Skip to content

Challenges

When a website is protected by Cloudflare, there are several occasions when it will challenge visitor traffic:

  • The visitor’s IP address has shown suspicious behavior online (as tracked by Project Honeypot).
  • The website owner has blocked the country associated with the visitor’s IP address.
  • The visitor’s actions have activated a WAF custom rule enabled by the website owner.

If the visitor passes the challenge, their request is allowed. If they fail, the request will be blocked.


Available challenges

Managed challenges are where Cloudflare dynamically chooses the appropriate type of challenge based on the characteristics of a request. This helps avoid CAPTCHAs, which also reduces the lifetimes of human time spent solving CAPTCHAs across the Internet.

Unless there are specific compatibility issues or other reasons to use other types of challenges, you should use managed challenges for your various custom rules.

Depending on the characteristics of a request, Cloudflare will choose an appropriate type of challenge, which may include but is not limited to:

  • A non-interactive challenge page (similar to the current JS Challenge).
  • A custom interactive challenge (such as click a button).
  • Private Access Tokens (using recent Apple operating systems).

Available products

Currently, Managed Challenge actions are available in the following security products:

JS challenge

With a JS challenge, Cloudflare presents challenge page that requires no interaction from a visitor, but rather JavaScript processing by their browser.

The visitor will have to wait until their browser finishes processing the JavaScript, which should be less than five seconds.

Interactive Challenge

Interactive challenges require a visitor to interact with the challenge page, presenting the visitor with an interactive challenge to solve. Cloudflare does not recommend using Interactive Challenges.

For more on why Cloudflare does not recommend using Interactive Challenge, in favor of Managed Challenge, refer to our blog.


Browser support

When your application sends a challenge, your visitors either receive a non-interactive or an interactive challenge page.

Supported browsers

If your visitors are using an up-to-date version of a major browser — such as Chrome, Firefox, Safari, Microsoft Edge, Chrome and Safari on mobile — they will receive the challenge correctly.

Challenges are not supported by Microsoft Internet Explorer.

If your visitors encounter issues using a major browser besides Internet Explorer, they should upgrade their browser.

Browser extensions

If you have browser extensions, they might lead to unpassable challenge loops. To fix, disable your extensions and reload the page.

Mobile device emulation

Challenges are not supported when device emulation is enabled on a browser, for example, using the browser’s developer tools.


Resolve a challenge

If a visitor encounters a challenge, Cloudflare employees cannot remove that challenge. Only the website owner can configure their Cloudflare settings to stop the challenge being presented.

When observing a Cloudflare Challenge page, a visitor could:

  • Successfully pass the challenge to visit the website.
  • Request the website owner to allow their IP address.
  • Scan their computer for malicious programs (it may be infected).
  • Check their antivirus or firewall service to make sure it is not blocking access to the challenge resources (for example, images).

Detecting a challenge page response

When a request encounters a Cloudflare challenge page instead of the originally anticipated response, the challenge page response (regardless of the challenge page type) will have the cf-mitigated header present and set to challenge. This header can be leveraged to detect if a response was challenged when making fetch/XHR requests. This header provides a reliable way to identify whether a response is a challenge or not, enabling a web application to take appropriate action based on the result. For example, a front-end application encountering a response from the backend may check the presence of this header value to handle cases where challenge pages encountered unexpectedly.

For the cf-mitigated header, challenge is the only valid value. The header is set for all challenge page types.

To illustrate, here is a JavaScript code snippet that demonstrates how to use the cf-mitigated header to detect whether a response was challenged:

fetch("/my-api-endpoint").then((response) => {
if (response.headers.get("cf-mitigated") === "challenge") {
// Handle challenged response
} else {
// Process response as usual
}
});

For additional help, refer to our FAQ for Challenges.


Private Access Tokens

When a user is presented with a challenge page, Cloudflare decides what challenges need to be solved to prove they are human. While some challenges are computationally complex or require interactivity, most of the challenges served are invisible to the user.

Cloudflare uses results from the Private Access Token (PAT) to decide what challenges users will see next. If a user presents a token, they will have an easier time solving the challenge.

The challenge page is an interstitial page and users will see it regardless of having a valid PAT or not. A PAT does not automatically solve a challenge. It prevents certain challenges from being issued.


Proxied hostnames

If your hostname is proxied through Cloudflare, visitors may experience challenges on your webpages.

Cloudflare issues challenges through the Challenge Platform, which is the same underlying technology powering Turnstile.

In contrast to our Challenge page offerings, Turnstile allows you to run challenges anywhere on your site in a less-intrusive way without requiring the use of Cloudflare’s CDN.


Multi-language support

Cloudflare Challenge Platform can detect multiple languages and display the localized challenge experience, which is determined by navigator.language value. The Navigator.language read-only property returns a string representing the preferred language of the user, usually the language of the browser user interface. The supported languages are currently English, Arabic, Chinese (Simplified), Chinese (Traditional), Dutch, French, German, Indonesian, Italian, Japanese, Korean, Persian/Farsi, Polish, Portuguese, Russian, Spanish, Turkish.


Favicon customization

Cloudflare challenges take the favicon of your website using GET /favicon.ico and displays it on the challenge page.

You can customize your favicon by using the HTML snippet below.

HTML element
<link rel="shortcut icon" href="<FAVICON_LINK>" />

Custom Content Security Policy not supported

You cannot set your own Content Security Policy (CSP) and/or Referer-Policy via meta tags or Transform Rules in challenge pages.


Common issues

Deprecated browser support

Challenges are not supported by Microsoft Internet Explorer. If you are currently using Internet Explorer, try using another modern web browser (Chrome, Safari, Firefox). If you are already using a modern web browser, make sure it is using the latest version.

Referer header

When a request is sent with a referer header, the user will receive a challenge page as a response. Upon solving the challenge page, the request with the referer is sent to the origin, and the response to the request is served to the user. The JavaScript on the response page may read the value of document.referer, but it will be inaccurate. This affects tools such as Google Analytics, which reads the referer from JavaScript.

You can add tracking scripts to challenge pages to capture the correct referer header on the initial request.

Cross-origin resource sharing (CORS) preflight requests

Cross-origin resource sharing (CORS) preflight requests, or OPTIONS, exclude user credentials that include cookies. As a result, the cf_clearance cookie will not be sent with the request, causing it to fail to bypass a challenge page (non-interactive, managed, or interactive challenge).


Limitations

Cloudflare challenges cannot support the following:

  • Browser extensions that modify the browser’s User-Agent value or Web APIs such as Canvas and WebGL.
  • Implementations where a domain serves a challenge page originally requested for another domain.
  • Challenge pages cannot be embedded in cross-origin iframes.
  • Client software where the solve request of a Managed Challenge comes from a different IP than the original IP a challenge request was issued to. For example, if you receive the challenge from one IP and solve it using another IP, the solve is not valid and you may encounter a challenge loop.