You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: src/content/docs/cloudflare-challenges/concepts/clearance.mdx
+64-1Lines changed: 64 additions & 1 deletion
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -4,5 +4,68 @@ title: Clearance
4
4
sidebar:
5
5
order: 2
6
6
---
7
+
import { Render } from"~/components";
7
8
8
-
Clearance tokens and clearance cookies
9
+
## `cf-clearance` cookies
10
+
11
+
A `cf-clearance` cookie proves to Cloudflare that the visitor is a verified human and has passed the challenge presented to them.
12
+
13
+
If a visitor passes an interactive challenge (highest security level), then the `cf-clearance` cookie indicates this to the origin and allows the visitor to bypass any other challenge on the website, whether it is another interactive challenge, a managed challenge, or a non-interactive JavaScript challenge for as long as the cookie is valid.
14
+
15
+
If a visitor receives a `cf-clearance` cookie on a page that uses a WAF rule with managed or JavaScript challenge (lower security levels), then encountering a different page with a higher security clearance level challenge will prompt them to solve the challenge again.
16
+
17
+
The original `cf-clearance` cookie that was issued to the visitor from a lower security clearance level challenge will be replaced with the new `cf-clearance` cookie from a higher security clearance level challenge.
18
+
19
+
## Pre-clearance support in Turnstile
20
+
21
+
Pre-clearance in [Turnstile](/turnstile/) allows websites to streamline user experiences by using `cf-clearance` cookies. The `cf-clearance` cookie enables visitors to bypass WAF challenges downstream, based on the security clearance level set by the customer. This can be particularly useful for trusted visitors, enhancing usability while maintaining security.
22
+
23
+
By default, Turnstile issues a one-time use token to the visitor when they solve a challenge via the widget. The token goes to your website's backend that needs to be validated by Siteverify API.
When you enable pre-clearance support on Turnstile, a `cf-clearance` cookie is issued to the visitor in addition to the default Turnstile token.
37
+
38
+
You can integrate Cloudflare Challenges by allowing Turnstile to issue a `cf-clearance` cookie as pre-clearance to your visitor. The pre-clearance level is set upon widget creation or widget modification using the Turnstile API's clearance_level. Possible values for the configuration are:
39
+
40
+
-`interactive`
41
+
-`managed`
42
+
-`jschallenge`
43
+
-`no_clearance`
44
+
45
+
All widgets have pre-clearance mode set to `false` and the security clearance is set to `no_clearance` by default.
46
+
47
+
For Enterprise customers eligible to enable widgets without any pre-configured hostnames, Cloudflare recommends issuing pre-clearance cookies on widgets where at least one hostname is specified and is the same as the zone that you want to integrate with Turnstile.
48
+
49
+
Refer to the [blog post](https://blog.cloudflare.com/integrating-turnstile-with-the-cloudflare-waf-to-challenge-fetch-requests) for more details on how pre-clearance works with WAF.
50
+
51
+
### Pre-clearance level options
52
+
53
+
**Interactive** (High) `interactive`
54
+
55
+
Allows a user with a clearance cookie to not be challenged by Interactive, Managed Challenge, or JavaScript Challenge Firewall Rules.
56
+
57
+
**Managed** (Medium) `managed`
58
+
59
+
Allows a user with a clearance cookie to not be challenged by Managed Challenge or JavaScript Challenge Firewall Rules.
60
+
61
+
**Non-interactive** (Low) `jschallenge`
62
+
63
+
Allows a user with a clearance cookie to not be challenged by JavaScript Challenge Firewall Rules.
64
+
65
+
### Clearance cookie duration
66
+
67
+
Clearance cookies generated by the Turnstile widget will be valid for the time specified by the zone-level Challenge Passage value. To configure the Challenge Passage setting, refer to the [Cloudflare Challenges documentation](/cloudflare-challenges/challenge-types/challenge-pages/challenge-passage/).
68
+
69
+
### Setup
70
+
71
+
To set up pre-clearance cookies for Turnstile, refer to [Enable pre-clearance cookies](/turnstile/get-started/pre-clearance/).
0 commit comments