---
title: Challenges
description: When a Challenge is issued, Cloudflare asks the browser to perform a series of checks that help confirm the visitor's legitimacy. This process involves evaluating client-side signals (data gathered from the visitor's browser environment) or asking a visitor to take minimal action such as checking a box or selecting a button.
image: https://developers.cloudflare.com/core-services-preview.png
---

[Skip to content](#%5Ftop) 

Was this helpful?

YesNo

[ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-challenges/index.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) 

Copy page

# Challenges

Challenges are security mechanisms used by Cloudflare to verify whether a visitor to your site is a real human and not a bot or automated script.

When a Challenge is issued, Cloudflare asks the browser to perform a series of checks that help confirm the visitor's legitimacy. This process involves evaluating client-side signals (data gathered from the visitor's browser environment) or asking a visitor to take minimal action such as checking a box or selecting a button.

Challenges are designed to protect your application without introducing unnecessary friction. Most visitors will pass Challenges automatically without interaction.

Cloudflare does not use CAPTCHA puzzles or visual tests like selecting objects or typing distorted characters. All challenge types are lightweight, privacy-preserving, and optimized for real-world traffic.

---

## Related products

**[Turnstile](https://developers.cloudflare.com/turnstile/)** 

Use Cloudflare's smart CAPTCHA alternative to run less intrusive Challenges.

**[Bots](https://developers.cloudflare.com/bots/)** 

Cloudflare bot solutions identify and mitigate automated traffic to protect your domain from bad bots.

**[WAF](https://developers.cloudflare.com/waf/)** 

Get automatic protection from vulnerabilities and the flexibility to create custom rules.

**[DDoS Protection](https://developers.cloudflare.com/ddos-protection/)** 

Detect and mitigate Distributed Denial of Service (DDoS) attacks using Cloudflare's Autonomous Edge.

```json
{"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-challenges/","name":"Challenges"}}]}
```

---

---
title: Troubleshooting
description: If your hostname is proxied through Cloudflare, visitors may experience challenges on your webpages.
image: https://developers.cloudflare.com/core-services-preview.png
---

[Skip to content](#%5Ftop) 

Was this helpful?

YesNo

[ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-challenges/troubleshooting/index.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) 

Copy page

# Troubleshooting

## Common issues

### Proxied hostnames

If your hostname is proxied through Cloudflare, visitors may experience challenges on your webpages.

Cloudflare issues challenges through the [Challenge Platform](https://developers.cloudflare.com/cloudflare-challenges/), which is the same underlying technology powering [Turnstile](https://developers.cloudflare.com/turnstile/).

In contrast to our Challenge page offerings, Turnstile allows you to run challenges anywhere on your site in a less-intrusive way without requiring the use of Cloudflare's CDN.

### Deprecated browser support

Challenges are not supported by Microsoft Internet Explorer. If you are currently using Internet Explorer, try using another modern web browser (Chrome, Safari, Firefox). If you are already using a modern web browser, make sure it is using the latest version.

### Referer header

Your visitor's HTTP request contains a referer header set to the website that they came from. When they encounter and solve a Challenge Page, the request with the referer is sent to the origin, and the response to the request is served to the user. The JavaScript on the response page may read the value of `document.referer`, but it will not be accurate.

For example, a visitor coming from a given website is challenged by a [WAF rule](https://developers.cloudflare.com/waf/custom-rules/) via an interstitial Challenge Page served by your domain. Once the visitor loads the website's home page, the `document.referer` value is your domain, not the origin website.

This affects tools like Google Analytics, which reads the referer from JavaScript, since it replaces the previous website that visitors came from.

You can add tracking scripts, such as the Google Tag Manager Javascript, within an existing [Challenge Page](https://developers.cloudflare.com/rules/custom-errors/) to capture the correct referer header on the initial request.

Example JavaScript

```

<script>

    (function () {

      const gaIds = {

        "<YOUR_DOMAIN>": "<GA_TRACKING_ID>",

      };


      const gaId = gaIds[window.location.hostname];


      if (gaId) {

        const src = "https://www.googletagmanager.com/gtag/js?id=";


        const gaScript = document.createElement("script");

        gaScript.src = src.concat(gaId);

        document.body.appendChild(gaScript);


        window.dataLayer = window.dataLayer || [];

        function gtag() {

          dataLayer.push(arguments);

        }

        gtag("js", new Date());

        gtag("config", gaId);

      } else {

        console.warn(

          "Google Analytics ID not found for host:",

          window.location.hostname,

        );

      }

    })();

  </script>

</body>


```

### Cross-origin resource sharing (CORS) preflight requests

Cross-origin resource sharing (CORS) preflight requests, or `OPTIONS`, exclude user credentials that include cookies. As a result, the `cf_clearance` cookie will not be sent with the request, causing it to fail to bypass a Challenge Page (Non-interactive, Managed, or Interactive Challenge).

### Challenges on Cloudflare-protected sites

Cloudflare issues challenges to website visitors to protect against malicious activity, such as bot attacks and DDoS attempts. If a legitimate human visitor is unexpectedly challenged, the reason typically stems from a security feature flagging their request.

| Source                                      | Description                                                                 |
| ------------------------------------------- | --------------------------------------------------------------------------- |
| High threat score                           | IP addresses with a high-risk score trigger Challenges.                     |
| IP reputation                               | If your IP has a history of suspicious activity, it may be flagged.         |
| Bot detection                               | Automated traffic resembling bots is filtered by Cloudflare.                |
| Web Application Firewall (WAF) custom rules | Site owners may set rules targeting specific regions or user agents.        |
| Browser Integrity Check                     | Cloudflare verifies that browsers meet certain standards.                   |
| Challenge Passage                           | Technologies like Privacy Pass reduce the frequency of repeated Challenges. |

To avoid repeated challenges, visitors can take the following steps to ensure their environment does not trigger security checks:

* Ensure your web browser is updated to the latest stable version for full compatibility with modern challenge technologies.
* Temporarily disable browser extensions, such as ad blockers or privacy tools, that may block standard browser headers or the necessary challenge scripts.
* If your IP address has a poor reputation (often seen with shared VPNs or corporate proxies), try switching to a different, trusted network connection.

### Allowlist traffic from mitigation actions

If you need to prevent a **Block** or **Challenge** action from being applied to specific requests, such as known search engine crawlers, monitoring services, or internal APIs, you must configure an exclusion using [WAF custom rules](https://developers.cloudflare.com/waf/custom-rules/).

Cloudflare supports two primary methods for creating these exclusions:

#### 1\. Use a Skip rule (recommended)

The most robust method for creating an exception is to create a custom rule with the **Skip** action. This allows matching requests to bypass certain security features, including Bot Management and other WAF rules.

Note

Due to the evaluation order, **Skip** rules must be positioned before the **Block** or **Challenge** rule they are designed to bypass.

Example

Block Amazon Web Services (AWS) and Google Cloud Platform (GCP) because of large volumes of undesired traffic, but allow Googlebot and other known bots that Cloudflare validates.

* Basic rule, no exclusion:  
   * **Expression**: `(ip.src.asnum in {16509 15169} and not cf.client.bot)`  
   * **Action**: Block (or a challenge action)
* Rule that excludes IP addresses from being blocked or challenged:  
   * **Expression**: `(ip.src.asnum in {16509 15169} and not cf.client.bot) and not (ip.src in {192.0.2.1 198.51.100.42 203.0.113.0/24})`  
   * **Action**: Block (or a challenge action)
* Two rules to skip remaining custom rules for specific IPs and block the rest.  
   1. Rule 1:  
         * Expression: `ip.src in {192.0.2.1 198.51.100.42 203.0.113.0/24}`  
         * Action: Skip > All remaining custom rules  
   2. Rule 2:  
         * Expression: `(ip.src.asnum in {16509 15169} and not cf.client.bot)`  
         * Action: Block (or a challenge action)

#### 2\. Modify the Rule Expression

You can refine the expression of a **Block** or **Challenge** rule to directly exclude known good traffic by using the logical not operator with an exclusion list, such as an IP list, country code, or ASN.

This approach is useful for simple exclusions but can make complex rules more difficult to maintain than separate **Skip** rules.

Example

Exclude multiple IP addresses from a **Block** or **Challenge** rule that assesses attack score.

* Basic rule, no exclusion:  
   * **Expression**: `(http.host eq "example.com" and cf.waf.score lt 20)`  
   * **Action**: Block (or a challenge action)
* Rule that excludes IP addresses from being blocked/challenged:  
   * **Expression**: `(http.host eq "example.com" and cf.waf.score lt 20) and not (ip.src in {192.0.2.1 198.51.100.42 203.0.113.0/24})`  
   * **Action**: Block (or a challenge action)
* Two rules to skip remaining custom rules for specific IPs and block the rest.  
   1. Rule 1:  
         * Expression: `ip.src in {192.0.2.1 198.51.100.42 203.0.113.0/24}`  
         * Action: Skip > All remaining custom rules  
   2. Rule 2:  
         * Expression: `(http.host eq "example.com" and cf.waf.score lt 20)`  
         * Action: Block (or a challenge action)

```json
{"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-challenges/","name":"Challenges"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-challenges/troubleshooting/","name":"Troubleshooting"}}]}
```

---

---
title: Challenge solve issues
description: You may encounter a challenge loop where the challenge keeps reappearing without being solved. This is in very specific cases where we detect strong bot signals. If you are a legitimate human, you can follow the troubleshooting guide below to resolve the issue or submit a feedback report. Challenge loops can happen for several reasons:
image: https://developers.cloudflare.com/core-services-preview.png
---

[Skip to content](#%5Ftop) 

Was this helpful?

YesNo

[ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-challenges/troubleshooting/challenge-solve-issues.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) 

Copy page

# Challenge solve issues

## Challenge loops

You may encounter a challenge loop where the challenge keeps reappearing without being solved. This is in very specific cases where we detect strong bot signals. If you are a legitimate human, you can follow the troubleshooting guide below to resolve the issue or submit a feedback report. Challenge loops can happen for several reasons:

* **Network issues**: Poor or unstable network connections can prevent the challenge from being completed.
* **Browser configuration**: Some browser settings or extensions may block the scripts needed to execute the challenge.
* **Unsupported browsers**: Using a browser that is not supported by Turnstile.
* **JavaScript disabled**: Turnstile relies on JavaScript to function properly.
* **Detection errors**: If Turnstile suspects bot-like behavior, you may encounter repeated challenges for verification.

Most challenges are quick to complete and typically take only a few seconds. If it takes longer, ensure your network is stable and follow the [troubleshooting steps](#troubleshooting).

Note

If the issue persists, try switching to a different network or device to rule out any issues with your browser environment.

Ensure your browser is updated to the latest version to maintain compatibility.

## Troubleshooting

Follow the steps below to ensure that your environment is properly configured.

1. Verify your browser compatibility.  
   * Turnstile supports all major browsers, except Internet Explorer.  
   * Ensure your browser is up to date. For more information, refer to our [Supported browsers](https://developers.cloudflare.com/cloudflare-challenges/reference/supported-browsers/).
2. Disable your browser extensions.  
   * Some browser extensions, such as ad blockers, may block the scripts Turnstile needs to operate.  
   * Temporarily disable all extensions and reload the page.
3. Enable JavaScript.  
   * Turnstile requires JavaScript to run. Ensure it is enabled in your browser settings. Refer to your browser's documentation for instructions on enabling JavaScript.
4. Try Incognito or Private mode.  
   * Use your browser's incognito or private mode to rule out issues caused by extensions or cached data.
5. Test another browser or device.  
   * Switch to a different browser or device to see if the issue is specific to your current setup.
6. Avoid VPNs or proxies.  
   * Some virtual private networks (VPN) or proxies may interfere with Turnstile. Disable them temporarily to test.
7. Switch to a different network.  
   * Your current network may have restrictions causing Turnstile challenges to fail. Try switching to another network, such as a mobile hotspot.

If none of the above resolves your issue, contact the website administrator with the [error code](https://developers.cloudflare.com/turnstile/troubleshooting/client-side-errors/error-codes/) and Ray ID or submit a [feedback report](https://developers.cloudflare.com/turnstile/troubleshooting/feedback-reports/) through the Turnstile widget by selecting **Submit Feedback**.

```json
{"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-challenges/","name":"Challenges"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-challenges/troubleshooting/","name":"Troubleshooting"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-challenges/troubleshooting/challenge-solve-issues/","name":"Challenge solve issues"}}]}
```

---

---
title: Interstitial Challenge Pages
description: An interstitial Challenge Page (a full-page screen that appears before the visitor reaches the destination URL) acts as a gate between the visitor and your website or application while Cloudflare verifies the authenticity of the visitor.
image: https://developers.cloudflare.com/core-services-preview.png
---

[Skip to content](#%5Ftop) 

Was this helpful?

YesNo

[ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-challenges/challenge-types/challenge-pages/index.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) 

Copy page

# Interstitial Challenge Pages

An interstitial Challenge Page (a full-page screen that appears before the visitor reaches the destination URL) acts as a gate between the visitor and your website or application while Cloudflare verifies the authenticity of the visitor.

The Challenge Page intercepts the visitor from getting to the destination URL by holding the request and evaluating the browser environment for automated signals, and serving a challenge. The visitor cannot reach their destination without passing the challenge. Based on the signals indicated by their browser environment, the visitor may be asked to perform an interaction such as checking a box or selecting a button for further probing.

You can implement a Challenge Page to your website or application by creating a [WAF custom rule](https://developers.cloudflare.com/waf/custom-rules/).

Challenges are triggered by a rule in the [Web Application Firewall (WAF)](https://developers.cloudflare.com/waf/), [Bot Management](https://developers.cloudflare.com/bots/), or [Rate limiting](https://developers.cloudflare.com/waf/rate-limiting-rules/).

The level of interactivity and visibility of the Challenge Page depends on the Action that you select when creating the WAF rule for your website or application.

## Actions

The following challenge types are the available actions when you create a WAF rule for a Challenge Page.

### Non-Interactive Challenges

With a Non-Interactive Challenge, Cloudflare makes the determination on whether or not the visitor is automated based on the limited information attained from their browser signals via an injected JavaScript. Then, it presents a Challenge Page that requires no interaction from a visitor except the JavaScript processed by their browser.

The visitor must wait until their browser finishes processing the JavaScript, which typically takes less than five seconds.

If the visitor passes the challenge, the original request continues to the destination URL. If the challenge fails or cannot be completed, the visitor is presented with another interstitial Challenge Page.

### Managed Challenges

Managed Challenges are where Cloudflare dynamically chooses the appropriate type of challenge served to the visitor based on the characteristics of a request from the signals indicated by their browser. This helps avoid [CAPTCHAs ↗](https://www.cloudflare.com/learning/bots/how-captchas-work/), which also reduces the lifetimes of human time spent solving CAPTCHAs across the Internet.

Most human visitors are automatically verified and the Challenge Page will display **Successful**. However, if Cloudflare detects non-human attributes from the visitor's browser, they may be required to interact with the challenge to solve it.

Cloudflare recommends Managed Challenges for most WAF rules. Unless there are specific compatibility issues, do not use other challenge types.

Warning

Using Cloudflare Challenges along with Rules features may cause challenge loops. Refer to [Rules troubleshooting](https://developers.cloudflare.com/rules/reference/troubleshooting/) for more information.

### Interactive Challenges

Interactive Challenge Pages require a visitor to interact with the challenge to pass.

Cloudflare always recommends using a Managed Challenge. For more information, refer to the [Cloudflare blog post ↗](https://blog.cloudflare.com/end-cloudflare-captcha/).

## Compatibility limitations

Challenge Pages interrupt the request flow by returning a full HTML page for the user's browser to render and solve. This mechanism fails when the browser expects a non-HTML response, such as an AJAX or XHR (fetch) request.

To ensure your API calls are protected without breaking single-page applications (SPAs) or API integrations, Cloudflare recommends using Turnstile Pre-clearance.

By enabling Pre-clearance, the Turnstile widget issues a persistent clearance cookie (`cf_clearance`) upon successful human verification on an initial HTML page. This cookie pre-clears the visitor to interact with sensitive API endpoints secured by WAF rules, allowing you to deploy granular security without forcing a disruptive Challenge Page response.

For implementation details, refer to the [guidance on Pre-clearance for Turnstile](https://developers.cloudflare.com/cloudflare-challenges/concepts/clearance/#pre-clearance-support-in-turnstile).

```json
{"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-challenges/","name":"Challenges"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-challenges/challenge-types/","name":"Available Challenges"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-challenges/challenge-types/challenge-pages/","name":"Interstitial Challenge Pages"}}]}
```

---

---
title: Additional configuration
description: Refer to supported languages for more information.
image: https://developers.cloudflare.com/core-services-preview.png
---

[Skip to content](#%5Ftop) 

Was this helpful?

YesNo

[ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-challenges/challenge-types/challenge-pages/additional-configuration.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) 

Copy page

# Additional configuration

## Multi-language support

Refer to [supported languages](https://developers.cloudflare.com/cloudflare-challenges/reference/supported-languages/) for more information.

---

## Favicon customization

Cloudflare Challenges take the favicon of your website using `GET /favicon.ico` and displays it on the Challenge Page.

You can customize your favicon by using the HTML snippet below.

HTML element

```

<link rel="shortcut icon" href="<FAVICON_LINK>" />


```

---

## Custom Content Security Policy (CSP) and error pages

Cloudflare-served Challenge Pages operate in a strictly controlled environment to maximize security and ensure the challenge mechanism functions correctly. Because of this, you cannot set your own Content Security Policy (CSP) or Referer-Policy using `<meta>` tags or Transform Rules on Challenge Pages. Origin headers can be modified within the Challenge Page context and are not immutable, but they may cause issues.

If you have an active Transform Rule configured to modify HTTP response headers globally across your website, such as adding custom CSP headers, this rule will interfere with and cause the Challenge Page to fail.

To prevent this conflict, you must modify your Transform Rule expression to explicitly exclude Challenge Page error types. Prefix your Transform Rule expression with the following logical exclusion:

```

not cf.response.error_type in {"managed_challenge" "iuam" "legacy_challenge" "country_challenge"}


```

This exclusion ensures that your custom header modification logic is only applied to traffic destined for your origin, allowing Cloudflare's Challenge Platform to function without being impacted by conflicting response headers.

---

## Custom Challenge Pages

Before defining a custom Challenge Page in your Cloudflare account, you will need to design and code that page. It can be hosted on your own web server or using a Cloudflare product like [Snippets](https://developers.cloudflare.com/rules/snippets/).

Refer to [Design your custom error page](https://developers.cloudflare.com/rules/custom-errors/edit-error-pages/#1-design-your-custom-error-page) for more information.

### How it works

When a zone has a custom Challenge Page configured, your uploaded HTML is fetched from the Custom Pages Worker (KV-backed).

Cloudflare replaces the `::CF_WIDGET_BOX::` placeholder token with the full challenge bootstrap `<script>` block.

### Placeholder tokens

The custom error token provides diagnostic information or specific functionality that appears on the error page. Refer to [Error tokens](https://developers.cloudflare.com/rules/custom-errors/reference/error-tokens/) for more details.

* `::CF_WIDGET_BOX::`
* `::CAPTCHA_BOX::`
* `::IM_UNDER_ATTACK_BOX::`
* `::CLIENT_IP::`
* `::RAY_ID::`
* `::GEO::`

Note

`::CF_WIDGET_BOX::` is always replaced regardless of challenge type — use this for new templates.

### Requirements

1. `::CF_WIDGET_BOX::` must appear exactly once in the body. This is where the challenge script is injected.
2. `<head>` tag must be present.
3. Cloudflare will set `cTplC: 1` in the browser's `window._cf_chl_opt` when a custom template is in use. Do not add your own `window._cf_chl_opt`. Any existing definition will cause conflicts.
4. Do not block `/cdn-cgi/challenge-platform/` paths via Content Security Policy (CSP). Challenges will not work correctly with this kind of block in place.
5. The page is served for all three challenge types (managed, interactive, non-interactive) if you use `::CF_WIDGET_BOX::`.

### Templates

* [ Minimal template ](#tab-panel-3350)
* [ Full template ](#tab-panel-3351)

Example

```

<!DOCTYPE html>

<html lang="en-US">

<head>

  <title>Example Title</title>

  <meta charset="UTF-8">

  <meta name="viewport" content="width=device-width,initial-scale=1">

</head>

<body>

  ::CF_WIDGET_BOX::

</body>

</html>


```

Example

```

<!DOCTYPE html>

<html lang="en-US">

<head>

  <title>Security Check — example.com</title>

  <meta charset="UTF-8">

  <meta http-equiv="X-UA-Compatible" content="IE=Edge">

  <meta name="robots" content="noindex,nofollow">

  <meta name="viewport" content="width=device-width,initial-scale=1">

  <style>

    *, *::before, *::after { box-sizing: border-box; margin: 0; padding: 0; }

    body {

      font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, sans-serif;

      background: #f8f9fa;

      color: #1a1a2e;

      min-height: 100vh;

      display: flex;

      flex-direction: column;

      align-items: center;

      justify-content: center;

      padding: 1rem;

    }

    .card {

      background: #ffffff;

      border-radius: 12px;

      box-shadow: 0 4px 24px rgba(0,0,0,0.08);

      padding: 2.5rem 3rem;

      max-width: 520px;

      width: 100%;

      text-align: center;

    }

    .logo {

      width: 64px;

      height: 64px;

      margin: 0 auto 1.5rem;

    }

    h1 {

      font-size: 1.4rem;

      font-weight: 600;

      margin-bottom: 0.5rem;

    }

    .subtitle {

      font-size: 0.95rem;

      color: #666;

      margin-bottom: 2rem;

      line-height: 1.5;

    }

    /* The challenge widget will be injected here — give it space */

    .challenge-widget {

      margin: 1.5rem 0;

      min-height: 65px;        /* Turnstile widget is ~65px tall */

      display: flex;

      align-items: center;

      justify-content: center;

    }

    .meta {

      margin-top: 2rem;

      font-size: 0.75rem;

      color: #aaa;

      line-height: 1.6;

    }

    noscript .noscript-warning {

      background: #fff3cd;

      border: 1px solid #ffc107;

      border-radius: 8px;

      padding: 1rem;

      font-size: 0.9rem;

      color: #856404;

      margin-bottom: 1rem;

    }

  </style>

</head>

<body>

  <div class="card">

    <!-- Your logo / branding -->

    <svg class="logo" viewBox="0 0 64 64" fill="none" xmlns="http://www.w3.org/2000/svg">

      <circle cx="32" cy="32" r="32" fill="#E8F4FD"/>

      <path d="M32 16a16 16 0 1 1 0 32A16 16 0 0 1 32 16zm0 4a12 12 0 1 0 0 24A12 12 0 0 0 32 20z"

            fill="#0051C3"/>

      <circle cx="32" cy="32" r="4" fill="#0051C3"/>

    </svg>

    <h1>Verifying you are human</h1>

    <p class="subtitle">

      This security check helps us protect example.com from automated traffic.

      It will only take a moment.

    </p>

    <noscript>

      <div class="noscript-warning">

        Please enable JavaScript and cookies to continue.

      </div>

    </noscript>

    <!--

      REQUIRED: One of the following placeholders must appear exactly once.

      FL2 will replace it with the Cloudflare challenge bootstrap <script>.

      Use ::CF_WIDGET_BOX:: for all challenge types (recommended).

      Older alternatives:

        ::CAPTCHA_BOX::          — managed / interactive challenges

        ::IM_UNDER_ATTACK_BOX:: — non-interactive / JS challenge

    -->

    <div class="challenge-widget">

      ::CF_WIDGET_BOX::

    </div>

    <div class="meta">

      Performance & security by your company<br>

      Ray ID: <code>::RAY_ID::</code> •

      Your IP: <code>::CLIENT_IP::</code> •

      Country: <code>::GEO::</code>

    </div>

  </div>

</body>

</html>


```

```json
{"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-challenges/","name":"Challenges"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-challenges/challenge-types/","name":"Available Challenges"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-challenges/challenge-types/challenge-pages/","name":"Interstitial Challenge Pages"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-challenges/challenge-types/challenge-pages/additional-configuration/","name":"Additional configuration"}}]}
```

---

---
title: Challenge Passage
description: When a visitor solves a Cloudflare Challenge - as part of a WAF custom rule or IP Access rule - you can set the Challenge Passage to prevent them from having to solve future Challenges for a specified period of time.
image: https://developers.cloudflare.com/core-services-preview.png
---

[Skip to content](#%5Ftop) 

Was this helpful?

YesNo

[ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-challenges/challenge-types/challenge-pages/challenge-passage.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) 

Copy page

# Challenge Passage

When a visitor solves a [Cloudflare Challenge](https://developers.cloudflare.com/cloudflare-challenges/) \- as part of a [WAF custom rule](https://developers.cloudflare.com/waf/custom-rules/) or [IP Access rule](https://developers.cloudflare.com/waf/tools/ip-access-rules/) \- you can set the **Challenge Passage** to prevent them from having to solve future Challenges for a specified period of time.

### How it works

When a visitor successfully solves a challenge, Cloudflare sets a [cf\_clearance cookie](https://developers.cloudflare.com/fundamentals/reference/policies-compliances/cloudflare-cookies/#additional-cookies-used-by-the-challenge-platform) in their browser. This cookie specifies the duration your website is accessible to that visitor.

When that visitor tries to access other parts of your website, Cloudflare evaluates the cookie before presenting another challenge. If the cookie is still valid, no challenges will be shown.

When Cloudflare evaluates a `cf_clearance` cookie, a few extra minutes are included to account for clock skew. For XmlHTTP requests, an extra hour is added to the validation time to prevent breaking XmlHTTP requests for pages that set short lifetimes.

### Customize the Challenge Passage

By default, the `cf_clearance` cookie has a lifetime of 30 minutes. Cloudflare recommends a setting between 15 and 45 minutes.

To update the Challenge Passage (and the value of the `cf_clearance` cookie):

1. In the Cloudflare dashboard, go to the **Security Settings** page.  
[ Go to **Settings** ](https://dash.cloudflare.com/?to=/:account/:zone/security/settings)
2. Go to **Challenge passage**.
3. Select the edit icon to set a timeout duration.

### Limitations

The Challenge Passage does not apply to rate limiting rules.

```json
{"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-challenges/","name":"Challenges"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-challenges/challenge-types/","name":"Available Challenges"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-challenges/challenge-types/challenge-pages/","name":"Interstitial Challenge Pages"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-challenges/challenge-types/challenge-pages/challenge-passage/","name":"Challenge Passage"}}]}
```

---

---
title: Implement a Challenge Page via WAF custom rules
description: You can implement a Challenge Page to your website or application by creating a WAF custom rule.
image: https://developers.cloudflare.com/core-services-preview.png
---

[Skip to content](#%5Ftop) 

Was this helpful?

YesNo

[ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-challenges/challenge-types/challenge-pages/create-custom-rule.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) 

Copy page

# Implement a Challenge Page via WAF custom rules

You can implement a Challenge Page to your website or application by creating a [WAF custom rule](https://developers.cloudflare.com/waf/custom-rules/).

Challenges are triggered by a rule in the [Web Application Firewall (WAF)](https://developers.cloudflare.com/waf/), [Bot Management](https://developers.cloudflare.com/bots/), or [Rate limiting](https://developers.cloudflare.com/waf/rate-limiting-rules/).

* **Bot Management**: You can set the custom rule to challenge a visitor based on the [bot score](https://developers.cloudflare.com/bots/concepts/bot-score/) or [detection ID](https://developers.cloudflare.com/bots/additional-configurations/detection-ids/).
* **Rate limiting**: You can challenge visitors based on your defined rate limits.

```json
{"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-challenges/","name":"Challenges"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-challenges/challenge-types/","name":"Available Challenges"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-challenges/challenge-types/challenge-pages/","name":"Interstitial Challenge Pages"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-challenges/challenge-types/challenge-pages/create-custom-rule/","name":"Implement a Challenge Page via WAF custom rules"}}]}
```

---

---
title: Detect a Challenge Page response
description: When a request encounters a Cloudflare Challenge Page instead of the originally anticipated response, the Challenge Page response (regardless of the Challenge Page type) will have the cf-mitigated header present and set to challenge. This header can be leveraged to detect if a response was challenged when making fetch/XHR requests. This header provides a reliable way to identify whether a response is a Challenge or not, enabling a web application to take appropriate action based on the result. For example, a front-end application encountering a response from the backend may check the presence of this header value to handle cases where Challenge Pages encountered unexpectedly.
image: https://developers.cloudflare.com/core-services-preview.png
---

[Skip to content](#%5Ftop) 

Was this helpful?

YesNo

[ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-challenges/challenge-types/challenge-pages/detect-response.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) 

Copy page

# Detect a Challenge Page response

When a request encounters a Cloudflare Challenge Page instead of the originally anticipated response, the Challenge Page response (regardless of the Challenge Page type) will have the `cf-mitigated` header present and set to `challenge`. This header can be leveraged to detect if a response was challenged when making fetch/XHR requests. This header provides a reliable way to identify whether a response is a Challenge or not, enabling a web application to take appropriate action based on the result. For example, a front-end application encountering a response from the backend may check the presence of this header value to handle cases where Challenge Pages encountered unexpectedly.

Note

Regardless of the requested resource-type, the content-type of a challenge will be `text/html`.

For the `cf-mitigated` header, `challenge` is the only valid value. The header is set for all Challenge Page types.

To illustrate, here is a JavaScript code snippet that demonstrates how to use the `cf-mitigated` header to detect whether a response was challenged:

JavaScript

```

fetch("/my-api-endpoint").then((response) => {

  if (response.headers.get("cf-mitigated") === "challenge") {

    // Handle challenged response

  } else {

    // Process response as usual

  }

});


```

```json
{"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-challenges/","name":"Challenges"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-challenges/challenge-types/","name":"Available Challenges"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-challenges/challenge-types/challenge-pages/","name":"Interstitial Challenge Pages"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-challenges/challenge-types/challenge-pages/detect-response/","name":"Detect a Challenge Page response"}}]}
```

---

---
title: Resolve a Challenge
description: If a visitor encounters a Challenge, Cloudflare employees cannot remove that Challenge. Only the website owner can configure their Cloudflare settings to stop the Challenge being presented.
image: https://developers.cloudflare.com/core-services-preview.png
---

[Skip to content](#%5Ftop) 

Was this helpful?

YesNo

[ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-challenges/challenge-types/challenge-pages/resolve-challenge.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) 

Copy page

# Resolve a Challenge

If a visitor encounters a Challenge, Cloudflare employees cannot remove that Challenge. Only the website owner can configure their Cloudflare settings to stop the Challenge being presented.

When observing a Cloudflare Challenge page, a visitor could:

* Successfully pass the Challenge to visit the website.
* Request the website owner to allow their IP address.
* Scan their computer for malicious programs (it may be infected).
* Check their antivirus or firewall service to make sure it is not blocking access to the Challenge resources (for example, images).

Note

Visitors must enable JavaScript and cookies on their browser to be able to pass any type of Challenge.

```json
{"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-challenges/","name":"Challenges"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-challenges/challenge-types/","name":"Available Challenges"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-challenges/challenge-types/challenge-pages/","name":"Interstitial Challenge Pages"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-challenges/challenge-types/challenge-pages/resolve-challenge/","name":"Resolve a Challenge"}}]}
```

---

---
title: JavaScript Detections
description: JavaScript Detections is a type of challenge separate from Cloudflare’s Challenge Pages or Turnstile. Javascript Detections helps Cloudflare's bot solutions identify automated requests.
image: https://developers.cloudflare.com/core-services-preview.png
---

[Skip to content](#%5Ftop) 

Was this helpful?

YesNo

[ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-challenges/challenge-types/javascript-detections.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) 

Copy page

# JavaScript Detections

JavaScript Detections is a type of challenge separate from Cloudflare’s Challenge Pages or Turnstile. Javascript Detections helps Cloudflare's [bot solutions](https://developers.cloudflare.com/bots/) identify automated requests.

While Challenge Pages and Turnstile rely on client-side signals to determine the authenticity of a request, Bot Management’s JavaScript Detections relies on client-side signals and run on every single request made to your website.

## Process

JavaScript Detections is implemented on your website via a lightweight, invisible JavaScript code snippet that follows Cloudflare's [privacy standards ↗](https://www.cloudflare.com/privacypolicy/).

JavaScript is injected only in response to requests for HTML pages or page views, excluding AJAX calls. API and mobile application traffic is unaffected.

JavaScript Detections has a lifespan of 15 minutes. However, the code is injected again before the session expires. After page load, the script is deferred and utilizes a separate thread (where available) to ensure that performance impact is minimal. The snippets of JavaScript will contain a source pointing to the Challenge Platform, with paths that start with `/cdn-cgi/challenge-platform/…`

Once JavaScript Detections is injected on the HTML page, the visitor's browser will run the JavaScript code snippet and a `cf_clearance` cookie is issued to the visitor. The information in JavaScript Detections is stored in the `cf_clearance` cookie and is used to populate `js_detection.passed`.

* If the visitor is verified and a `cf_clearance` cookie is issued, it will contain the outcome: `cf.bot_management.js_detection.passed` \= `true`
* If the verification fails, the cookie will contain the outcome: `cf.bot_management.js_detection.passed` \= `false`

Note

The `cf_clearance` cookie cannot exceed the maximum size of 4096 bytes.

Warning

Enforcement against bots does **not** occur even if the cookie is flagged false.

You must enable JavaScript Detections and then create a custom WAF rule using the `cf.bot_management.js_detection.passed` field to block or challenge a failed request.

When the visitor encounters a WAF custom rule on your website, the rule will check the outcome of the `cf_clearance` cookie. The outcome of the `cf_clearance` cookie determines whether the request passes, or is blocked or challenged.

Refer to the steps below to enable and enforce JavaScript Detections.

## 1\. Enable JavaScript Detections

For Bot Fight Mode customers, [JavaScript Detections](https://developers.cloudflare.com/cloudflare-challenges/challenge-types/javascript-detections/) is automatically enabled and cannot be disabled.

For Super Bot Fight Mode and Bot Management for Enterprise customers, [JavaScript Detections](https://developers.cloudflare.com/cloudflare-challenges/challenge-types/javascript-detections/) is optional.

* [  New dashboard ](#tab-panel-3354)
* [ Old dashboard ](#tab-panel-3355)

1. In the Cloudflare dashboard, go to the **Security Settings** page.  
[ Go to **Settings** ](https://dash.cloudflare.com/?to=/:account/:zone/security/settings)
2. Under your bot traffic plan configurations, select the edit icon for **JS detections** and turn **JavaScript Detections** on.

1. Log in to the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), and select your account and domain.
2. Go to **Security** \> **Bots**.
3. Select **Configure Bot Management**.
4. For **JavaScript Detections**, switch the toggle to **On**.

For more details on how to set up bot protection, refer to the [Bots documentation](https://developers.cloudflare.com/bots/get-started/).

## 2\. Enforce execution of JavaScript Detections

Once you enable JavaScript detections, you must use the `cf.bot_management.js_detection.passed` field to create [WAF custom rules](https://developers.cloudflare.com/waf/custom-rules/) (or the `request.cf.botManagement.jsDetection.passed` variable in [Workers](https://developers.cloudflare.com/workers/)).

When adding this field to WAF custom rules, it is used on endpoints expecting browser traffic (avoiding native mobile applications or websocket endpoints), after a user's first request to your application (Cloudflare needs at least one HTML request before injecting JavaScript detection), and with the Managed Challenge action, because there are legitimate reasons a user might not have passed a JavaScript Detection challenge (network issues, ad blockers, disabled JavaScript in browser, native mobile applications).

### Prerequisites

* You must have an [Enterprise Bot Management](https://developers.cloudflare.com/bots/plans/bm-subscription/) subscription.
* You must have JavaScript Detections enabled on your zone.
* You must have [updated your Content Security Policy headers](https://developers.cloudflare.com/cloudflare-challenges/challenge-types/javascript-detections/#if-you-have-a-content-security-policy-csp) for JavaScript detections.
* You must not run this field on websocket endpoints.
* You must use the field in a custom rules expression that expects only browser traffic.
* The action should always be a managed challenge in case a legitimate user has not received the challenge for network or browser reasons.
* The path specified in the rule builder should never be the first HTML page a user visits when browsing your site.

The `cf.bot_management.js_detection.passed` field should never be used in a WAF custom rule that matches a visitor's first request to a site. It is necessary to have at least one HTML request before Cloudflare can inject JavaScript detection.

* [ WAF rule example ](#tab-panel-3352)
* [ Workers example ](#tab-panel-3353)

```

(http.request.uri.path eq "/api/v4/user/create" and http.request.method eq "POST" and not cf.bot_management.verified_bot)

and (cf.bot_management.score lt 30 or !cf.bot_management.js_detection.passed)


```

JavaScript

```

"botManagement": {

"jsDetection": {

    "passed": false

}

}


```

Refer to the [WAF documentation](https://developers.cloudflare.com/waf/custom-rules/create-dashboard/) for more information on creating a custom rule.

## API

If you enable JavaScript Detections via the dashboard, Cloudflare will insert a script tag in all HTML pages served on your website. If you would prefer to limit where JavaScript Detections is served, you can do so with the JavaScript Detections API script.

The JavaScript Detections API allows you more granular control over when and where JavaScript Detections is injected on your website, as well as an option for callback handling (for logging or other additional actions).

You can explicitly add a script reference to `/cdn-cgi/challenge-platform/scripts/jsd/api.js` and your own code calling `window.cloudflare.jsd.executeOnce` on specific HTML pages of your website.

Warning

It is not recommended to combine both approaches (zone-wide toggle and the manual injection). If you want to selectively deploy JavaScript Detections only on certain pages, disable JavaScript Detections via the Cloudflare dashboard and use the JavaScript Detections API exclusively.

The following script must be added to every page that you wish to have JavaScript Detections enabled:

JavaScript

```

<script>


function jsdOnload(){

  window.cloudflare.jsd.executeOnce(

    {

      callback: function(result){

        console.log('jsd outcome', result);

    }

  );

}

</script>

<script src="/cdn-cgi/challenge-platform/scripts/jsd/api.js?onload=jsdOnload" async>


```

Note

`result` \= `success` or `error` only refers to the execution of JavaScript Detections. It does not indicate whether a visitor is a human or a bot.

## Considerations

JavaScript Detections does not guarantee a specific bot score.

* If the JavaScript Detections injection or execution fails and `cf.bot_management.js_detection.passed` \= `false`, a separate Bot Management heuristic can still yield a `1` or higher bot score, independent of JavaScript Detections.
* If the JavaScript Detections passes, the final bot score may still be `1` due to other detection heuristics (for example, known malicious IP, signature detection, and more), resulting in `js_detection.passed` \= `true`, but `score` \= `1`.

## Limitations

### If you enabled Bot Management before June 2020

Customers who enabled Enterprise Bot Management before June 2020 do not have JavaScript Detections enabled by default (unless specifically requested). These customers can still enable the feature in the Cloudflare dashboard.

### If it is the first request to your website

The first request from a new client to your website or application will generally not have JavaScript Detections data (`cf.bot_management.js_detection.passed` \= `false`). This is because Cloudflare needs at least one HTML request before injecting JavaScript Detection and issuing the `cf_clearance` cookie.

Subsequent requests can include a `cf_clearance` cookie if JavaScript ran successfully.

### If you have a Content Security Policy (CSP)

If you have a Content Security Policy (CSP), you need to take additional steps to implement JavaScript Detections:

* Ensure that anything under `/cdn-cgi/challenge-platform/` is allowed. Your CSP should allow scripts served from your origin domain (`script-src self`).
* For `nonce` script tags:  
   * If your CSP uses a `nonce` for script tags, Cloudflare will add these nonces to the scripts it injects by parsing your CSP response header.  
   * If your CSP does not use `nonce` for script tags and **JavaScript Detections** is enabled, you may see a console error such as `Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-b123b8a70+4jEj+d6gWI9U6IilUJIrlnRJbRR/uQl2Jc='), or a nonce ('nonce-...') is required to enable inline execution.` We highly discourage the use of `unsafe-inline` and instead recommend the use CSP `nonces` in script tags which we parse and support in our CDN.

Warning

JavaScript Detections is not supported with `nonce` set via `<meta>` tags.

### If you have ETags

Enabling JavaScript Detections (JSD) will strip [ETags](https://developers.cloudflare.com/cache/reference/etag-headers/) from HTML responses where JSD is injected.

```json
{"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-challenges/","name":"Challenges"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-challenges/challenge-types/","name":"Available Challenges"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-challenges/challenge-types/javascript-detections/","name":"JavaScript Detections"}}]}
```

---

---
title: Turnstile
description: Turnstile is Cloudflare's CAPTCHA-alternative solution. You can embed Turnstile as a widget on your website or application, where it runs a client-side challenge directly in the background of the visitor's browser.
image: https://developers.cloudflare.com/core-services-preview.png
---

[Skip to content](#%5Ftop) 

Was this helpful?

YesNo

[ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-challenges/challenge-types/turnstile.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) 

Copy page

# Turnstile

[Turnstile](https://developers.cloudflare.com/turnstile/) is Cloudflare's CAPTCHA-alternative solution. You can embed Turnstile as a widget on your website or application, where it runs a client-side challenge directly in the background of the visitor's browser.

Turnstile differs from Challenges Pages in that the challenge does not pause the request or interrupt the user's experience. Since the widget is embedded onto the webpage and only runs on a specific part of the HTML, the visitor will have already arrived at the destination URL and is viewing the page when they encounter a Turnstile widget. Instead of blocking the visitor from accessing the entire website, the Turnstile widget prevents the visitor from certain actions such as completing login or sign up forms, and more, until the widget is solved.

In most cases, nothing further is required from the visitor. However, if necessary, Turnstile may display a simple checkbox that the visitor must click to proceed.

After the challenge passes, Turnstile issues a clearance token to the visitor that must be validated via the [Siteverify API](https://developers.cloudflare.com/turnstile/get-started/server-side-validation/) before completing a sensitive action like login, sign up, or other form submissions.

Warning

It is critical to enforce Turnstile tokens with the Siteverify API. The Turnstile token could be invalid, expired, or already redeemed. Not verifying the token will leave major vulnerabilities in your implementation.

You **must** call Siteverify to complete your Turnstile configuration. Otherwise, it is incomplete and will result in zeroes for token validation when viewing your metrics in [Turnstile Analytics](https://developers.cloudflare.com/turnstile/turnstile-analytics/).

## Widget types

While there are three types of widgets that you can choose to implement on your website or application, the challenge logic behind them remains the same.

* **Managed (recommended)**: Functions similar to a Managed Challenge Page. It selects a challenge based on the signals gathered from the visitor's browser and presents an interaction only if it detects potentially automated traffic.
* **Non-Interactive**: The widget is displayed, but the visitor does not need to interact with it to verify their identity.
* **Invisible**: The widget is completely invisible to the visitor, but the challenge still runs in the background.  
Link to Cloudflare's Turnstile Privacy Policy  
As a condition of enabling invisible mode, you must reference Cloudflare's [Turnstile Privacy Addendum ↗](https://www.cloudflare.com/turnstile-privacy-policy/) in your own privacy policy.

## Implementation

When you create a widget for your website or application via the Cloudflare dashboard, you will receive a sitekey.

The sitekey is used with [client-side rendering](https://developers.cloudflare.com/turnstile/get-started/client-side-rendering/#implicitly-render-the-turnstile-widget) by adding it to the `<div>` container placeholder. You will then place that `<div>` code snippet where you want to add the widget to your site page or form.

## Get started

Refer to the [Turnstile documentation](https://developers.cloudflare.com/turnstile/get-started/) for guidance on implementing a widget to your website or application.

```json
{"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-challenges/","name":"Challenges"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-challenges/challenge-types/","name":"Available Challenges"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-challenges/challenge-types/turnstile/","name":"Turnstile"}}]}
```

---

---
title: Clearance
description: A cf_clearance cookie proves to Cloudflare that the visitor is a verified human and has passed the challenge presented to them.
image: https://developers.cloudflare.com/core-services-preview.png
---

[Skip to content](#%5Ftop) 

Was this helpful?

YesNo

[ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-challenges/concepts/clearance.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) 

Copy page

# Clearance

## `cf_clearance` cookies

A `cf_clearance` cookie proves to Cloudflare that the visitor is a verified human and has passed the challenge presented to them.

The `cf_clearance` cookie is securely tied to the specific visitor and device it was issued to. This binding is a security feature designed to prevent the cookie from being easily transferred and re-used on other machines.

As an additional layer of security, Cloudflare recommends that customers [add a rate limiting rule](https://developers.cloudflare.com/waf/rate-limiting-rules/) based on the `cf_clearance` cookie value. This ensures that a single, valid cookie cannot be abused by a single machine to send an excessive volume of requests.

Each challenge type sets a clearance level. A higher-level cookie bypasses all challenge types at or below that level. A lower-level cookie only bypasses challenges at the same level.

| Clearance level       | Bypasses                                             |
| --------------------- | ---------------------------------------------------- |
| Interactive (high)    | Interactive, Managed, and Non-Interactive Challenges |
| Managed (medium)      | Managed and Non-Interactive Challenges               |
| Non-Interactive (low) | Non-Interactive Challenges only                      |

If a visitor passes an Interactive Challenge (highest security level), then the `cf_clearance` cookie indicates this to the origin and allows the visitor to bypass any other Challenge on the website, whether it is a Non-Interactive Challenge, a Managed Challenge, or another Interactive Challenge for as long as the cookie is valid.

If a visitor receives a `cf_clearance` cookie on a page that uses a WAF rule with Managed or Non-Interactive Challenge (lower security levels), then encountering a different page with a higher security clearance level Challenge will prompt them to solve the challenge again.

The original `cf_clearance` cookie that was issued to the visitor from a lower security clearance level challenge will be replaced with the new `cf_clearance` cookie from a higher security clearance level challenge.

## Pre-clearance support in Turnstile

Pre-clearance in [Turnstile](https://developers.cloudflare.com/turnstile/) allows websites to streamline user experiences by using `cf_clearance` cookies. The `cf_clearance` cookie enables visitors to bypass WAF Challenges downstream, based on the security clearance level set by the customer. This can be particularly useful for trusted visitors, enhancing usability while maintaining security.

By default, Turnstile issues a one-time use token to the visitor when they solve a challenge via the widget. You must [validate the token](https://developers.cloudflare.com/turnstile/get-started/server-side-validation/) by making a server-side call to the Siteverify API.

Warning

It is critical to enforce Turnstile tokens with the Siteverify API. The Turnstile token could be invalid, expired, or already redeemed. Not verifying the token will leave major vulnerabilities in your implementation.

You **must** call Siteverify to complete your Turnstile configuration. Otherwise, it is incomplete and will result in zeroes for token validation when viewing your metrics in [Turnstile Analytics](https://developers.cloudflare.com/turnstile/turnstile-analytics/).

Note

The clearance token cannot be used again.

| Challenge type   | Issued clearance                                         |
| ---------------- | -------------------------------------------------------- |
| Challenge Page   | cf\_clearance cookie (default)                           |
| Turnstile widget | Token (default) cf\_clearance cookie (optional addition) |

When you enable pre-clearance support on Turnstile, a `cf_clearance` cookie is issued to the visitor in addition to the default Turnstile token.

You can integrate Cloudflare Challenges by allowing Turnstile to issue a `cf_clearance` cookie as pre-clearance to your visitor. The pre-clearance level is set upon widget creation or widget modification using the Turnstile API's clearance\_level. Possible values for the configuration are:

* `interactive`
* `managed`
* `jschallenge`
* `no_clearance`

All widgets have pre-clearance mode set to `false` and the security clearance is set to `no_clearance` by default.

For Enterprise customers eligible to enable widgets without any pre-configured hostnames, Cloudflare recommends issuing pre-clearance cookies on widgets where at least one hostname is specified and is the same as the zone that you want to integrate with Turnstile.

Refer to the [blog post ↗](https://blog.cloudflare.com/integrating-turnstile-with-the-cloudflare-waf-to-challenge-fetch-requests) for more details on how pre-clearance works with WAF.

### Pre-clearance level options

**Interactive** (High) `interactive`

Allows a user with a clearance cookie to not be challenged by Non-Interactive Challenge, Managed Challenge, or Interactive Challenge Firewall Rules.

**Managed** (Medium) `managed`

Allows a user with a clearance cookie to not be challenged by Non-Interactive Challenge or Managed Challenge Firewall Rules.

**Non-interactive** (Low) `jschallenge`

Allows a user with a clearance cookie to not be challenged by Non-Interactive Challenge Firewall Rules.

### Clearance cookie duration

Clearance cookies generated by the Turnstile widget will be valid for the time specified by the zone-level Challenge Passage value. To configure the Challenge Passage setting, refer to [Challenge Passage](https://developers.cloudflare.com/cloudflare-challenges/challenge-types/challenge-pages/challenge-passage/).

### Setup

To enable pre-clearance, you must ensure that the hostname of the Turnstile widget matches the zone with the WAF rules. During the Turnstile configuration setup in the Cloudflare dashboard, you have access to a list of registered zones. Select the appropriate hostname from this list.

The prerequisite is crucial for pre-clearance to function properly. If set up correctly, visitors who successfully solve Turnstile will receive a cookie with the security clearance level set by the customer. When encountering a WAF challenge on the same zone, they will bypass additional challenges for the configured clearance level and below.

For more details on managing hostnames, refer to the [Hostname Management documentation](https://developers.cloudflare.com/turnstile/additional-configuration/hostname-management/).

Note

[JavaScript detections](https://developers.cloudflare.com/bots/additional-configurations/javascript-detections/) are stored in the `cf_clearance` cookie.

The `cf_clearance` cookie cannot exceed the maximum size of 4096 bytes.

#### Enable pre-clearance on a new site

1. In the Cloudflare dashboard, go to the **Turnstile** page.  
[ Go to **Turnstile** ](https://dash.cloudflare.com/?to=/:account/turnstile)
2. Select **Add widget**.
3. Under **Would you like to opt for pre-clearance for this site?** select **Yes**.
4. Choose the pre-clearance level from the select box.
5. Select **Create**.

#### Enable pre-clearance on an existing site

1. In the Cloudflare dashboard, go to the **Turnstile** page.  
[ Go to **Turnstile** ](https://dash.cloudflare.com/?to=/:account/turnstile)
2. Go to the existing widget or site and select **Settings**.
3. Under **Would you like to opt for pre-clearance for this site?** select **Yes**.
4. Choose the pre-clearance level from the select box.
5. Select **Update**.

```json
{"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-challenges/","name":"Challenges"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-challenges/concepts/","name":"Concepts"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-challenges/concepts/clearance/","name":"Clearance"}}]}
```

---

---
title: How Challenges work
description: Challenges can be issued in three primary ways depending on which Cloudflare products or features are in use. Each method is designed to balance security with seamless visitor experience.
image: https://developers.cloudflare.com/core-services-preview.png
---

[Skip to content](#%5Ftop) 

Was this helpful?

YesNo

[ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-challenges/concepts/how-challenges-work.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) 

Copy page

# How Challenges work

Challenges can be issued in three primary ways depending on which Cloudflare products or features are in use. Each method is designed to balance security with seamless visitor experience.

| Product                                                                                                                                                                                                                                                                                 | Challenge type(s)                                                                                                               |
| --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------- |
| [WAF](https://developers.cloudflare.com/waf/) ([custom rules](https://developers.cloudflare.com/waf/custom-rules/), [rate limiting rules](https://developers.cloudflare.com/waf/rate-limiting-rules/), [IP access rules](https://developers.cloudflare.com/waf/tools/ip-access-rules/)) | [Interstitial Challenge Page](https://developers.cloudflare.com/cloudflare-challenges/challenge-types/challenge-pages/)         |
| [Bot Management](https://developers.cloudflare.com/bots/get-started/bot-management/)                                                                                                                                                                                                    | [JavaScript Detections](https://developers.cloudflare.com/bots/additional-configurations/javascript-detections/)                |
| [Bot Fight Mode](https://developers.cloudflare.com/bots/get-started/bot-fight-mode/), [Super Bot Fight Mode](https://developers.cloudflare.com/bots/get-started/super-bot-fight-mode/)                                                                                                  | [Interstitial Challenge Page](https://developers.cloudflare.com/cloudflare-challenges/challenge-types/challenge-pages/)         |
| [Turnstile](https://developers.cloudflare.com/turnstile/)                                                                                                                                                                                                                               | Embedded widget                                                                                                                 |
| [HTTP DDoS attack protection](https://developers.cloudflare.com/ddos-protection/managed-rulesets/http/)                                                                                                                                                                                 | Any Challenge                                                                                                                   |
| [Under Attack Mode](https://developers.cloudflare.com/fundamentals/reference/under-attack-mode/)                                                                                                                                                                                        | [Managed Challenge](https://developers.cloudflare.com/cloudflare-challenges/challenge-types/challenge-pages/#managed-challenge) |

Challenge Pages and Turnstile rely on the same underlying mechanism to issue challenges to your website or application's visitors.

JavaScript Detections is an optional feature within [Bot Management](https://developers.cloudflare.com/bots/get-started/bot-management/). When enabled, Cloudflare injects a JavaScript snippet into HTML responses to gather client-side signals. Unlike Challenge Pages, JavaScript Detections runs on every HTML request without pausing or interrupting the visitor. It populates a pass/fail result (`cf.bot_management.js_detection.passed`) that you can then act on using a [WAF custom rule](https://developers.cloudflare.com/waf/custom-rules/).

---

## Available challenges

Refer to the following pages for more information on the different challenge types:

* [Interstitial Challenge Pages](https://developers.cloudflare.com/cloudflare-challenges/challenge-types/challenge-pages/)
* [Turnstile](https://developers.cloudflare.com/cloudflare-challenges/challenge-types/turnstile/)
* [JavaScript Detections](https://developers.cloudflare.com/cloudflare-challenges/challenge-types/javascript-detections/)

---

## Limitations

Cloudflare Challenges cannot support the following:

* [Browser extensions](https://developers.cloudflare.com/cloudflare-challenges/reference/supported-browsers/#browser-extensions) that modify the browser's `User-Agent` value or Web APIs such as `Canvas` and `WebGL`.
* Implementations where a domain serves a challenge page originally requested for another domain.
* Challenge Pages cannot be embedded in cross-origin iframes.
* Client software where the solve request of a Managed Challenge comes from a different IP than the original IP a Challenge request was issued to. For example, if you receive the Challenge from one IP and solve it using another IP, the solve is not valid and you may encounter a Challenge loop.

```json
{"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-challenges/","name":"Challenges"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-challenges/concepts/","name":"Concepts"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-challenges/concepts/how-challenges-work/","name":"How Challenges work"}}]}
```

---

---
title: Challenge solve rate (CSR)
description: The Challenge solve rate (CSR) is the percentage of issued challenges — Non-Interactive Challenge, Managed Challenge, or Interactive Challenge actions — that were solved.
image: https://developers.cloudflare.com/core-services-preview.png
---

[Skip to content](#%5Ftop) 

Was this helpful?

YesNo

[ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-challenges/reference/challenge-solve-rate.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) 

Copy page

# Challenge solve rate (CSR)

The Challenge solve rate (CSR) is the percentage of issued challenges — Non-Interactive Challenge, Managed Challenge, or Interactive Challenge actions — that were solved.

Every challenge involves two separate events:

* **Challenge trigger**: The original request matches a WAF rule with a challenge action. Cloudflare issues a challenge to the visitor's browser.
* **Challenge solved**: The visitor's browser completes the challenge and sends back a validated response. This event is logged as challenge Solved.

Most automated traffic abandons immediately upon encountering the challenge script and never reaches the second event. This is why the count of unsolved challenges is typically very large — those abandonments count as failures in the formula.

```

CSR = number of challenges solved / number of challenges issued


```

CSR indicates the false positive percentage of a rule. A high CSR means a large share of issued challenges were solved by real visitors, which may indicate the rule is matching too much legitimate traffic. Use CSR to evaluate whether your rule's criteria or action needs adjustment.

You can find the CSR of a rule by going to its corresponding dashboard page:

* [  New dashboard ](#tab-panel-3356)
* [ Old dashboard ](#tab-panel-3357)

For [custom rules](https://developers.cloudflare.com/waf/custom-rules/) or [rate limiting rules](https://developers.cloudflare.com/waf/rate-limiting-rules/), go to your zone > **Security** \> **Security rules**.

* For [custom rules](https://developers.cloudflare.com/waf/custom-rules/), go to your zone > **Security** \> **WAF** \> **Custom rules**.
* For [rate limiting rules](https://developers.cloudflare.com/waf/rate-limiting-rules/), go to your zone > **Security** \> **WAF** \> **Rate limiting rules**.

---

## Challenge actions in Security Events

If you find a Challenge Solved action, such as `[js]challengeSolved` or `challengeSolved`, in your Security Events that does not match the underlying rule criteria, it is because this action refers to the successful mitigation of a previous request — not a re-match of the original rule.

The parameters of the solved request may no longer match the original rule's expression. For example, if a challenge was issued due to a low bot score, the score for the solved request may have already changed to a non-suspicious value upon successful verification.

The Challenge Solved action is an informative signal that a previously issued challenge was answered, allowing the visitor's traffic to proceed.

---

## Failed Challenges

You will not find a dedicated metric for failed challenges in Security Analytics because Cloudflare calculates failure indirectly, based on the difference between challenges issued and challenges solved.

The system views any issued challenge that does not result in a successful clearance cookie as a failure. This is why the number of failed challenges may appear exceptionally high: the majority of issued challenges are never completed.

The official calculation for failures is:

```

Failed Challenges = Total Challenges Issued − Total Challenges Solved


```

The large number of unmatched challenges is primarily due to automated traffic (bots or scrapers) that abandon the process immediately upon encountering the initial challenge script.

Key reasons a challenge may be issued but never solved:

* The visitor gives up on the challenge or navigates away from the page.
* The visitor attempts to solve the challenge but cannot provide a valid answer.
* The system receives an invalid or malformed answer from the client.
* The script environment (often a bot's controlled browser) fails to run the necessary client-side checks.

```json
{"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-challenges/","name":"Challenges"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-challenges/reference/","name":"Reference"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-challenges/reference/challenge-solve-rate/","name":"Challenge solve rate (CSR)"}}]}
```

---

---
title: Private Access Tokens (PAT)
description: When a visitor is presented with a Challenge Page, Cloudflare evaluates various signals - including the presence of a Private Access Token (PAT) - to decide which challenges to issue. If a visitor presents a valid token, certain challenges are not issued, which reduces the number of steps required to pass.
image: https://developers.cloudflare.com/core-services-preview.png
---

[Skip to content](#%5Ftop) 

Was this helpful?

YesNo

[ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-challenges/reference/private-access-tokens.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) 

Copy page

# Private Access Tokens (PAT)

When a visitor is presented with a Challenge Page, Cloudflare evaluates various signals - including the presence of a Private Access Token (PAT) - to decide which challenges to issue. If a visitor presents a valid token, certain challenges are not issued, which reduces the number of steps required to pass.

A PAT does not automatically solve a challenge or let a visitor bypass the Challenge Page. The visitor still encounters the Challenge Page regardless of whether they have a valid PAT.

While some challenges require interactivity, most challenges served are invisible to the visitor.

```json
{"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-challenges/","name":"Challenges"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-challenges/reference/","name":"Reference"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-challenges/reference/private-access-tokens/","name":"Private Access Tokens (PAT)"}}]}
```

---

---
title: Supported browsers
description: Cloudflare can challenge your visitors in various ways. They can be challenged by Challenge Pages, Turnstile, or by JavaScript Detections (JSD) in Bot Management. This document lays out the supported browsers across all of these challenge methods. When your website or application presents a challenge, your visitors receive either a Non-interactive or an Interactive Challenge.
image: https://developers.cloudflare.com/core-services-preview.png
---

[Skip to content](#%5Ftop) 

Was this helpful?

YesNo

[ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-challenges/reference/supported-browsers.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) 

Copy page

# Supported browsers

Cloudflare can challenge your visitors in various ways. They can be challenged by [Challenge Pages](https://developers.cloudflare.com/cloudflare-challenges/challenge-types/challenge-pages/), [Turnstile](https://developers.cloudflare.com/turnstile/), or by [JavaScript Detections (JSD) in Bot Management](https://developers.cloudflare.com/cloudflare-challenges/challenge-types/javascript-detections/). This document lays out the supported browsers across all of these challenge methods. When your website or application presents a challenge, your visitors receive either a Non-interactive or an Interactive Challenge.

Cloudflare is committed to ensuring our challenges work with as many browsers as possible, but there are limitations that you should be aware of.

## Overview

Cloudflare Challenges are designed to be compatible with any desktop and mobile browser. If your visitors are using an up-to-date version of a browser listed below, they will receive and be able to solve challenges without any issues. The following is a non-exclusive list of browsers supported by Cloudflare Challenges. Browsers not listed on this list are supported on a best-effort basis.

### Supported browsers

The following browsers are officially supported and tested.

Google Chrome (desktop and mobile)

* Current version and two previous major versions
* Chromium-based browsers and Chromium-based browsers that track the current Chrome stable version

Warning

Beta, Dev, Canary, Nightly, or other unreleased builds are not officially supported.

Mozilla Firefox

* Current version and two previous major versions
* Extended Support Release (ESR) versions are supported

Safari

* Current version and two previous major versions
* iOS Safari on current iOS version and two previous major versions

Microsoft Edge

* Current version and two previous major versions

Samsung Internet Browser

* Current version and two previous major versions

### Limited browser support

The following browsers and environments have limited support and may experience occasional issues.

* Internet Explorer is no longer supported.
* Browsers or operating systems that are more than five years old or have not received security updates in over two years.
* Custom or heavily modified browser engines, webviews, or embedded browsers.

Note

If your visitors encounter issues using these browsers, we recommend upgrading to a more current browser for the best experience.

### Unsupported browsers

The following environments are not supported.

* Command-line tools such as `wget`, `curl`, or others that lack JavaScript execution capabilities required for Cloudflare Challenges.
* Headless browsers like headless Chrome, headless Firefox, PhantomJS, or others. Challenges are specifically designed to identify and block headless browser traffic. Automation tools and scripts that use headless browsers are not supported.
* Browser automation frameworks such as Selenium, Puppeteer, Playwright, or others that are considered automated traffic will be blocked by challenges.

## Common issues

### Browser extensions

Browser extensions can interfere with challenges in several ways.

* Ad blockers and content blockers may prevent challenge scripts from loading properly or block communication with Cloudflare's validation servers.
* Privacy-focused extensions like script blockers, fingerprinting protection, or canvas blockers can interfere with the challenge verification process.
* VPN or proxy extensions might trigger additional security checks or cause IP address inconsistencies.
* Browser automation tools are often detected as potential bots and may cause challenge failures.

Note

If challenges consistently fail, try temporarily disabling extensions and reload the page.

### Device emulation and developer tools

Challenges are designed to distinguish between real human users and automated traffic. When device emulation is enabled (such as through browser developer tools), it can trigger bot detection mechanisms.

* Mobile device emulation in desktop browsers often uses distinctive characteristics that differ from real mobile devices.
* Developer tools may modify browser behavior or expose debugging information that changes how challenges operate.
* Automation frameworks like Selenium, Puppeteer, or Playwright are specifically detected as non-human traffic.

Note

For developers testing applications, we recommend using real devices rather than emulated environments when possible.

If you must use emulation, be aware that challenges may be more difficult to pass, and do not reflect the real experience on mobile devices.

### WebViews and in-app browsers

Challenges may behave differently depending on embedded browser contexts.

* WebViews in mobile applications may have limited functionality compared to full browsers
* In-app browsers often have restricted JavaScript capabilities
* Email client preview windows typically cannot complete Interactive Challenges

## Troubleshooting

If your visitors consistently experience challenge issues, refer to [Challenge solve issues](https://developers.cloudflare.com/cloudflare-challenges/troubleshooting/challenge-solve-issues/) for additional troubleshooting information.

```json
{"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-challenges/","name":"Challenges"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-challenges/reference/","name":"Reference"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-challenges/reference/supported-browsers/","name":"Supported browsers"}}]}
```

---

---
title: Supported languages
description: Cloudflare Challenges can detect multiple languages and display the localized challenge experience, which is determined by navigator.language value. The Navigator.language read-only property returns a string representing the preferred language of the user, usually the language of the browser user interface.
image: https://developers.cloudflare.com/core-services-preview.png
---

[Skip to content](#%5Ftop) 

Was this helpful?

YesNo

[ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-challenges/reference/supported-languages.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) 

Copy page

# Supported languages

## Multi-language support

Cloudflare Challenges can detect multiple languages and display the localized challenge experience, which is determined by `navigator.language` value. The [Navigator.language read-only property ↗](https://developer.mozilla.org/en-US/docs/Web/API/Navigator/language) returns a string representing the preferred language of the user, usually the language of the browser user interface.

For language support specific to Challenge Pages, refer to the table below.

| Language                      | Language code(4 letters) | Language code(2 letters) |
| ----------------------------- | ------------------------ | ------------------------ |
| Arabic (Egypt)                | ar-eg                    | ar                       |
| Chinese (Simplified, China)   | zh-cn                    | zh                       |
| Chinese (Traditional, Taiwan) | zh-tw                    | \--                      |
| Dutch (Netherlands)           | nl-nl                    | nl                       |
| English (United States)       | en-us                    | en                       |
| French (France)               | fr-fr                    | fr                       |
| German (Germany)              | de-de                    | de                       |
| Indonesian (Indonesia)        | id-id                    | id                       |
| Italian (Italy)               | it-it                    | it                       |
| Japanese (Japan)              | ja-jp                    | ja                       |
| Korean (Korea)                | ko-kr                    | ko                       |
| Persian                       | \--                      | fa                       |
| Polish (Poland)               | pl-pl                    | pl                       |
| Portuguese (Brazil)           | pt-br                    | pt                       |
| Russian (Russia)              | ru-ru                    | ru                       |
| Spanish (Spain)               | es-es                    | es                       |
| Turkish (Turkey)              | tr-tr                    | tr                       |

### Turnstile language support

For language support specific to Turnstile, refer to the [Turnstile documentation](https://developers.cloudflare.com/turnstile/reference/supported-languages/).

```json
{"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-challenges/","name":"Challenges"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-challenges/reference/","name":"Reference"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-challenges/reference/supported-languages/","name":"Supported languages"}}]}
```