How Challenges work
Challenges can be issued in three primary ways depending on which Cloudflare products or features are in use. Each method is designed to balance security with seamless visitor experience.
| Product | Challenge type(s) |
|---|---|
| WAF (custom rules, rate limiting rules, IP access rules) | Interstitial Challenge Page |
| Bot Management | JavaScript Detections |
| Bot Fight Mode, Super Bot Fight Mode | Interstitial Challenge Page |
| Turnstile | Embedded widget |
| HTTP DDoS attack protection | Any Challenge |
| Under Attack Mode | Managed Challenge |
Challenge Pages and Turnstile rely on the same underlying mechanism to issue challenges to your website or application's visitors.
JavaScript Detections is an optional feature within Bot Management. When enabled, Cloudflare injects a JavaScript snippet into HTML responses to gather client-side signals. Unlike Challenge Pages, JavaScript Detections runs on every HTML request without pausing or interrupting the visitor. It populates a pass/fail result (`cf.bot_management.js_detection.passed`) that you can then act on using a WAF custom rule.
Refer to the following pages for more information on the different challenge types:
Cloudflare Challenges cannot support the following:
- Browser extensions that modify the browser's `User-Agent` value or Web APIs such as `Canvas` and `WebGL`.
- Implementations where a domain serves a challenge page originally requested for another domain.
- Challenge Pages cannot be embedded in cross-origin iframes.
- Client software where the solve request of a Managed Challenge comes from a different IP than the original IP a Challenge request was issued to. For example, if you receive the Challenge from one IP and solve it using another IP, the solve is not valid and you may encounter a Challenge loop.
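
To help diagnose the Challenge loop described in the last item, the following added example (not Cloudflare's code) correlates challenge-issued and challenge-solved events per visitor and flags solves that arrive from a different IP than the one the challenge was issued to. The event schema, the `visitor_key` field, and the sample records are constructed assumptions, not a Cloudflare log format.

```python
import ipaddress

# Constructed sample events in a hypothetical schema (not a Cloudflare log format):
# (timestamp, visitor_key, client_ip, event)
SAMPLE_EVENTS = [
    (100, "visitor-a", "198.51.100.7", "issued"),
    (104, "visitor-a", "198.51.100.7", "solved"),
    (200, "visitor-b", "203.0.113.10", "issued"),
    (203, "visitor-b", "203.0.113.99", "solved"),  # egress IP changed mid-challenge
    (204, "visitor-b", "203.0.113.99", "issued"),  # challenged again
    (207, "visitor-b", "203.0.113.10", "solved"),
    (208, "visitor-b", "203.0.113.10", "issued"),
    (300, "visitor-c", "192.0.2.44", "issued"),
    (302, "visitor-c", "2001:db8::44", "solved"),  # issued over IPv4, solved over IPv6
    (400, "visitor-d", "192.0.2.80", "solved"),    # no matching issue in this window
]


def find_ip_mismatches(events):
    """Map visitor_key -> {"mismatches": [...], "reissued": int}.

    Each mismatch is (issued_ip, solved_ip, timestamp, family_changed): a solve
    that came from a different address than the visitor's most recent challenge.
    "reissued" counts challenges issued after a visitor's first mismatch, which
    is the signature of a challenge loop.
    """
    pending = {}  # visitor_key -> address the open challenge was issued to
    report = {}
    for ts, visitor, ip_text, event in sorted(events):
        ip = ipaddress.ip_address(ip_text)  # normalises the text, raises on junk
        if event == "issued":
            if visitor in report:
                report[visitor]["reissued"] += 1
            pending[visitor] = ip
        elif event == "solved":
            issued_ip = pending.pop(visitor, None)
            if issued_ip is None:
                continue  # nothing to compare against
            if issued_ip != ip:
                entry = report.setdefault(visitor, {"mismatches": [], "reissued": 0})
                entry["mismatches"].append(
                    (str(issued_ip), str(ip), ts, issued_ip.version != ip.version))
    return report


if __name__ == "__main__":
    for visitor, info in find_ip_mismatches(SAMPLE_EVENTS).items():
        print(visitor, info)
```

A `family_changed` value of `True` points at dual-stack clients switching between IPv4 and IPv6, while `False` with a high `reissued` count points at rotating egress addresses such as a proxy pool or load-balanced NAT.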