Challenge pages
The types of available challenge pages function similarly. The main difference between the challenges are when and if an interaction is presented to the visitor.
- Managed challenges will rarely present the visitor with an interactive challenge, except in cases where Cloudflare cannot verify the legitimacy of the visitor.
- JavaScript challenges never present the visitor with an interactive challenge.
- Interactive challenges present the visitor with a simple and solvable challenge, such as selecting a checkbox, to verify their legitimacy.
Refer to the information below for more details on available challenges.
Managed challenges are where Cloudflare dynamically chooses the appropriate type of challenge based on the characteristics of a request. This helps avoid CAPTCHAs ↗, which also reduces the lifetimes of human time spent solving CAPTCHAs across the Internet.
Unless there are specific compatibility issues or other reasons to use other types of challenges, you should use managed challenges for your various custom rules.
With a JavaScript (JS) challenge, Cloudflare presents a challenge page that requires no interaction from a visitor except the JavaScript processed by their browser.
The visitor must wait until their browser finishes processing the JavaScript, which should be less than five seconds.
Interactive challenges require a visitor to interact with the interstitial challenge page, presenting the visitor with an interactive challenge to solve. Cloudflare does not recommend using Interactive Challenges. For more on why Cloudflare does not recommend using Interactive Challenge, in favor of Managed Challenge, refer to our blog post ↗.
When a request encounters a Cloudflare challenge page instead of the originally anticipated response, the challenge page response (regardless of the challenge page type) will have the cf-mitigated
header present and set to challenge
. This header can be leveraged to detect if a response was challenged when making fetch/XHR requests. This header provides a reliable way to identify whether a response is a challenge or not, enabling a web application to take appropriate action based on the result. For example, a front-end application encountering a response from the backend may check the presence of this header value to handle cases where challenge pages encountered unexpectedly.
For the cf-mitigated
header, challenge
is the only valid value. The header is set for all challenge page types.
To illustrate, here is a JavaScript code snippet that demonstrates how to use the cf-mitigated
header to detect whether a response was challenged:
fetch("/my-api-endpoint").then((response) => { if (response.headers.get("cf-mitigated") === "challenge") { // Handle challenged response } else { // Process response as usual }});
For additional help, refer to our FAQ.
If a visitor encounters a challenge, Cloudflare employees cannot remove that challenge. Only the website owner can configure their Cloudflare settings to stop the challenge being presented.
When observing a Cloudflare Challenge page, a visitor could:
- Successfully pass the challenge to visit the website.
- Request the website owner to allow their IP address.
- Scan their computer for malicious programs (it may be infected).
- Check their antivirus or firewall service to make sure it is not blocking access to the challenge resources (for example, images).
When a visitor solves a Cloudflare challenge - as part of a WAF custom rule or IP Access rule - you can set the Challenge Passage to prevent them from having to solve future challenges for a specified period of time.
When a visitor successfully solves a challenge, Cloudflare sets a cf_clearance
cookie in their browser. This cookie specifies the duration your website is accessible to that visitor.
When that visitor tries to access other parts of your website, Cloudflare evaluates the cookie before presenting another challenge. If the cookie is still valid, no challenges will be shown.
When Cloudflare evaluates a cf_clearance
cookie, a few extra minutes are included to account for clock skew. For XmlHTTP requests, an extra hour is added to the validation time to prevent breaking XmlHTTP requests for pages that set short lifetimes.
By default, the cf_clearance
cookie has a lifetime of 30 minutes. Cloudflare recommends a setting between 15 and 45 minutes.
To update the Challenge Passage (and the value of the cf_clearance
cookie):
- Log into the Cloudflare dashboard ↗.
- Select your account and domain.
- Go to Security > Settings.
- For Challenge Passage, select a duration.
The Challenge Passage does not apply to challenges issued by WAF managed rules. Also, Challenge Passage does not apply to rate limiting rules unless the rate limit is configured to issue a challenge.
Refer to supported languages for more information.
Cloudflare challenges take the favicon of your website using GET /favicon.ico
and displays it on the challenge page.
You can customize your favicon by using the HTML snippet below.
<link rel="shortcut icon" href="<FAVICON_LINK>" />
Was this helpful?
- Resources
- API
- New to Cloudflare?
- Products
- Sponsorships
- Open Source
- Support
- Help Center
- System Status
- Compliance
- GDPR
- Company
- cloudflare.com
- Our team
- Careers
- 2025 Cloudflare, Inc.
- Privacy Policy
- Terms of Use
- Report Security Issues
- Trademark