Challenges
A challenge is a security mechanism that Cloudflare uses to verify whether a visitor to your site is a real human and not a bot or automated script.
When a challenge is issued, Cloudflare asks the browser to perform a series of checks that help confirm the visitor’s legitimacy. This process involves evaluating client side signals or asking a visitor to take minimal action such as checking a box. Challenges are designed to protect your application without introducing unnecessary friction. Most visitors will pass challenges automatically without interaction.
Cloudflare does not use CAPTCHA puzzles or visual tests like selecting objects or typing distorted characters. All challenge types are lightweight, privacy-preserving, and optimized for real-world traffic.
Challenges can be issued in three primary ways depending on which Cloudflare products or features are in use. Each method is designed to balance security with seamless visitor experience.
| Product | Challenge type(s) |
|---|---|
| WAF (custom rules, rate limiting rules, IP access rules) | Interstitial challenge page |
| Bot Management | JavaScript detection |
| Bot Fight Mode, Super Bot Fight Mode | Interstitial challenge page |
| Turnstile | Embedded widget |
| HTTP DDoS attack protection | Any challenge |
| Under Attack Mode | Managed challenge |
Turnstile is Cloudflare’s CAPTCHA-alternative solution. You can embed Turnstile as a widget on your site, where it runs a challenge directly in the visitor’s browser.
Turnstile does not pause the request or interrupt the user’s experience. Instead, the widget runs a client-side challenge in the background. In most cases, nothing further is required from the visitor. When needed, Turnstile may display a simple checkbox that the visitor must click to proceed.
After the challenge passes, Turnstile issues a token that you must validate using the siteverify API before completing a sensitive action like login, sign up, or other form submissions.
When a challenge is triggered by a rule in the Web Application Firewall (WAF), Bot Management, or Rate Limiting, Cloudflare presents a full-page interstitial challenge page. The request is paused while Cloudflare evaluates the browser environment. In some cases, the visitor may be asked to check a box for further probing.
If the challenge passes, the original request continues to your origin. If the challenge fails or cannot be completed, the visitor is presented with another interstitial challenge page.
In Bot Management, Cloudflare can issue a JavaScript challenge that runs silently in the browser. This check validates that the visitor supports and executes standard browser JavaScript, and provides a lightweight and privacy-preserving way to distinguish between bots and real users without adding friction to the experience.
The script runs a short set of tasks and, if successful, sets a cf_clearance cookie indicating that the visitor passed the check. It is exposed as the cf.bot_management.js_detection.passed field that you can use in WAF custom rules to take further action — such as issuing an interstitial challenge page.
If a visitor was unable to run JavaScript detection, the cf.bot_management.js_detection.passed field is set to False. Cloudflare advises that you should never block a request based on this field unless you are certain that the visitor has run JavaScript detections.
When a user is presented with a challenge page, Cloudflare decides what challenges need to be solved to prove they are human using results from the Private Access Token (PAT). If a user presents a token, they will have an easier time solving the challenge.
While some challenges are computationally complex or require interactivity, most of the challenges served are invisible to the user.
The challenge page is an interstitial page and users will see it regardless of having a valid PAT or not. A PAT does not automatically solve a challenge. It prevents certain challenges from being issued.
Cloudflare challenges cannot support the following:
- Browser extensions that modify the browser's
User-Agentvalue or Web APIs such asCanvasandWebGL. - Implementations where a domain serves a challenge page originally requested for another domain.
- Challenge pages cannot be embedded in cross-origin iframes.
- Client software where the solve request of a Managed Challenge comes from a different IP than the original IP a challenge request was issued to. For example, if you receive the challenge from one IP and solve it using another IP, the solve is not valid and you may encounter a challenge loop.
Was this helpful?
- Resources
- API
- New to Cloudflare?
- Products
- Sponsorships
- Open Source
- Support
- Help Center
- System Status
- Compliance
- GDPR
- Company
- cloudflare.com
- Our team
- Careers
- 2025 Cloudflare, Inc.
- Privacy Policy
- Terms of Use
- Report Security Issues
- Trademark