
Challenges

Learning Focus

By the end of this lesson you will understand the different challenge types Cloudflare uses, when each is triggered, and how to configure challenge rules.

What Are Cloudflare Challenges?

Challenges are tests that Cloudflare presents to visitors when it suspects they might be bots. Depending on the confidence level, the challenge can be invisible, a simple browser check, or an interactive puzzle.

Challenges are issued by custom rules (formerly firewall rules), the zone's Security Level setting, DDoS protection, and Bot Fight Mode. The rule or setting that matches a request decides which challenge type is served; the visitor's behaviour only decides whether a Managed Challenge stays invisible or turns interactive.

flowchart TD
REQUEST["Incoming Request"] --> ANALYSIS{"Matches a rule or\nSecurity Level threshold?"}
ANALYSIS -->|"No match"| PASS["✅ Pass Through"]
ANALYSIS -->|"Action: Managed Challenge"| MANAGED["Managed Challenge\n(invisible or interactive)"]
ANALYSIS -->|"Action: JS Challenge"| JS["JS Challenge\n(browser test)"]
ANALYSIS -->|"Action: Block"| BLOCK["❌ Block"]
MANAGED -->|"Pass"| PASS
JS -->|"Pass"| PASS

style PASS fill:#16a34a,color:#fff,stroke:#15803d
style BLOCK fill:#dc2626,color:#fff,stroke:#b91c1c
style MANAGED fill:#f6821f,color:#fff,stroke:#e5711e

Challenge Types

Cloudflare offers three challenge actions. Which one a visitor meets is decided by the rule or setting that matched the request; only within Managed Challenge does Cloudflare itself choose the least intrusive test it believes is sufficient, which is why most valid browsers pass with nothing visible.

1. Managed Challenge

Cloudflare's recommended default. The visitor is tested in the background and is shown an interactive step only when the background signals are inconclusive.

| Aspect | Details |
| --- | --- |
| User friction | Usually none; invisible for most real browsers |
| How it works | Cloudflare runs background checks (JavaScript execution, browser fingerprinting, behaviour analysis). If confident, the visitor passes silently; if uncertain, a checkbox or puzzle is shown. |
| When to use | Default for most rules; best balance of security and UX |

2. JS Challenge

Forces the client to execute a JavaScript computation. The visitor sees an interstitial page for roughly 5 seconds while it runs.

| Aspect | Details |
| --- | --- |
| User friction | Moderate: a ~5 second delay behind an interstitial page |
| How it works | Cloudflare serves a page whose JavaScript performs the computation and submits the result. A client that completes it is passed through. Clients without a JavaScript engine (curl, most HTTP libraries, simple scrapers) cannot complete it; a headless browser can. |
| When to use | To stop basic bots that do not run JavaScript. It also stops legitimate non-browser clients (API integrations, webhooks, uptime monitors), so exempt those with a Skip rule or keep the rule off API paths. |

3. Interactive Challenge

The visitor must interact with the challenge (for example, tick a checkbox or solve a puzzle). This is the most intrusive challenge type.

| Aspect | Details |
| --- | --- |
| User friction | High: the visitor must interact with a puzzle |
| How it works | A Turnstile-style interactive challenge (or, on older configurations, a legacy CAPTCHA) is shown and must be completed before a clearance cookie is issued |
| When to use | High-value endpoints (login, payment, sensitive forms) where the friction is acceptable |

Using Challenges in Custom Rules

Custom Rules (formerly Firewall Rules) challenge traffic that matches an expression. Rules are evaluated in order, and the first matching rule with a terminating action (Block, any challenge, or Skip) decides the request, so place Skip rules for traffic you trust above any challenge rule.

Example: Challenge Specific Countries

When: ip.geoip.country in {"RU" "CN" "VN"}
Then: Managed Challenge

ip.geoip.country still works but is a deprecated alias; new rules should use ip.src.country.

Example: Challenge Non-Browser User-Agents

When: not http.user_agent contains "Mozilla"
Then: JS Challenge

The User-Agent header is set by the client and trivially spoofed, so this only catches bots that do not bother to pretend. It also challenges every legitimate non-browser client (API consumers, webhooks, monitoring probes), none of which can pass a JS Challenge; scope the rule to page routes or add a Skip rule for known clients.

Example: Challenge an IP Range

When: ip.src in {203.0.113.0/24}
Then: Managed Challenge

This matches a static list of addresses; it does not react to request volume. To challenge clients by request rate, use a Rate Limiting rule instead.
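The three rules above, assembled as the Cloudflare Rulesets API expects them for the custom-rules phase, with a Skip rule placed first so first-party API clients never hit a challenge they cannot pass. This is an added example, not Cloudflare's code or part of the original page; the zone ID and API token come from environment variables, and ASN 64496, the /api/ and /login path prefixes are placeholders. The lint() function encodes this page's ordering advice and the free-plan limits, not Cloudflare requirements.

```python
"""Assemble a zone's custom ruleset (the http_request_firewall_custom phase),
check a few invariants, and optionally deploy it with
PUT /zones/{zone_id}/rulesets/phases/http_request_firewall_custom/entrypoint.

Added example, not Cloudflare's code. Placeholders (assumptions): zone ID and
API token come from the environment, ASN 64496 stands for "our own API
clients", and the path prefixes /api/ and /login are illustrative.
"""
import json
import os
import urllib.request

API = "https://api.cloudflare.com/client/v4"
PHASE = "http_request_firewall_custom"

# Actions a free-plan zone can use in custom rules (Log is Enterprise-only).
FREE_PLAN_ACTIONS = {"block", "managed_challenge", "js_challenge", "challenge", "skip"}
FREE_PLAN_MAX_RULES = 5
# Actions that no client without a JavaScript engine can ever satisfy.
BROWSER_ONLY = {"managed_challenge", "js_challenge", "challenge"}


def rule(action, expression, description, **action_parameters):
    """One rule object. Rules run in list order; the first match with a
    terminating action (block / challenge / skip) decides the request."""
    body = {"action": action, "expression": expression,
            "description": description, "enabled": True}
    if action_parameters:
        body["action_parameters"] = action_parameters
    return body


def build_ruleset():
    """Order matters: the skip rule comes first, because an API client that
    matched a challenge rule first would be challenged and could never pass."""
    return {"rules": [
        rule("skip",
             '(starts_with(http.request.uri.path, "/api/")) and (ip.src.asnum eq 64496)',
             "Our own API clients (placeholder ASN): skip the remaining custom rules",
             ruleset="current"),  # "current" = stop evaluating this ruleset
        rule("managed_challenge",
             'starts_with(http.request.uri.path, "/login")',
             "Login form: managed challenge, invisible to most real browsers"),
        rule("js_challenge",
             '(not http.user_agent contains "Mozilla") and (not starts_with(http.request.uri.path, "/api/"))',
             "Non-browser user agents on page routes: JS challenge"),
        rule("managed_challenge",
             'ip.src.country in {"RU" "CN" "VN"}',
             "Geo-based managed challenge (ip.src.country supersedes ip.geoip.country)"),
    ]}


def lint(ruleset, max_rules=FREE_PLAN_MAX_RULES, allowed=FREE_PLAN_ACTIONS):
    """Return a list of problems; an empty list means the checks pass.
    The ordering check is this page's advice, not a Cloudflare rule."""
    rules = ruleset["rules"]
    problems = []
    if len(rules) > max_rules:
        problems.append(f"{len(rules)} rules exceeds the plan limit of {max_rules}")
    for i, r in enumerate(rules):
        if r["action"] not in allowed:
            problems.append(f"rule {i} uses action {r['action']!r}, not available on this plan")
    first_challenge = next((i for i, r in enumerate(rules) if r["action"] in BROWSER_ONLY), None)
    for i, r in enumerate(rules):
        if r["action"] == "skip" and first_challenge is not None and i > first_challenge:
            problems.append(f"rule {i}: skip placed after a challenge rule; move it up")
    return problems


def deploy(ruleset, zone_id=None, token=None):
    """Replace the zone's custom ruleset in one PUT. Returns the parsed reply."""
    zone_id = zone_id or os.environ["CF_ZONE_ID"]
    token = token or os.environ["CF_API_TOKEN"]
    req = urllib.request.Request(
        f"{API}/zones/{zone_id}/rulesets/phases/{PHASE}/entrypoint",
        data=json.dumps(ruleset).encode(), method="PUT",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    rs = build_ruleset()
    print(json.dumps(rs, indent=2))          # dry run: show what would be sent
    issues = lint(rs)
    if issues:
        raise SystemExit("\n".join(issues))
    if os.environ.get("CF_ZONE_ID") and os.environ.get("CF_API_TOKEN"):
        print(json.dumps(deploy(rs), indent=2))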

Free Plan Limits

| Feature | Free Plan |
| --- | --- |
| Custom Rules | 5 rules |
| Available actions | Block, Managed Challenge, JS Challenge, Interactive Challenge, Skip (Log is an Enterprise-only action) |
| Expression builder | ✅ Visual builder available |

Security Level

Cloudflare's zone-wide Security Level decides how aggressively visitors are challenged, based on the reputation (threat score) of their IP address:

| Level | Behavior | Use Case |
| --- | --- | --- |
| Essentially Off | Challenges only the most severe offenders | Development/testing, or sites that tolerate abusive traffic |
| Low | Challenges only the most threatening visitors | High-traffic sites that cannot afford false positives |
| Medium | Challenges visitors with moderate or high threat scores | Default; good balance |
| High | Challenges every visitor whose IP has shown threatening behaviour recently | While under attack |
| I'm Under Attack | Serves a JS challenge interstitial to every visitor, including API clients and other non-browser traffic | Active DDoS attack; emergency use only. Exempt API paths with a Skip rule or a Configuration Rule, or those clients will fail. |

Set this at Security → Settings → Security Level.

Challenge Passage

When a visitor passes a challenge, Cloudflare sets the cf_clearance cookie so the visitor is not re-challenged on every page load. Challenge Passage sets how long that cookie stays valid:

| Setting | Default | Range |
| --- | --- | --- |
| Challenge Passage | 30 minutes | 5 minutes to 1 year |

Set this at Security → Settings → Challenge Passage. The cookie is issued to the browser that solved the challenge; it proves only that a challenge was passed recently and is not an authentication token.

tip

For most sites, 30 minutes is appropriate. Increase for sites where users have long sessions (e.g., dashboards, SaaS apps). Decrease for high-security applications.
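The Challenge Passage section and the non-browser User-Agent rule above both hinge on the same practical problem: a script that is challenged cannot tell, from the status code alone, that it was challenged rather than rejected by the origin, and it will never obtain a cf_clearance cookie on its own. Below is an added example, not part of the original page or Cloudflare's code, of a probe client that makes the distinction using the cf-mitigated: challenge response header Cloudflare adds to challenge pages. The sample responses are constructed, not captured traffic; the URL and User-Agent are placeholders.

```python
"""Tell a Cloudflare challenge page apart from a real origin response in a
non-browser client (uptime probe, webhook receiver test, API integration).

Added example; not Cloudflare's code. Relies on two documented facts: challenge
pages carry the response header cf-mitigated: challenge, and a passed challenge
is remembered with the cf_clearance cookie for the Challenge Passage period.
"""
from dataclasses import dataclass
from http.cookiejar import CookieJar
from typing import Dict
import urllib.error
import urllib.request

CF_MITIGATED = "cf-mitigated"
CLEARANCE_COOKIE = "cf_clearance"


class ChallengedError(Exception):
    """Cloudflare answered with a challenge instead of the origin. A plain HTTP
    client cannot solve it, so retrying is pointless; the fix is a Skip rule,
    a Configuration Rule, or allow-listing this client's ASN/IP."""


@dataclass
class Response:
    status: int
    headers: Dict[str, str]
    body: str = ""

    def header(self, name: str) -> str:
        # Header names are case-insensitive; intermediaries may change casing.
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return ""


def classify(resp: Response) -> str:
    """'challenge' if Cloudflare served a challenge page, otherwise 'origin'.
    The status alone is useless: challenge pages are HTTP 403, and so are
    many origin authorisation failures."""
    if resp.header(CF_MITIGATED).lower() == "challenge":
        return "challenge"
    return "origin"


def has_clearance(cookie_header: str) -> bool:
    """True when a Cookie header carries cf_clearance, i.e. a challenge was
    passed within the Challenge Passage window. Only a (headless) browser can
    earn it; this client never will by itself."""
    names = (part.strip().split("=", 1)[0]
             for part in cookie_header.split(";") if part.strip())
    return CLEARANCE_COOKIE in names


def fetch(url: str, user_agent: str = "status-probe/1.0") -> Response:
    """GET the URL and raise ChallengedError on a challenge page. urllib runs
    no JavaScript, so a JS or Managed Challenge can be reported, never passed."""
    jar = CookieJar()
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with opener.open(req) as r:
            resp = Response(r.status, dict(r.headers.items()),
                            r.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as e:
        resp = Response(e.code, dict(e.headers.items()),
                        e.read().decode("utf-8", "replace"))
    if classify(resp) == "challenge":
        raise ChallengedError(f"{url}: challenged (HTTP {resp.status}), not an origin error")
    return resp


# Constructed samples (not captured traffic): two 403s that mean different things.
CHALLENGE_PAGE = Response(403, {"Server": "cloudflare", "CF-Mitigated": "challenge",
                                "Content-Type": "text/html"}, "<html>challenge page</html>")
ORIGIN_FORBIDDEN = Response(403, {"Server": "cloudflare", "Content-Type": "application/json"},
                            '{"error":"token expired"}')
ORIGIN_OK = Response(200, {"Server": "cloudflare", "Content-Type": "application/json"},
                     '{"ok":true}')

if __name__ == "__main__":
    for name, sample in [("challenge page", CHALLENGE_PAGE),
                         ("origin 403", ORIGIN_FORBIDDEN), ("origin 200", ORIGIN_OK)]:
        print(f"{name}: HTTP {sample.status} -> {classify(sample)}")
    print("carries clearance:", has_clearance("cf_clearance=abc; session=1"))
```

Point a monitor at fetch() and alert on ChallengedError separately from HTTP errors: a run of challenges against your own probe usually means a rule, the Security Level, or Under Attack mode now covers a path it should skip, which is a configuration incident, not an origin outage.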

Common Misconceptions

"Challenges block all bots"

Reality: a challenge raises the attacker's cost; it does not stop bots outright. Headless browsers (Puppeteer, Playwright and similar) execute the JavaScript that JS and Managed Challenges rely on, and interactive puzzles can be farmed out to human solving services. Challenges are effective against low-to-medium sophistication bots. For advanced bot defence you need the paid Bot Management product.

"JS Challenge is invisible to users"

Reality: JS Challenge shows a ~5 second interstitial page. If you want invisible challenges, use Managed Challenge, which passes most real browsers silently.

"I should set Security Level to High all the time"

Reality: High security level will challenge many legitimate visitors, potentially hurting your site's usability and conversion rate. Use Medium by default and increase only during attacks.

Key Takeaways

  • Managed Challenge is the recommended default — it's invisible for most real users.
  • JS Challenge blocks simple bots but adds a ~5 second delay.
  • Custom Rules (5 free) let you apply challenges based on country, IP, user-agent, and more.
  • Security Level controls global challenge aggressiveness — keep it at Medium for most sites.
  • Challenge Passage cookies prevent users from being re-challenged on every page.

What's Next