Skip to content
Cloudflare Docs

FAQ

Why am I being challenged on a Cloudflare-protected site?

Cloudflare issues challenges to website visitors to protect against malicious activity such as bot attacks and DDoS attacks. Key reasons include:

  • High threat score: IP addresses with a high-risk score trigger challenges.
  • IP reputation: If your IP has a history of suspicious activity, it may be flagged.
  • Bot detection: Automated traffic resembling bots is filtered by Cloudflare.
  • Web Application Firewall (WAF) custom rules: Site owners may set rules targeting specific regions or user agents.
  • Browser Integrity Check: Cloudflare verifies that browsers meet certain standards.
  • Challenge Passage: Technologies like Privacy Pass reduce the frequency of repeated challenges.

To avoid repeated challenges, ensure your browser is up to date, disable any privacy tools that might block standard browser headers, or use a different network connection if your current one has a poor IP reputation.

How do I exclude certain requests from being blocked or challenged?

In certain situations you want to enforce a blocking or challenging action but make an exception for specific types of requests.

Cloudflare supports two methods of allowing requests using WAF custom rules:

  • Exclude a type of request from being blocked or challenged in a custom rule by updating the rule expression, for example adding an exclusion based on IP address, ASN, or country.
  • Create a separate custom rule with a Skip action. This skip rule must appear before the rule with the block/challenge action in the rules list.

The examples below illustrate a few possible approaches.

Example 1

Exclude multiple IP addresses from a blocking/challenging rule that assesses attack score.

  • Basic rule, no exclusion:

    • Expression: (http.host eq "example.com" and cf.waf.score lt 20)
    • Action: Block (or a challenge action)

  • Rule that excludes IP addresses from being blocked/challenged:

    • Expression: (http.host eq "example.com" and cf.waf.score lt 20) and not (ip.src in {192.0.2.1 198.51.100.42 203.0.113.0/24})
    • Action: Block (or a challenge action)

  • Two rules to skip remaining custom rules for specific IPs and block the rest.

    1. Rule 1:

      • Expression: ip.src in {192.0.2.1 198.51.100.42 203.0.113.0/24}
      • Action: Skip > All remaining custom rules

    2. Rule 2:

      • Expression: (http.host eq "example.com" and cf.waf.score lt 20)
      • Action: Block (or a challenge action)

Example 2

Block Amazon Web Services (AWS) and Google Cloud Platform (GCP) because of large volumes of undesired traffic, but allow Googlebot and other known bots that Cloudflare validates.

  • Basic rule, no exclusion:

    • Expression: (ip.src.asnum in {16509 15169} and not cf.client.bot)
    • Action: Block (or a challenge action)

  • Rule that excludes IP addresses from being blocked/challenged:

    • Expression: (ip.src.asnum in {16509 15169} and not cf.client.bot) and not (ip.src in {192.0.2.1 198.51.100.42 203.0.113.0/24})
    • Action: Block (or a challenge action)

  • Two rules to skip remaining custom rules for specific IPs and block the rest.

    1. Rule 1:

      • Expression: ip.src in {192.0.2.1 198.51.100.42 203.0.113.0/24}
      • Action: Skip > All remaining custom rules

    2. Rule 2:

      • Expression: (ip.src.asnum in {16509 15169} and not cf.client.bot)
      • Action: Block (or a challenge action)

Do the Challenge actions support content types other than HTML (for example, AJAX or XHR requests)?

Previously, unless you customize your front-end application, any AJAX request that is challenged will fail because AJAX calls are not rendered in the DOM.

Now, you can opt-in to Turnstile’s Pre-Clearance cookies. This allows you to issue a challenge early in your web application flow and pre-clear users to interact with sensitive APIs. Clearance cookies issued by a Turnstile widget are automatically applied to the Cloudflare zone that the Turnstile widget is embedded on, with no configuration necessary. The duration of the clearance cookie’s validity is controlled by the zone-specific configurable Challenge Passage security setting.

Why would I not find any failed challenges?

Users do not complete all challenges. Cloudflare issues challenges that are never answered — only 2-3% of all served challenges are usually answered.

There are multiple reasons for this:

  • Users give up on a challenge.
  • Users try to solve a challenge but cannot provide an answer.
  • Users keep refreshing the challenge, but never submit an answer.
  • Cloudflare receives a malformed challenge answer.

You can calculated the number of failed challenges as follows: number of challenges issued - number of challenges solved.

Why do I have matches for a firewall rule that was not supposed to match the request?

Make sure you are looking at the correct request.

Only requests that triggered a challenge will match the request parameters of the rule. Subsequent requests with a [js]challengeSolved action may not match the parameters of the rule — for example, the bot score may have changed because the user solved a challenge.

The "solved" action is an informative action about a previous request that matched a rule. This action states that "previously a rule had matched a request with the action set to Interactive Challenge or JS Challenge and now that challenge was answered."

Are custom Content Security Policies (CSP) or custom error pages supported?

You cannot set your own Content Security Policy (CSP) and/or Referer-Policy via meta tags or Transform Rules in challenge pages.

Origin headers also cannot be modified for challenge pages.

If you are setting any of these headers using Transform Rules for your entire website, you must prefix the rule with not (starts_with(http.request.uri.path, "/cdn-cgi/challenge-platform/") or cf.response.error_type in {"managed_challenge" "iuam" "legacy_challenge" "country_challenge"}) in the rule expression to avoid issues with challenges.