How challenges work
Challenges can be issued in three primary ways depending on which Cloudflare products or features are in use. Each method is designed to balance security with seamless visitor experience.
| Product | Challenge type(s) |
|---|---|
| WAF (custom rules, rate limiting rules, IP access rules) | Interstitial challenge page |
| Bot Management | JavaScript detection |
| Bot Fight Mode, Super Bot Fight Mode | Interstitial challenge page |
| Turnstile | Embedded widget |
| HTTP DDoS attack protection | Any challenge |
| Under Attack Mode | Managed challenge |
Turnstile is Cloudflare’s CAPTCHA-alternative solution. You can embed Turnstile as a widget on your site, where it runs a challenge directly in the visitor’s browser.
Turnstile does not pause the request or interrupt the user’s experience. Instead, the widget runs a client-side challenge in the background. In most cases, nothing further is required from the visitor. When needed, Turnstile may display a simple checkbox that the visitor must click to proceed.
After the challenge passes, Turnstile issues a token that your server must validate using the siteverify API before completing a sensitive action such as login, sign up, or another form submission. The token proves only that a challenge was solved; the siteverify response is what tells you whether that token is genuine, and it must be checked on the server because the call requires your secret key.
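The server-side half of that flow, as an added example that is not Cloudflare's own code. It posts the token to the documented siteverify endpoint and then, beyond the bare `success` flag, checks the returned `hostname` and `action` against what the form expects, so a token solved on another site or for another widget cannot be replayed here. The secret, the sample hostname and action, the injectable `fetchImpl` parameter and the canned responses used to exercise it offline are constructed for this example. Siteverify tokens are single-use and expire, so validate once, promptly, and fail closed if the verifier cannot be reached.

```javascript
// Added example (not Cloudflare's code): server-side validation of a Turnstile
// token against the siteverify API before completing a sensitive action.
// The endpoint URL, POST parameters and response fields are the documented
// siteverify contract; the secret, expected hostname/action and the canned
// responses used for offline testing are constructed for this example.
const SITEVERIFY_URL = "https://challenges.cloudflare.com/turnstile/v0/siteverify";

// Decide whether a siteverify response is acceptable for this action.
// `success: true` alone is not enough: also check that the token was solved
// on your hostname and for the widget action you expect (e.g. "login"), so a
// token obtained on another site or form cannot be replayed against this one.
function evaluateSiteverify(data, { expectedHostname, expectedAction } = {}) {
  if (!data || data.success !== true) {
    return {
      ok: false,
      reason: "siteverify-failed",
      errors: Array.isArray(data?.["error-codes"]) ? data["error-codes"] : [],
    };
  }
  if (expectedHostname && data.hostname !== expectedHostname) {
    return { ok: false, reason: "hostname-mismatch", hostname: data.hostname };
  }
  if (expectedAction && data.action !== expectedAction) {
    return { ok: false, reason: "action-mismatch", action: data.action };
  }
  return { ok: true, challengeTs: data.challenge_ts };
}

// Submit the token from the form (the widget posts it as the hidden field
// "cf-turnstile-response") to siteverify. `fetchImpl` is injectable (an
// assumption of this example) so the logic can run offline against a
// constructed response.
async function verifyTurnstileToken(
  { secret, token, remoteIp, expectedHostname, expectedAction },
  fetchImpl = globalThis.fetch,
) {
  // Reject junk before spending a network round trip on it.
  if (typeof token !== "string" || token.length === 0 || token.length > 2048) {
    return { ok: false, reason: "missing-or-oversized-token" };
  }
  const body = new URLSearchParams({ secret, response: token });
  if (remoteIp) body.set("remoteip", remoteIp);

  const res = await fetchImpl(SITEVERIFY_URL, { method: "POST", body });
  if (!res.ok) {
    // Fail closed: an unreachable verifier must not let the action through.
    return { ok: false, reason: `siteverify-http-${res.status}` };
  }
  return evaluateSiteverify(await res.json(), { expectedHostname, expectedAction });
}

// Constructed stand-in for fetch that returns a canned siteverify body.
function fakeSiteverify(body, status = 200) {
  return async () => ({
    ok: status >= 200 && status < 300,
    status,
    json: async () => body,
  });
}

// Constructed responses: one that should pass, one solved on a different
// host, and one rejected by Cloudflare as expired or already used.
const GOOD = {
  success: true,
  challenge_ts: "2025-01-01T00:00:00.000Z",
  hostname: "example.com",
  action: "login",
};
const WRONG_HOST = { ...GOOD, hostname: "evil.example" };
const REPLAYED = { success: false, "error-codes": ["timeout-or-duplicate"] };

async function demo() {
  const opts = {
    secret: "0x_constructed_secret",
    token: "constructed.token",
    expectedHostname: "example.com",
    expectedAction: "login",
  };
  console.log(await verifyTurnstileToken(opts, fakeSiteverify(GOOD)));       // ok: true
  console.log(await verifyTurnstileToken(opts, fakeSiteverify(WRONG_HOST))); // hostname-mismatch
  console.log(await verifyTurnstileToken(opts, fakeSiteverify(REPLAYED)));   // siteverify-failed
}
if (typeof require !== "undefined" && require.main === module) demo();
```

In a real handler, replace `fakeSiteverify(...)` with the default `fetch` and pass the visitor's IP as `remoteIp`; keep the secret in server configuration only, and treat any `ok: false` result, including a verifier outage, as a failed submission.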
When a challenge is triggered by a rule in the Web Application Firewall (WAF), Bot Management, or Rate Limiting, Cloudflare presents a full-page interstitial challenge page. The request is paused while Cloudflare evaluates the browser environment. In some cases, the visitor may be asked to check a box for further probing.
If the challenge passes, the original request continues to your origin. If the challenge fails or cannot be completed, the visitor is presented with another interstitial challenge page.
In Bot Management, JavaScript detection runs silently in the browser to validate that the visitor supports and executes standard browser JavaScript. It provides a lightweight, privacy-preserving way to distinguish bots from real users without adding friction to the experience.
The script runs a short set of tasks and, if they succeed, sets a `cf_clearance` cookie indicating that the visitor passed the check. The result is exposed as the `cf.bot_management.js_detection.passed` field, which you can use in WAF custom rules to take further action, such as issuing an interstitial challenge page.
If a visitor was unable to run JavaScript detection, the `cf.bot_management.js_detection.passed` field is set to `false`. The field is also `false` when the detection script has not run at all, so a `false` value does not by itself prove that the client is a bot. For this reason Cloudflare advises that you should never block a request based on this field unless you are certain that the visitor has run JavaScript detection; issuing a challenge is the safer action.
Cloudflare challenges cannot support the following:
- Browser extensions that modify the browser's `User-Agent` value or Web APIs such as `Canvas` and `WebGL`.
- Implementations where a domain serves a challenge page originally requested for another domain.
- Challenge pages embedded in cross-origin iframes.
- Client software where the solve request of a Managed Challenge comes from a different IP than the one the challenge was originally issued to. For example, if you receive the challenge from one IP and solve it using another IP, the solve is not valid and you may encounter a challenge loop.