.js#L37)
+Defined in: [packages/utils/utils.js:37](https://github.com/GTPSHAX/modul-ajar-generator/blob/42ec3258b61b6f10fbbc19c487d848a7d8aaf16f/packages/utils/utils.js#L37)
 
 This function loads all Markdown files from a specified directory, reads their content, and constructs an object where each key is derived from the filename (converted to uppercase and underscores) and the value is the file's content. This allows for easy access to the content of multiple Markdown files in a structured format.
 
diff --git a/docs/api-reference/packages/utils/utils/functions/numTokensFromString.md b/docs/api-reference/packages/utils/utils/functions/numTokensFromString.md
index a5efcb8..1c21937 100644
--- a/docs/api-reference/packages/utils/utils/functions/numTokensFromString.md
+++ b/docs/api-reference/packages/utils/utils/functions/numTokensFromString.md
@@ -8,7 +8,7 @@
 
 > **numTokensFromString**(`message`, `model?`): `number`
 
-Defined in: [packages/utils/utils.js:110](https://github.com/GTPSHAX/modul-ajar-generator/blob/d4b0e01a4a3d86231cbebd8dec7d9bc8aedf2a93/packages/utils/utils.js#L110)
+Defined in: [packages/utils/utils.js:110](https://github.com/GTPSHAX/modul-ajar-generator/blob/42ec3258b61b6f10fbbc19c487d848a7d8aaf16f/packages/utils/utils.js#L110)
 
 Counts the number of tokens in a string using the specified model's tokenizer.
 
diff --git a/docs/api-reference/packages/utils/utils/functions/removeCodeBlocksFromMarkdown.md b/docs/api-reference/packages/utils/utils/functions/removeCodeBlocksFromMarkdown.md
index fe2f654..9759268 100644
--- a/docs/api-reference/packages/utils/utils/functions/removeCodeBlocksFromMarkdown.md
+++ b/docs/api-reference/packages/utils/utils/functions/removeCodeBlocksFromMarkdown.md
@@ -8,7 +8,7 @@
 
 > **removeCodeBlocksFromMarkdown**(`markdown`): `string`
 
-Defined in: [packages/utils/utils.js:63](https://github.com/GTPSHAX/modul-ajar-generator/blob/d4b0e01a4a3d86231cbebd8dec7d9bc8aedf2a93/packages/utils/utils.js#L63)
+Defined in: [packages/utils/utils.js:63](https://github.com/GTPSHAX/modul-ajar-generator/blob/42ec3258b61b6f10fbbc19c487d848a7d8aaf16f/packages/utils/utils.js#L63)
 
 Removes markdown code blocks and inline code from a markdown string.
 Note: This removes MARKDOWN code blocks (e.g., from markdown with embedded code),
diff --git a/docs/api-reference/packages/utils/utils/functions/removeImportRequire.md b/docs/api-reference/packages/utils/utils/functions/removeImportRequire.md
index 244c078..e2fdfb8 100644
--- a/docs/api-reference/packages/utils/utils/functions/removeImportRequire.md
+++ b/docs/api-reference/packages/utils/utils/functions/removeImportRequire.md
@@ -8,7 +8,7 @@
 
 > **removeImportRequire**(`content`): `string`
 
-Defined in: [packages/utils/utils.js:16](https://github.com/GTPSHAX/modul-ajar-generator/blob/d4b0e01a4a3d86231cbebd8dec7d9bc8aedf2a93/packages/utils/utils.js#L16)
+Defined in: [packages/utils/utils.js:16](https://github.com/GTPSHAX/modul-ajar-generator/blob/42ec3258b61b6f10fbbc19c487d848a7d8aaf16f/packages/utils/utils.js#L16)
 
 Removes import require, and export statements from a string.
 
diff --git a/docs/api-reference/packages/utils/utils/functions/validateBodyParams.md b/docs/api-reference/packages/utils/utils/functions/validateBodyParams.md
index 1452812..054440d 100644
--- a/docs/api-reference/packages/utils/utils/functions/validateBodyParams.md
+++ b/docs/api-reference/packages/utils/utils/functions/validateBodyParams.md
@@ -8,7 +8,7 @@
 
 > **validateBodyParams**(`body`, ...`requiredParams`): `object`
 
-Defined in: [packages/utils/utils.js:125](https://github.com/GTPSHAX/modul-ajar-generator/blob/d4b0e01a4a3d86231cbebd8dec7d9bc8aedf2a93/packages/utils/utils.js#L125)
+Defined in: [packages/utils/utils.js:125](https://github.com/GTPSHAX/modul-ajar-generator/blob/42ec3258b61b6f10fbbc19c487d848a7d8aaf16f/packages/utils/utils.js#L125)
 
 Validates that all required parameters are present in the request body.
 
diff --git a/packages/handlers/handle-cfcaptcha-validation.js b/packages/handlers/handle-cfcaptcha-validation.js
new file mode 100644
index 0000000..45ab5b2
--- /dev/null
+++ b/packages/handlers/handle-cfcaptcha-validation.js
@@ -0,0 +1,67 @@
+/**
+ * Handles Cloudflare Turnstile validation by verifying the Turnstile response token with the Cloudflare service.
+ * @param {any} body - The request body containing the Turnstile response token.
+ * @param {string|null} [remoteip=null] - The visitor's IP address (optional).
+ * @returns {Promise<boolean>} - A promise that resolves to true if the Turnstile validation is successful, or false otherwise.
+ */
+const handleCloudflareCaptchaValidation = async (body, remoteip = null) => {
+  const secret = process.env.CLOUDFLARE_TURNSTILE_SECRET_KEY
+  if (!secret || secret === 'undefined') {
+    console.warn('Bypassing Cloudflare Turnstile validation because CLOUDFLARE_TURNSTILE_SECRET_KEY is not set in environment variables.')
+    return true
+  }
+
+  const { 'cf-turnstile-response': turnstileResponse } = body
+  if (!turnstileResponse || typeof turnstileResponse !== 'string') {
+    console.warn('Cloudflare Turnstile response token is missing or invalid in the request body.')
+    return false
+  }
+
+  // Token characteristics: Maximum length 2048 characters
+  if (turnstileResponse.length > 2048) {
+    console.warn('Cloudflare Turnstile response token is too long.')
+    return false
+  }
+
+  const controller = new AbortController()
+  const timeoutId = setTimeout(() => controller.abort(), 10000)
+
+  try {
+    const response = await fetch('https://challenges.cloudflare.com/turnstile/v0/siteverify', {
+      method: 'POST',
+      headers: {
+        'Content-Type': 'application/json'
+      },
+      body: JSON.stringify({
+        secret,
+        response: turnstileResponse,
+        ...(remoteip && { remoteip })
+      }),
+      signal: controller.signal
+    })
+
+    const result = await response.json()
+
+    if (!result.success) {
+      console.error('Turnstile validation failed:', result['error-codes'])
+      return false
+    }
+
+    return true
+  } catch (/** @type {Error | unknown} */ error) {
+    if (error instanceof Error) {
+      if (error.name === 'AbortError') {
+        console.error('Turnstile validation timeout')
+      } else {
+        console.error('Error validating Cloudflare Turnstile:', error)
+      }
+    } else {
+      console.error('Unknown error validating Cloudflare Turnstile:', error)
+    }
+    return false
+  } finally {
+    clearTimeout(timeoutId)
+  }
+}
+
+export default handleCloudflareCaptchaValidation
diff --git a/packages/handlers/handle-generate-docx.js b/packages/handlers/handle-generate-docx.js
index 4090734..6aed508 100644
--- a/packages/handlers/handle-generate-docx.js
+++ b/packages/handlers/handle-generate-docx.js
@@ -10,6 +10,7 @@ import * as docx from 'docx'
 import * as docxConfig from '../scripts/docx/docx-config.js'
 import * as docxApi from '../scripts/docx/docx-api.js'
 import * as docxCoverPage from '../scripts/docx/docx-cover-page.js'
+import handleCloudflareCaptchaValidation from './handle-cfcaptcha-validation.js'
 
 const __dirname = import.meta.dirname
 
@@ -122,13 +123,19 @@ function buildRencanaKegiatan (body, kegiatanKeys) {
  * Handles the generation of a DOCX document based on the provided body data.
  *
  * @param {any} body
+ * @param {any} req
  * @returns {Promise<{status: number, data?: any, message?: string}>}
  */
-const handleGenerateDocx = async (body) => {
+const handleGenerateDocx = async (body, req) => {
+  const remoteip = req.ip || req.headers['x-forwarded-for'] || req.socket.remoteAddress
+
   // Validate hCaptcha response before proceeding with document generation
   if (!await handleHCaptchaValidation(body)) {
     return { status: 400, message: 'hCaptcha validation failed' }
   }
+  if (!await handleCloudflareCaptchaValidation(body, remoteip)) {
+    return { status: 400, message: 'Cloudflare Captcha validation failed' }
+  }
 
   const template = 'original' // TODO: Make this dynamic based on request parameter if multiple templates are supported in the future'
   const kegiatanKeys = Object.keys(body).filter(key => !FILTER_KEYS.includes(key))
diff --git a/packages/handlers/index.js b/packages/handlers/index.js
index 4935e1d..47fd41f 100644
--- a/packages/handlers/index.js
+++ b/packages/handlers/index.js
@@ -1,3 +1,4 @@
 /* eslint-disable import/export */
 export * from './handle-autofill-ai.js'
 export * from './handle-generate-docx.js'
+export * from './handle-cfcaptcha-validation.js'
diff --git a/resources/views/home.ejs b/resources/views/home.ejs
index 34be33f..c1f5df1 100644
--- a/resources/views/home.ejs
+++ b/resources/views/home.ejs
@@ -377,7 +377,9 @@
         </button>
       </div>
 
-      <% if (META.HCAPTCHA_SITE_KEY) { %>
+      <% if (META.CLOUDFLARE_TURNSTILE_SITE_KEY) { %>
+        <div class="cf-turnstile mt-4" data-sitekey="<%= META.CLOUDFLARE_TURNSTILE_SITE_KEY %>"></div>
+      <% } else if (META.HCAPTCHA_SITE_KEY) { %>
         <div class="h-captcha mt-4" data-sitekey="<%= META.HCAPTCHA_SITE_KEY %>"></div>
       <% } %>
       
@@ -394,7 +396,9 @@
     </div>
   </template>
 
-  <% if (META.HCAPTCHA_SITE_KEY) { %>
+  <% if (META.CLOUDFLARE_TURNSTILE_SITE_KEY) { %>
+    <script src="https://challenges.cloudflare.com/turnstile/v0/api.js" async defer></script>
+  <% } else if (META.HCAPTCHA_SITE_KEY) { %>
     <script src="https://js.hcaptcha.com/1/api.js" async defer></script>
   <% } %>
   <script src="/js/SwalWrapper.js"></script>
diff --git a/resources/views/layout/main.ejs b/resources/views/layout/main.ejs
index 9b54a01..a3ad66d 100644
--- a/resources/views/layout/main.ejs
+++ b/resources/views/layout/main.ejs
@@ -8,6 +8,9 @@
   <link rel="stylesheet" href="/css/main.css">
   <link rel="stylesheet" href="/sweetalert2.min.css">
 
+
+  <link rel="preconnect" href="https://challenges.cloudflare.com" />
+
   <!-- Prerequisite scripts -->
   <script src="/sweetalert2.js"></script>