Cloudflare’s Security Level uses the IP reputation of a visitor to decide whether to present a page. Once the visitor enters the correct Managed Challenge, they receive the appropriate website resources.
|Security Level||Threat Scores||Description|
|Off (Enterprise customers only)||N/A||Does not challenge IP addresses.|
|Essentially off||greater than 49||Only challenges IP addresses with the worst reputation.|
|Low||greater than 24||Challenges only the most threatening visitors.|
|Medium||greater than 14||Challenges both moderate threat visitors and the most threatening visitors.|
|High||greater than 0||Challenges all visitors that exhibit threatening behavior within the last 14 days.|
|I’m Under Attack!||N/A||Only for use if your website is currently under a DDoS attack.|
Customize security level
Cloudflare sets Security Level to Medium by default.
To update the Security Level for your entire zone:
- Log into the .
- Select your account and zone.
- Go to Security > Settings.
- For Security Level, select an option.
If you wanted to set the Security level more selectively:
To prevent bot IPs from attacking a website:
- A new website owner might set a Medium or High Security Level and lower to a value below 30 minutes to ensure that Cloudflare is constantly protecting the site.
- An experienced website administrator confident in their security settings might set Security Level to Essentially Off or Low while setting a higher for a week, month, or even year to provide a less obtrusive visitor experience.
Only use mode when a website is under a DDoS attack. I’m Under Attack! mode may affect some actions on your domain, such as your API traffic. Set a custom Security Level for your API or any other part of your domain by creating a for that portion of your site traffic.