|
| 1 | +--- |
| 2 | +pcx_content_type: concept |
| 3 | +title: Challenge pages |
| 4 | +sidebar: |
| 5 | + order: 1 |
| 6 | +--- |
| 7 | + |
| 8 | +The types of available challenge pages function similarly. The main difference between the challenges are when and if an interaction is presented to the visitor. |
| 9 | + |
| 10 | +Managed challenges will rarely present the visitor with an interactive challenge, except in cases where Cloudflare cannot verify the legitimacy of the visitor. |
| 11 | + |
| 12 | +JavaScript challenges never present the visitor with an interactive challenge. |
| 13 | + |
| 14 | +Interactive challenges present the visitor with a simple and solvable challenge, such as selecting a checkbox, to verify their legitimacy. |
| 15 | + |
| 16 | +Refer to the information below for more details on available challenges. |
| 17 | + |
| 18 | +## Available challenges |
| 19 | + |
| 20 | +### Managed challenge (recommended) |
| 21 | + |
| 22 | +Managed challenges are where Cloudflare dynamically chooses the appropriate type of challenge based on the characteristics of a request. This helps avoid [CAPTCHAs](https://www.cloudflare.com/learning/bots/how-captchas-work/), which also reduces the lifetimes of human time spent solving CAPTCHAs across the Internet. |
| 23 | + |
| 24 | +Unless there are specific compatibility issues or other reasons to use other types of challenges, you should use managed challenges for your various custom rules. |
| 25 | + |
| 26 | +:::caution |
| 27 | +Using Cloudflare challenges along with Rules features may cause challenge loops. Refer to [Rules troubleshooting](/rules/reference/troubleshooting/) for more information. |
| 28 | +::: |
| 29 | + |
| 30 | +### JavaScript challenge |
| 31 | + |
| 32 | +With a JavaScript (JS) challenge, Cloudflare presents a challenge page that requires no interaction from a visitor except the JavaScript processed by their browser. |
| 33 | + |
| 34 | +The visitor must wait until their browser finishes processing the JavaScript, which should be less than five seconds. |
| 35 | + |
| 36 | +### Interactive challenge |
| 37 | + |
| 38 | +Interactive challenges require a visitor to interact with the interstitial challenge page, presenting the visitor with an interactive challenge to solve. Cloudflare does not recommend using Interactive Challenges. |
| 39 | +For more on why Cloudflare does not recommend using Interactive Challenge, in favor of Managed Challenge, refer to our [blog post](https://blog.cloudflare.com/end-cloudflare-captcha/). |
| 40 | + |
| 41 | +--- |
| 42 | + |
| 43 | +## Detect a challenge page response |
| 44 | + |
| 45 | +When a request encounters a Cloudflare challenge page instead of the originally anticipated response, the challenge page response (regardless of the challenge page type) will have the `cf-mitigated` header present and set to `challenge`. This header can be leveraged to detect if a response was challenged when making fetch/XHR requests. This header provides a reliable way to identify whether a response is a challenge or not, enabling a web application to take appropriate action based on the result. For example, a front-end application encountering a response from the backend may check the presence of this header value to handle cases where challenge pages encountered unexpectedly. |
| 46 | + |
| 47 | +:::note |
| 48 | +Regardless of the requested resource-type, the content-type of a challenge will be `text/html`. |
| 49 | +::: |
| 50 | + |
| 51 | +For the `cf-mitigated` header, `challenge` is the only valid value. The header is set for all challenge page types. |
| 52 | + |
| 53 | +To illustrate, here is a JavaScript code snippet that demonstrates how to use the `cf-mitigated` header to detect whether a response was challenged: |
| 54 | + |
| 55 | +```js |
| 56 | +fetch("/my-api-endpoint").then((response) => { |
| 57 | + if (response.headers.get("cf-mitigated") === "challenge") { |
| 58 | + // Handle challenged response |
| 59 | + } else { |
| 60 | + // Process response as usual |
| 61 | + } |
| 62 | +}); |
| 63 | +``` |
| 64 | + |
| 65 | +For additional help, refer to [our FAQ](/fundamentals/security/cloudflare-challenges/troubleshooting/frequently-asked-questions/). |
| 66 | + |
| 67 | +--- |
| 68 | + |
| 69 | +## Resolve a challenge |
| 70 | + |
| 71 | +If a visitor encounters a challenge, Cloudflare employees cannot remove that challenge. Only the website owner can configure their Cloudflare settings to stop the challenge being presented. |
| 72 | + |
| 73 | +When observing a Cloudflare Challenge page, a visitor could: |
| 74 | + |
| 75 | +- Successfully pass the challenge to visit the website. |
| 76 | +- Request the website owner to allow their IP address. |
| 77 | +- Scan their computer for malicious programs (it may be infected). |
| 78 | +- Check their antivirus or firewall service to make sure it is not blocking access to the challenge resources (for example, images). |
| 79 | + |
| 80 | +:::note |
| 81 | +Visitors must enable JavaScript and cookies on their browser to be able to pass any type of challenge. |
| 82 | +::: |
| 83 | + |
| 84 | +--- |
| 85 | + |
| 86 | +## Challenge Passage |
| 87 | + |
| 88 | +When a visitor solves a [Cloudflare challenge](/fundamentals/security/cloudflare-challenges/) - as part of a [WAF custom rule](/waf/custom-rules/) or [IP Access rule](/waf/tools/ip-access-rules/) - you can set the **Challenge Passage** to prevent them from having to solve future challenges for a specified period of time. |
| 89 | + |
| 90 | +### How it works |
| 91 | + |
| 92 | +When a visitor successfully solves a challenge, Cloudflare sets a [`cf_clearance` cookie](/fundamentals/reference/policies-compliances/cloudflare-cookies/#additional-cookies-used-by-the-challenge-platform) in their browser. This cookie specifies the duration your website is accessible to that visitor. |
| 93 | + |
| 94 | +When that visitor tries to access other parts of your website, Cloudflare evaluates the cookie before presenting another challenge. If the cookie is still valid, no challenges will be shown. |
| 95 | + |
| 96 | +When Cloudflare evaluates a `cf_clearance` cookie, a few extra minutes are included to account for clock skew. For XmlHTTP requests, an extra hour is added to the validation time to prevent breaking XmlHTTP requests for pages that set short lifetimes. |
| 97 | + |
| 98 | +### Customize the Challenge Passage |
| 99 | + |
| 100 | +By default, the `cf_clearance` cookie has a lifetime of 30 minutes. Cloudflare recommends a setting between 15 and 45 minutes. |
| 101 | + |
| 102 | +To update the Challenge Passage (and the value of the `cf_clearance` cookie): |
| 103 | + |
| 104 | +1. Log into the [Cloudflare dashboard](https://dash.cloudflare.com). |
| 105 | +2. Select your account and domain. |
| 106 | +3. Go to **Security** > **Settings**. |
| 107 | +4. For **Challenge Passage**, select a duration. |
| 108 | + |
| 109 | +### Limitations |
| 110 | + |
| 111 | +The Challenge Passage does not apply to challenges issued by WAF managed rules. Also, Challenge Passage does not apply to rate limiting rules unless the rate limit is configured to issue a challenge. |
| 112 | + |
| 113 | +--- |
| 114 | + |
| 115 | +## Additional configuration |
| 116 | + |
| 117 | +### Multi-language support |
| 118 | + |
| 119 | +Refer to [supported languages](/fundamentals/security/cloudflare-challenges/reference/supported-languages/) for more information. |
| 120 | + |
| 121 | +### Favicon customization |
| 122 | + |
| 123 | +Cloudflare challenges take the favicon of your website using `GET /favicon.ico` and displays it on the challenge page. |
| 124 | + |
| 125 | +You can customize your favicon by using the HTML snippet below. |
| 126 | + |
| 127 | +```html title="HTML element" |
| 128 | +<link rel="shortcut icon" href="<FAVICON_LINK>" /> |
| 129 | +``` |
0 commit comments