Cloudflare Docs
Visit WAF on GitHub
Set theme to dark (⇧+D)

Security Level

Cloudflare’s Security Level uses the IP reputation of a visitor to decide whether to present a Managed Challenge page. Once the visitor enters the correct Managed Challenge, they receive the appropriate website resources.

​​ Security levels

IP reputation is calculated based on Project Honeypot, external public IP information, as well as internal threat intelligence from our WAF managed rules and DDoS.

Security LevelThreat ScoresDescription
Off (Enterprise customers only)N/ADoes not challenge IP addresses.
Essentially offgreater than 49Only challenges IP addresses with the worst reputation.
Lowgreater than 24Challenges only the most threatening visitors.
Mediumgreater than 14Challenges both moderate threat visitors and the most threatening visitors.
Highgreater than 0Challenges all visitors that exhibit threatening behavior within the last 14 days.
I’m Under Attack!N/AOnly for use if your website is currently under a DDoS attack.

​​ Customize security level

Cloudflare sets Security Level to Medium by default.

​​ Update globally

To update the Security Level for your entire zone:

  1. Log into the Cloudflare dashboard.
  2. Select your account and zone.
  3. Go to Security > Settings.
  4. For Security Level, select an option.

​​ Update selectively

If you wanted to set the Security level more selectively:

​​ Recommendations

To prevent bot IPs from attacking a website:

  • A new website owner might set a Medium or High Security Level and lower Challenge Passage to a value below 30 minutes to ensure that Cloudflare is constantly protecting the site.
  • An experienced website administrator confident in their security settings might set Security Level to Essentially Off or Low while setting a higher Challenge Passage for a week, month, or even year to provide a less obtrusive visitor experience.

Only use I’m Under Attack! mode when a website is under a DDoS attack. I’m Under Attack! mode may affect some actions on your domain, such as your API traffic.  Set a custom Security Level for your API or any other part of your domain by creating a Configuration Rule for that portion of your site traffic.