diff --git a/public/__redirects b/public/__redirects index 9cd9d1ed45ef45b..78a0a221ddd74ba 100644 --- a/public/__redirects +++ b/public/__redirects @@ -490,7 +490,7 @@ /firewall/cf-rulesets/rulesets-api/view/ /ruleset-engine/rulesets-api/view/ 301 /support/page-rules/required-firewall-rule-changes-to-enable-url-normalization/ /firewall/troubleshooting/required-changes-to-enable-url-normalization/ 301 /firewall/known-issues-and-faq/ /waf/troubleshooting/faq/ 301 -/firewall/cf-firewall-rules/cloudflare-challenges/ /waf/reference/cloudflare-challenges/ 301 +/firewall/cf-firewall-rules/cloudflare-challenges/ /fundamentals/security/cloudflare-challenges/ 301 # fundamentals /fundamentals/account-and-billing/account-setup/ /fundamentals/subscriptions-and-billing/ 301 @@ -549,7 +549,7 @@ /fundamentals/customizations/building-custom-dashboards/index/ /fundamentals/api/building-custom-dashboards/ 301 /fundamentals/customizations/ /fundamentals/ 301 /fundamentals/security/cybersafe/ /fundamentals/reference/policies-compliances/cybersafe/ 301 -/fundamentals/security/challenge-passage/ /waf/tools/challenge-passage/ 301 +/fundamentals/security/challenge-passage/ /fundamentals/security/cloudflare-challenges/challenge-passage/ 301 /fundamentals/glossary/ /fundamentals/reference/glossary/ 301 /fundamentals/account-and-billing/login/ /fundamentals/setup/account/login/ 301 /fundamentals/account-and-billing/account-maintenance/delete-account/ /fundamentals/subscriptions-and-billing/delete-account/ 301 
@@ -597,7 +597,7 @@ /fundamentals/get-started/setup/minimize-downtime/ /fundamentals/performance/minimize-downtime/ 301 /fundamentals/basic-tasks/maintenance-mode/ /fundamentals/performance/minimize-downtime/ 301 /fundamentals/get-started/concepts/what-is-cloudflare/ https://www.cloudflare.com/learning/what-is-cloudflare/ 301 -/fundamentals/get-started/concepts/cloudflare-challenges/ /waf/reference/cloudflare-challenges/ 301 +/fundamentals/get-started/concepts/cloudflare-challenges/ /fundamentals/security/cloudflare-challenges/ 301 /fundamentals/get-started/concepts/accounts-and-zones/ /fundamentals/setup/accounts-and-zones/ 301 /fundamentals/get-started/concepts/cloudflare-ip-addresses/ /fundamentals/concepts/cloudflare-ip-addresses/ 301 /fundamentals/get-started/concepts/network-layers/ /fundamentals/reference/network-layers/ 301 @@ -1404,6 +1404,8 @@ /waf/analytics/security-events/free-plan/ /waf/analytics/security-events/ 301 /waf/analytics/security-events/paid-plans/ /waf/analytics/security-events/ 301 /waf/analytics/security-events/additional-information/ /waf/tools/validation-checks/ 301 +/waf/reference/cloudflare-challenges/ /fundamentals/security/cloudflare-challenges/ 301 +/waf/tools/challenge-passage/ /fundamentals/security/cloudflare-challenges/challenge-passage/ 301 # waiting-room /waiting-room/how-to/mobile-traffic/ /waiting-room/how-to/json-response/ 301 diff --git a/src/content/docs/analytics/account-and-zone-analytics/status-codes.mdx b/src/content/docs/analytics/account-and-zone-analytics/status-codes.mdx index 896be4260d737b1..0e8ef1a47f9153d 100644 --- a/src/content/docs/analytics/account-and-zone-analytics/status-codes.mdx +++ b/src/content/docs/analytics/account-and-zone-analytics/status-codes.mdx 
@@ -32,7 +32,7 @@ Users may also see `100x` errors which are not reported. These will be displayed ## Common edge status codes - `400` - Bad Request intercepted at the Cloudflare Edge (for example, missing or bad HTTP header) -- `403` - Security functionality (for example, Web Application Firewall, Browser Integrity Check, [Cloudflare challenges](/waf/reference/cloudflare-challenges/), and most 1xxx error codes) +- `403` - Security functionality (for example, Web Application Firewall, Browser Integrity Check, [Cloudflare challenges](/fundamentals/security/cloudflare-challenges/), and most 1xxx error codes) - `409` - DNS errors typically in the form of 1000 or 1001 error code - `413` - File size upload exceeded the maximum size allowed (configured in the dashboard under **Network** > **Maximum Upload Size**.) - `444` - Used by Nginx to indicate that the server has returned no information to the client, and closed the connection. This error code is internal to Nginx and is **not** returned to the client. diff --git a/src/content/docs/analytics/account-and-zone-analytics/threat-types.mdx b/src/content/docs/analytics/account-and-zone-analytics/threat-types.mdx index 4c35819cd91f135..94c5857a1c6cb70 100644 --- a/src/content/docs/analytics/account-and-zone-analytics/threat-types.mdx +++ b/src/content/docs/analytics/account-and-zone-analytics/threat-types.mdx @@ -52,7 +52,7 @@ A /24 IP range that was blocked based on the [user configuration](/waf/tools/ip- ## New Challenge (user) -[Challenge](/waf/reference/cloudflare-challenges/) based on user configurations set for visitor’s IP in either WAF managed rules or custom rules, configured in **Security** > **WAF**. +[Challenge](/fundamentals/security/cloudflare-challenges/) based on user configurations set for visitor’s IP in either WAF managed rules or custom rules, configured in **Security** > **WAF**. ## Challenge error 
diff --git a/src/content/docs/analytics/account-and-zone-analytics/total-threats-stopped.mdx b/src/content/docs/analytics/account-and-zone-analytics/total-threats-stopped.mdx index aa12f1da2328d20..18da37650ad4de7 100644 --- a/src/content/docs/analytics/account-and-zone-analytics/total-threats-stopped.mdx +++ b/src/content/docs/analytics/account-and-zone-analytics/total-threats-stopped.mdx @@ -7,7 +7,7 @@ title: Total threats stopped Total Threats Stopped measures the number of “suspicious” and “bad” requests that were aimed at your site. Requests receive these labels by our IP Reputation Database as they enter Cloudflare’s network: - **Legitimate:** Request passed directly to your site. -- **Suspicious:** Request has been challenged with a [Cloudflare challenge](/waf/reference/cloudflare-challenges/). +- **Suspicious:** Request has been challenged with a [Cloudflare challenge](/fundamentals/security/cloudflare-challenges/). - **Bad:** Request has been blocked because our Browser Integrity Check, or because of user configured settings like WAF rules or IP range block. Cloudflare uses threat scores gathered from sources such as Project Honeypot, as well as our own communities' traffic to determine whether a visitor is legitimate or malicious. When a legitimate visitor passes a challenge, that helps offset the threat score against the previous negative behavior seen from that IP address. Our system learns who is a threat from this activity. diff --git a/src/content/docs/bots/concepts/detection-ids.mdx b/src/content/docs/bots/concepts/detection-ids.mdx index f855a38a21d2cc0..ca368638953f89d 100644 --- a/src/content/docs/bots/concepts/detection-ids.mdx +++ b/src/content/docs/bots/concepts/detection-ids.mdx 
@@ -87,7 +87,7 @@ and not any(cf.bot_management.detection_ids[*] in {3355446 12577893}) ### Challenges for account takeover detections -Cloudflare's [Managed Challenge](/waf/reference/cloudflare-challenges/) can limit brute-force attacks on your login endpoints. +Cloudflare's [Managed Challenge](/fundamentals/security/cloudflare-challenges/) can limit brute-force attacks on your login endpoints. To access account takeover detections: diff --git a/src/content/docs/bots/troubleshooting.mdx b/src/content/docs/bots/troubleshooting.mdx index 319f429523689d2..ce9d81f8d11b003 100644 --- a/src/content/docs/bots/troubleshooting.mdx +++ b/src/content/docs/bots/troubleshooting.mdx @@ -59,7 +59,7 @@ Cloudflare uses data from millions of requests and re-train the system on a peri When you choose to challenge different bot categories with Bot Fight Mode or Super Bot Fight Mode, you will see Security Events with an **Action Taken** of **Managed Challenge**. -You may also see Managed Challenge due to a triggered [WAF custom rule](/waf/reference/cloudflare-challenges/#managed-challenge-recommended). +You may also see Managed Challenge due to a triggered [WAF custom rule](/fundamentals/security/cloudflare-challenges/#managed-challenge-recommended). This does not mean that your traffic was blocked. It is the challenge sent to your user to determine whether they are likely human or likely bot. diff --git a/src/content/docs/ddos-protection/managed-rulesets/adaptive-protection.mdx b/src/content/docs/ddos-protection/managed-rulesets/adaptive-protection.mdx index b96b084831007b2..ee4e2f23e194c91 100644 --- a/src/content/docs/ddos-protection/managed-rulesets/adaptive-protection.mdx +++ b/src/content/docs/ddos-protection/managed-rulesets/adaptive-protection.mdx 
@@ -78,7 +78,7 @@ You may not see any traffic matching the adaptive rules. This can be because the If you do see traffic that was _Logged_ by the adaptive rules, use the dashboard to determine if the traffic matches the characteristics of legitimate users or that of attack traffic. As each Internet property is unique, understanding if the traffic is legitimate requires your understanding of how your legitimate traffic looks. For example, the user agent, source country, headers, query string for HTTP requests, and protocols and ports for L3/4 traffic. -- In cases where you are certain that the rule is only flagging attack traffic, you should consider creating an override and enabling that rule with a [Managed Challenge](/waf/reference/cloudflare-challenges/#managed-challenge-recommended) or `Block` action. +- In cases where you are certain that the rule is only flagging attack traffic, you should consider creating an override and enabling that rule with a [Managed Challenge](/fundamentals/security/cloudflare-challenges/#managed-challenge-recommended) or `Block` action. - In cases where you see legitimate traffic being flagged, you should lower the sensitivity level of the rule and observe the flagged traffic. You can continue reducing the sensitivity level until you reach a point where legitimate traffic is not flagged. Then, you should create an override to enable the rule with a mitigation action. - If the rule is still flagging legitimate traffic you can consider using the expression filters to condition the rules to exclude certain types of traffic. diff --git a/src/content/docs/ddos-protection/managed-rulesets/http/override-parameters.mdx b/src/content/docs/ddos-protection/managed-rulesets/http/override-parameters.mdx index 0f1ecbc717e50dc..f6c54ca5c662007 100644 --- a/src/content/docs/ddos-protection/managed-rulesets/http/override-parameters.mdx +++ b/src/content/docs/ddos-protection/managed-rulesets/http/override-parameters.mdx 
@@ -30,7 +30,7 @@ The action that will be performed for requests that match specific rules of Clou - **Managed Challenge** - API value: `"managed_challenge"`. - - [Managed Challenges](/waf/reference/cloudflare-challenges/#managed-challenge-recommended) help reduce the lifetimes of human time spent solving Captchas across the Internet. Depending on the characteristics of a request, Cloudflare will dynamically choose the appropriate type of challenge based on specific criteria. + - [Managed Challenges](/fundamentals/security/cloudflare-challenges/#managed-challenge-recommended) help reduce the lifetimes of human time spent solving Captchas across the Internet. Depending on the characteristics of a request, Cloudflare will dynamically choose the appropriate type of challenge based on specific criteria. - **Interactive Challenge** - API value: `"challenge"`. diff --git a/src/content/docs/fundamentals/reference/under-attack-mode.mdx b/src/content/docs/fundamentals/reference/under-attack-mode.mdx index acf75f2c931d579..db9005e86bfb5a2 100644 --- a/src/content/docs/fundamentals/reference/under-attack-mode.mdx +++ b/src/content/docs/fundamentals/reference/under-attack-mode.mdx 
@@ -58,7 +58,7 @@ To preview what Under Attack mode looks like for your visitors: 4. Go to **Custom Pages**. 5. For **Managed Challenge / I'm Under Attack Mode™**, select **Custom Pages** > **View default**. -The `Checking your browser before accessing...` challenge determines whether to block or allow a visitor within five seconds. After passing the challenge, the visitor does not observe another challenge until the duration configured in [Challenge Passage](/waf/tools/challenge-passage/). +The `Checking your browser before accessing...` challenge determines whether to block or allow a visitor within five seconds. After passing the challenge, the visitor does not observe another challenge until the duration configured in [Challenge Passage](/fundamentals/security/cloudflare-challenges/challenge-passage/). --- diff --git a/src/content/docs/waf/tools/challenge-passage.mdx b/src/content/docs/fundamentals/security/cloudflare-challenges/challenge-passage.mdx similarity index 82% rename from src/content/docs/waf/tools/challenge-passage.mdx rename to src/content/docs/fundamentals/security/cloudflare-challenges/challenge-passage.mdx index 142dd0cb67805f0..2dbc9a6d6bb5f7d 100644 --- a/src/content/docs/waf/tools/challenge-passage.mdx +++ b/src/content/docs/fundamentals/security/cloudflare-challenges/challenge-passage.mdx 
@@ -4,7 +4,7 @@ title: Challenge Passage --- -When a visitor solves a [Cloudflare challenge](/waf/reference/cloudflare-challenges/) - as part of a [WAF custom rule](/waf/custom-rules/) or [IP Access rule](/waf/tools/ip-access-rules/) - you can set the **Challenge Passage** to prevent them from having to solve future challenges for a specified period of time. +When a visitor solves a [Cloudflare challenge](/fundamentals/security/cloudflare-challenges/) - as part of a [WAF custom rule](/waf/custom-rules/) or [IP Access rule](/waf/tools/ip-access-rules/) - you can set the **Challenge Passage** to prevent them from having to solve future challenges for a specified period of time. ## How it works diff --git a/src/content/docs/waf/reference/cloudflare-challenges.mdx b/src/content/docs/fundamentals/security/cloudflare-challenges/index.mdx similarity index 97% rename from src/content/docs/waf/reference/cloudflare-challenges.mdx rename to src/content/docs/fundamentals/security/cloudflare-challenges/index.mdx index ce5704878af34c0..caec7a15eb80165 100644 --- a/src/content/docs/waf/reference/cloudflare-challenges.mdx +++ b/src/content/docs/fundamentals/security/cloudflare-challenges/index.mdx 
@@ -52,15 +52,15 @@ Currently, **Managed Challenge** actions are available in the following security - [Rate Limiting (previous version, deprecated)](/waf/reference/legacy/old-rate-limiting/) - [Turnstile](/turnstile/concepts/widget/#managed-recommended) -### JS challenge +### JavaScript (JS) challenge -With a JS challenge, Cloudflare presents challenge page that requires no interaction from a visitor, but rather JavaScript processing by their browser. +With a JavaScript (JS) challenge, Cloudflare presents challenge page that requires no interaction from a visitor, but rather JavaScript processing by their browser. The visitor will have to wait until their browser finishes processing the JavaScript, which should be less than five seconds. -### Interactive Challenge +### Interactive challenge -Interactive challenges require a visitor to interact with the challenge page, presenting the visitor with an interactive challenge to solve. Cloudflare does not recommend using Interactive Challenges. +Interactive challenges require a visitor to interact with the challenge page, presenting the visitor with an interactive challenge to solve. Cloudflare does not recommend using interactive challenges. For more on why Cloudflare does not recommend using Interactive Challenge, in favor of Managed Challenge, refer to our [blog](https://blog.cloudflare.com/end-cloudflare-captcha/). diff --git a/src/content/docs/fundamentals/trace-request/how-to.mdx b/src/content/docs/fundamentals/trace-request/how-to.mdx index 910fc778a79e004..146060f4a39e84a 100644 --- a/src/content/docs/fundamentals/trace-request/how-to.mdx +++ b/src/content/docs/fundamentals/trace-request/how-to.mdx 
@@ -37,7 +37,7 @@ import { GlossaryTooltip } from "~/components"; - [**Bot score**](/bots/concepts/bot-score/) - **Threat score** - **Request body** (for `POST`, `PUT`, and `PATCH` requests) - - **Skip challenge** (skips a Cloudflare-issued [challenge](/waf/reference/cloudflare-challenges/), if any, allowing the trace to continue) + - **Skip challenge** (skips a Cloudflare-issued [challenge](/fundamentals/security/cloudflare-challenges/), if any, allowing the trace to continue) 5. Select **Send trace**. diff --git a/src/content/docs/learning-paths/application-security/rate-limiting/configurations.mdx b/src/content/docs/learning-paths/application-security/rate-limiting/configurations.mdx index 4946e53e65ebea5..a81a412fdaf3d6f 100644 --- a/src/content/docs/learning-paths/application-security/rate-limiting/configurations.mdx +++ b/src/content/docs/learning-paths/application-security/rate-limiting/configurations.mdx 
@@ -26,7 +26,7 @@ The rule below is being created on the `enterprise` plan, so we are no longer li * The rule will also limit the number of requests to `/create-account`, but will only trigger against `POST` requests. In the basic example, even requests with the `GET` method will increment the counter. * Requests that do not have a [client certificate (mTLS)](/ssl/client-certificates/), will increment the counter. * Requests will be counted using the [IP with NAT support](/waf/rate-limiting-rules/parameters/#use-cases-of-ip-with-nat-support) characteristic. -* Within a 1 minute period, for each counted entity, if the number of requests exceeds 10, then the user will be presented with a [`Managed Challenge`](/waf/reference/cloudflare-challenges/#managed-challenge-recommended) for a custom duration of 1 day. +* Within a 1 minute period, for each counted entity, if the number of requests exceeds 10, then the user will be presented with a [`Managed Challenge`](/fundamentals/security/cloudflare-challenges/#managed-challenge-recommended) for a custom duration of 1 day. ![rate-limiting-advanced-config-1](~/assets/images/waf/rate-limiting-rules/rl-advanced-config.png) diff --git a/src/content/docs/radar/investigate/application-layer-attacks.mdx b/src/content/docs/radar/investigate/application-layer-attacks.mdx index 7177d4d37cfdca0..937aa1bd58c1262 100644 --- a/src/content/docs/radar/investigate/application-layer-attacks.mdx +++ b/src/content/docs/radar/investigate/application-layer-attacks.mdx 
@@ -10,7 +10,7 @@ While in [HTTP requests](/radar/investigate/http-requests) you can examine all k :::note[Mitigated traffic] -Mitigated traffic is any HTTP request from an end-user that has a terminating action applied by the Cloudflare platform. These include actions like `BLOCK` or [challenges](/waf/reference/cloudflare-challenges/). +Mitigated traffic is any HTTP request from an end-user that has a terminating action applied by the Cloudflare platform. These include actions like `BLOCK` or [challenges](/fundamentals/security/cloudflare-challenges/). ::: Since we are examining attacks, we can inspect both sides of an attack — both the source location and the target location of the attack. For the source of the attack Cloudflare uses the location the attack is coming from associated with the IP (note that the human orchestrator of the attack may be in a different location than the computer the attack is originating from). For the target location of the attacks, Cloudflare uses the billing location associated with the zone under attack. diff --git a/src/content/docs/reference-architecture/architectures/security.mdx b/src/content/docs/reference-architecture/architectures/security.mdx index d2d00ece54b56d8..37baf2e36755cc2 100644 --- a/src/content/docs/reference-architecture/architectures/security.mdx +++ b/src/content/docs/reference-architecture/architectures/security.mdx 
@@ -408,7 +408,7 @@ Customers can enable a positive security model using mTLS, JWT validation, and s ![Bot management can filter good and bad bots.](~/assets/images/reference-architecture/security/security-ref-arch-12.svg) -Additionally, Cloudflare can take the action of challenging clients if it suspects undesired bot activity. Cloudflare offers its [Managed Challenge](/waf/reference/cloudflare-challenges/) platform where the appropriate type of challenge is dynamically chosen based on the characteristics of a request. This helps avoid CAPTCHAs, which result in a poor customer experience. +Additionally, Cloudflare can take the action of challenging clients if it suspects undesired bot activity. Cloudflare offers its [Managed Challenge](/fundamentals/security/cloudflare-challenges/) platform where the appropriate type of challenge is dynamically chosen based on the characteristics of a request. This helps avoid CAPTCHAs, which result in a poor customer experience. Depending on the characteristics of a request, Cloudflare will choose an appropriate type of challenge, which may include but is not limited to: diff --git a/src/content/docs/rules/custom-errors/parameters.mdx b/src/content/docs/rules/custom-errors/parameters.mdx index d3c22ec80537cee..849a549d701ce5c 100644 --- a/src/content/docs/rules/custom-errors/parameters.mdx +++ b/src/content/docs/rules/custom-errors/parameters.mdx @@ -36,7 +36,7 @@ Rule parameters are the following: :::caution -If you create an HTML error response, make sure the `referrer` meta tag is not present in the HTML code since it will disrupt [Cloudflare challenges](/waf/reference/cloudflare-challenges/): +If you create an HTML error response, make sure the `referrer` meta tag is not present in the HTML code since it will disrupt [Cloudflare challenges](/fundamentals/security/cloudflare-challenges/): ```html 
diff --git a/src/content/docs/rules/reference/troubleshooting.mdx b/src/content/docs/rules/reference/troubleshooting.mdx index b484dcca3b7af80..ce86dd8a4344fb0 100644 --- a/src/content/docs/rules/reference/troubleshooting.mdx +++ b/src/content/docs/rules/reference/troubleshooting.mdx @@ -13,7 +13,7 @@ import { Example, Render } from "~/components"; ## Interaction between Cloudflare challenges and Rules features -If you are issuing a [challenge](/waf/reference/cloudflare-challenges/) for a given URI path that has one or more Rules features enabled, you should exclude URI paths starting with `/cdn-cgi/challenge-platform/` in your rule expressions to avoid challenge loops. +If you are issuing a [challenge](/fundamentals/security/cloudflare-challenges/) for a given URI path that has one or more Rules features enabled, you should exclude URI paths starting with `/cdn-cgi/challenge-platform/` in your rule expressions to avoid challenge loops. For example, define a compound expression for your rule using the `and` operator and the [`starts_with()`](/ruleset-engine/rules-language/functions/#starts_with) function: diff --git a/src/content/docs/security/settings.mdx b/src/content/docs/security/settings.mdx index ef639f1745c0e6d..3f9cfeb44ab616f 100644 --- a/src/content/docs/security/settings.mdx +++ b/src/content/docs/security/settings.mdx @@ -108,7 +108,7 @@ This section allows you to configure multiple security-related settings. The fol | [JavaScript detections](/bots/reference/javascript-detections/) | **Security** > **Bots** > **Configure Super Bot Fight Mode
Security** > **Bots** > **Configure Bot Management** | | [Auto-update machine learning model](/bots/reference/machine-learning-models/) | **Security** > **Bots** > **Configure Bot Management** | | [Enable Security.txt](/security-center/infrastructure/security-file/) | **Security** > **Settings** | -| [Challenge Passage](/waf/tools/challenge-passage/) | **Security** > **Settings** | +| [Challenge Passage](/fundamentals/security/cloudflare-challenges/challenge-passage/) | **Security** > **Settings** | | [Browser Integrity Check](/waf/tools/browser-integrity-check/) | **Security** > **Settings** | | [Replace insecure JavaScript libraries](/waf/tools/replace-insecure-js-libraries/) | **Security** > **Settings** | | [Security Level](/waf/tools/security-level/) | **Security** > **Settings** | diff --git a/src/content/docs/support/more-dashboard-apps/cloudflare-custom-pages/configuring-custom-pages-error-and-challenge.mdx b/src/content/docs/support/more-dashboard-apps/cloudflare-custom-pages/configuring-custom-pages-error-and-challenge.mdx index a36c3f920c4e7ff..74fad28581e7e95 100644 --- a/src/content/docs/support/more-dashboard-apps/cloudflare-custom-pages/configuring-custom-pages-error-and-challenge.mdx +++ b/src/content/docs/support/more-dashboard-apps/cloudflare-custom-pages/configuring-custom-pages-error-and-challenge.mdx @@ -41,7 +41,7 @@ You can use the following custom error template to start building your page: :::caution[Warnings] - Your custom error page should include a page-specific custom error token if applicable and cannot exceed 1.43 MB. Also, it must include HTML `` and `` tags. -- Make sure that the `referrer` meta tag is not present in your custom error page's HTML code since it will disrupt [Cloudflare challenges](/waf/reference/cloudflare-challenges/): `` +- Make sure that the `referrer` meta tag is not present in your custom error page's HTML code since it will disrupt [Cloudflare challenges](/fundamentals/security/cloudflare-challenges/): `` ::: 
@@ -186,7 +186,7 @@ Your custom error page cannot be blank and cannot exceed 1.43 MB. To avoid excee ## Related resources - [WAF custom rules](/waf/custom-rules/) -- [Cloudflare challenges](/waf/reference/cloudflare-challenges/) +- [Cloudflare challenges](/fundamentals/security/cloudflare-challenges/) - [Troubleshooting Cloudflare errors](/support/troubleshooting/cloudflare-errors/) - [IP Access rules](/waf/tools/ip-access-rules/) - [Rate limiting rules](/waf/rate-limiting-rules/) diff --git a/src/content/docs/turnstile/concepts/pre-clearance-support.mdx b/src/content/docs/turnstile/concepts/pre-clearance-support.mdx index 08af89c077fbbfb..7779f88fe1dd10a 100644 --- a/src/content/docs/turnstile/concepts/pre-clearance-support.mdx +++ b/src/content/docs/turnstile/concepts/pre-clearance-support.mdx @@ -34,7 +34,7 @@ Refer to the [blog post](https://blog.cloudflare.com/integrating-turnstile-with- ## Clearance cookie duration -Clearance cookies generated by the Turnstile widget will be valid for the time specified by the zone-level Challenge Passage value. To configure the Challenge Passage setting, refer to the [WAF documentation](/waf/tools/challenge-passage/). +Clearance cookies generated by the Turnstile widget will be valid for the time specified by the zone-level Challenge Passage value. To configure the Challenge Passage setting, refer to the [Fundamentals documentation](/fundamentals/security/cloudflare-challenges/challenge-passage/). ## Setup diff --git a/src/content/docs/turnstile/concepts/widget.mdx b/src/content/docs/turnstile/concepts/widget.mdx index 401e2c731959af0..94732d41758ae7b 100644 --- a/src/content/docs/turnstile/concepts/widget.mdx +++ b/src/content/docs/turnstile/concepts/widget.mdx 
@@ -104,4 +104,4 @@ The widget expires when a token was issued but the user did not solve the challe ![Unsupported browser](~/assets/images/turnstile/unsupported-browser.png) -Visitors with outdated browsers or unsupported browsers will encounter this widget state. Refer to [Supported browsers](/waf/reference/cloudflare-challenges/#browser-support) for more information regarding supported browsers. \ No newline at end of file +Visitors with outdated browsers or unsupported browsers will encounter this widget state. Refer to [Supported browsers](/fundamentals/security/cloudflare-challenges/#browser-support) for more information regarding supported browsers. \ No newline at end of file diff --git a/src/content/docs/turnstile/get-started/mobile-implementation.mdx b/src/content/docs/turnstile/get-started/mobile-implementation.mdx index ee374e74bacfaca..e527ea2f6ac8db4 100644 --- a/src/content/docs/turnstile/get-started/mobile-implementation.mdx +++ b/src/content/docs/turnstile/get-started/mobile-implementation.mdx 
@@ -40,7 +40,7 @@ When implementing Turnstile with WebViews, the user agent must stay consistent a ## Use clearance cookies -When using [clearance cookies](/turnstile/concepts/pre-clearance-support/) with Turnstile, make sure that it is executed in the same environment where the challenges will occur, including the same browser and device configuration. The `cf_clearance` cookie will be only accepted in the same configured domain for Turnstile widget with the corresponding zone. Domains configured with the Turnstile widget must match the Cloudflare zone that issues challenges via the [WAF](/waf/reference/cloudflare-challenges/). +When using [clearance cookies](/turnstile/concepts/pre-clearance-support/) with Turnstile, make sure that it is executed in the same environment where the challenges will occur, including the same browser and device configuration. The `cf_clearance` cookie will be only accepted in the same configured domain for Turnstile widget with the corresponding zone. Domains configured with the Turnstile widget must match the Cloudflare zone that issues [challenges](/fundamentals/security/cloudflare-challenges/). If pre-clearance is done in a different environment, the clearance cookie may become invalid and lead to more issued challenges. diff --git a/src/content/docs/turnstile/get-started/supported-browsers.mdx b/src/content/docs/turnstile/get-started/supported-browsers.mdx index ab5003e17935d1f..5149527519afefa 100644 --- a/src/content/docs/turnstile/get-started/supported-browsers.mdx +++ b/src/content/docs/turnstile/get-started/supported-browsers.mdx @@ -1,7 +1,7 @@ --- pcx_content_type: concept title: Supported browsers -external_link: /waf/reference/cloudflare-challenges/#browser-support +external_link: /fundamentals/security/cloudflare-challenges/#browser-support sidebar: order: 5 
diff --git a/src/content/docs/turnstile/troubleshooting/client-side-errors/error-codes.mdx b/src/content/docs/turnstile/troubleshooting/client-side-errors/error-codes.mdx index 884ad6be9975762..05694b779f7c447 100644 --- a/src/content/docs/turnstile/troubleshooting/client-side-errors/error-codes.mdx +++ b/src/content/docs/turnstile/troubleshooting/client-side-errors/error-codes.mdx 
@@ -25,7 +25,7 @@ When an error code is marked with `***`, it means that the remaining numbers can | `110200` | Unknown domain: Domain not allowed. | No | Turnstile was used on a domain that was not allowed for this widget to be used on. Ensure that the domain is allowed in the widget configuration via the [Cloudflare dashboard](https://dash.cloudflare.com/). | | `110420` | Invalid action: This error occurs when an unsupported or incorrectly formatted action is submitted. | No | Ensure that the action conforms to the specified structure and contains only valid characters and adheres to the documented length limitations. Refer to [client-side configurations](/turnstile/get-started/client-side-rendering/#configurations) for more information. | | `110430` | Invalid cData: This error in Turnstile refers to an issue encountered when processing Custom Data (cData). This error occurs when the cData provided does not adhere to the expected format or contains invalid characters. | No | Ensure that the cData conforms to the specified structure and contains only valid characters and adheres to the documented length limitations. Refer to [client-side configurations](/turnstile/get-started/client-side-rendering/#configurations) for more information. | -| `110500` | Unsupported browser: The visitor is using an unsupported browser. | No | Encourage the visitor to upgrade their browser or verify otherwise. Refer to [supported browsers](/waf/reference/cloudflare-challenges/#browser-support) for more information. | +| `110500` | Unsupported browser: The visitor is using an unsupported browser. | No | Encourage the visitor to upgrade their browser or verify otherwise. Refer to [Supported browsers](/fundamentals/security/cloudflare-challenges/#browser-support) for more information. | | `110510` | Inconsistent user-agent: The visitor provided an inconsistent user-agent throughout the process of solving Turnstile. 
| No | The visitor may have browser extensions or settings enabled to spoof their user-agent and should disable them to proceed. | | `11060*` | Challenge timed out: The visitor took too long to solve the challenge and the challenge timed out. | Yes | Retry the challenge. The visitor also may have a system clock set to a wrong date. | | `11062*` | Challenge timed out: This error is for visible mode only. The visitor took too long to solve the interactive challenge and the challenge became outdated. | Yes | Reset the widget and re-initialize it to give the visitor the chance to solve the widget again. | diff --git a/src/content/docs/waf/analytics/security-events.mdx b/src/content/docs/waf/analytics/security-events.mdx index 6ab05308f69c89d..8e16ee4327e3fb0 100644 --- a/src/content/docs/waf/analytics/security-events.mdx +++ b/src/content/docs/waf/analytics/security-events.mdx @@ -113,7 +113,7 @@ Besides the actions you can select when configuring rules in Cloudflare security For details on these actions, refer to [HTTP DDoS Attack Protection parameters](/ddos-protection/managed-rulesets/http/override-parameters/#action). -The [_Managed Challenge (Recommended)_](/waf/reference/cloudflare-challenges/#managed-challenge-recommended) action that may appear in **Sampled logs** is available in the following security features and products: WAF custom rules, rate limiting rules, Bot Fight Mode, IP Access rules, User Agent Blocking rules, and firewall rules (deprecated). +The [_Managed Challenge (Recommended)_](/fundamentals/security/cloudflare-challenges/#managed-challenge-recommended) action that may appear in **Sampled logs** is available in the following security features and products: WAF custom rules, rate limiting rules, Bot Fight Mode, IP Access rules, User Agent Blocking rules, and firewall rules (deprecated). ### Export event log data 
diff --git a/src/content/docs/waf/rate-limiting-rules/parameters.mdx b/src/content/docs/waf/rate-limiting-rules/parameters.mdx index ffbe6de6777d8f7..7b500291d1cbe55 100644 --- a/src/content/docs/waf/rate-limiting-rules/parameters.mdx +++ b/src/content/docs/waf/rate-limiting-rules/parameters.mdx 
@@ -151,7 +151,7 @@ Once the rate is reached, the rate limiting rule applies the rule action to furt In the dashboard, select one of the available values, which [vary according to your Cloudflare plan](/waf/rate-limiting-rules/#availability). The available API values are: `0`, `10`, `60` (one minute), `120` (two minutes), `300` (five minutes), `600` (10 minutes), `3600` (one hour), or `86400` (one day). -Customers on Free, Pro, and Business plans cannot select a duration when using a [challenge action](/waf/reference/cloudflare-challenges/#available-challenges) — their rate limiting rule will always perform request throttling for these actions. With request throttling, you do not define a duration. When visitors pass a challenge, their corresponding [request counter](/waf/rate-limiting-rules/request-rate/) is set to zero. When visitors with the same values for the rule characteristics make enough requests to trigger the rate limiting rule again, they will receive a new challenge. +Customers on Free, Pro, and Business plans cannot select a duration when using a [challenge action](/fundamentals/security/cloudflare-challenges/#available-challenges) — their rate limiting rule will always perform request throttling for these actions. With request throttling, you do not define a duration. When visitors pass a challenge, their corresponding [request counter](/waf/rate-limiting-rules/request-rate/) is set to zero. When visitors with the same values for the rule characteristics make enough requests to trigger the rate limiting rule again, they will receive a new challenge. Enterprise customers can always configure a duration (or mitigation timeout), even when using one of the challenge actions. diff --git a/src/content/docs/waf/reference/legacy/old-rate-limiting/index.mdx b/src/content/docs/waf/reference/legacy/old-rate-limiting/index.mdx index 5482ddecb92cd02..1eba3a41d99a119 100644 --- a/src/content/docs/waf/reference/legacy/old-rate-limiting/index.mdx 
+++ b/src/content/docs/waf/reference/legacy/old-rate-limiting/index.mdx @@ -125,7 +125,7 @@ Rate limit actions are based on the domain plan as mentioned in [Availability](# - **Interactive Challenge**: Visitor must pass an Interactive Challenge. If passed, Cloudflare allows the request. - **Log**: Requests are logged in [Cloudflare Logs](/logs/). This helps test rules before applying to production. -For more information on challenge actions, refer to [Cloudflare challenges](/waf/reference/cloudflare-challenges/). +For more information on challenge actions, refer to [Cloudflare challenges](/fundamentals/security/cloudflare-challenges/). #### Ban duration diff --git a/src/content/docs/waf/tools/ip-access-rules/actions.mdx b/src/content/docs/waf/tools/ip-access-rules/actions.mdx index 4d7ca0ed62ab472..993f0cae58d3072 100644 --- a/src/content/docs/waf/tools/ip-access-rules/actions.mdx +++ b/src/content/docs/waf/tools/ip-access-rules/actions.mdx 
@@ -14,7 +14,7 @@ An IP Access rule can perform one of the following actions: - **Allow**: Excludes visitors from all security checks, including [Browser Integrity Check](/waf/tools/browser-integrity-check/), [Under Attack mode](/fundamentals/reference/under-attack-mode/), and the WAF. Use this option when a trusted visitor is being blocked by Cloudflare's default security features. The _Allow_ action takes precedence over the _Block_ action. Note that allowing a given country code will not bypass WAF managed rules (previous and new versions). -- **Managed Challenge**: Depending on the characteristics of a request, Cloudflare will dynamically choose the appropriate type of challenge from a list of possible actions. For more information, refer to [Cloudflare challenges](/waf/reference/cloudflare-challenges/#managed-challenge-recommended). +- **Managed Challenge**: Depending on the characteristics of a request, Cloudflare will dynamically choose the appropriate type of challenge from a list of possible actions. For more information, refer to [Cloudflare challenges](/fundamentals/security/cloudflare-challenges/#managed-challenge-recommended). - **JavaScript Challenge**: Presents the [Under Attack mode](/fundamentals/reference/under-attack-mode/) interstitial page to visitors. The visitor or client must support JavaScript. Useful for blocking DDoS attacks with minimal impact to legitimate visitors. diff --git a/src/content/docs/waf/troubleshooting/faq.mdx b/src/content/docs/waf/troubleshooting/faq.mdx index 3853c3a15929e1d..8d0bd4e2dc01791 100644 --- a/src/content/docs/waf/troubleshooting/faq.mdx +++ b/src/content/docs/waf/troubleshooting/faq.mdx 
@@ -161,7 +161,7 @@ Block Amazon Web Services (AWS) and Google Cloud Platform (GCP) because of large Previously, unless you customize your front-end application, any AJAX request that is challenged will fail because AJAX calls are not rendered in the DOM. -Now, you can [opt-in to Turnstile’s Pre-Clearance cookies](/turnstile/concepts/pre-clearance-support/). This allows you to issue a challenge early in your web application flow and pre-clear users to interact with sensitive APIs. Clearance cookies issued by a Turnstile widget are automatically applied to the Cloudflare zone that the Turnstile widget is embedded on, with no configuration necessary. The duration of the clearance cookie’s validity is controlled by the zone-specific configurable [Challenge Passage](/waf/tools/challenge-passage/) security setting. +Now, you can [opt-in to Turnstile’s Pre-Clearance cookies](/turnstile/concepts/pre-clearance-support/). This allows you to issue a challenge early in your web application flow and pre-clear users to interact with sensitive APIs. Clearance cookies issued by a Turnstile widget are automatically applied to the Cloudflare zone that the Turnstile widget is embedded on, with no configuration necessary. The duration of the clearance cookie’s validity is controlled by the zone-specific configurable [Challenge Passage](/fundamentals/security/cloudflare-challenges/challenge-passage/) security setting. ### Why would I not find any failed challenges? diff --git a/src/content/docs/waf/troubleshooting/samesite-cookie-interaction.mdx b/src/content/docs/waf/troubleshooting/samesite-cookie-interaction.mdx index 79ea07e38148092..6369c3256cfd49c 100644 --- a/src/content/docs/waf/troubleshooting/samesite-cookie-interaction.mdx +++ b/src/content/docs/waf/troubleshooting/samesite-cookie-interaction.mdx 
@@ -59,7 +59,7 @@ If you require a specific `SameSite` configuration in your session affinity cook ## Known issues with SameSite and `cf_clearance` cookies -When a visitor solves a [challenge](/waf/reference/cloudflare-challenges/) presented due to a [WAF custom rule](/waf/custom-rules/) or an [IP Access rule](/waf/tools/ip-access-rules/), a `cf_clearance` cookie is set in the visitor's browser. The `cf_clearance` cookie has a default lifetime of 30 minutes, which you can configure via [Challenge Passage](/waf/tools/challenge-passage/). +When a visitor solves a [challenge](/fundamentals/security/cloudflare-challenges/) presented due to a [WAF custom rule](/waf/custom-rules/) or an [IP Access rule](/waf/tools/ip-access-rules/), a `cf_clearance` cookie is set in the visitor's browser. The `cf_clearance` cookie has a default lifetime of 30 minutes, which you can configure via [Challenge Passage](/fundamentals/security/cloudflare-challenges/challenge-passage/). Cloudflare uses `SameSite=None` in the `cf_clearance` cookie so that visitor requests from different hostnames are not met with later challenges or errors. When `SameSite=None` is used, it must be set in conjunction with the `Secure` flag. diff --git a/src/content/partials/bots/javascript-detections-implementation.mdx b/src/content/partials/bots/javascript-detections-implementation.mdx index ff7287381f85788..e0a510377c7381a 100644 --- a/src/content/partials/bots/javascript-detections-implementation.mdx +++ b/src/content/partials/bots/javascript-detections-implementation.mdx 
@@ -9,7 +9,7 @@ When adding this field to WAF custom rules, use it: * On endpoints expecting browser traffic (avoiding native mobile applications or websocket endpoints). * After a user's first request to your application (Cloudflare needs at least one HTML request before injecting JavaScript detection). -* With the [Managed Challenge action](/waf/reference/cloudflare-challenges/#managed-challenge-recommended), because there are legitimate reasons a user might not have passed a JavaScript detection challenge (network issues, ad blockers, disabled JavaScript in browser, native mobile apps). +* With the [Managed Challenge action](/fundamentals/security/cloudflare-challenges/#managed-challenge-recommended), because there are legitimate reasons a user might not have passed a JavaScript detection challenge (network issues, ad blockers, disabled JavaScript in browser, native mobile apps). ### Prerequisites diff --git a/src/content/partials/turnstile/challenge-behavior.mdx b/src/content/partials/turnstile/challenge-behavior.mdx index e4e5f15c7cec8c0..ba3362ca2477671 100644 --- a/src/content/partials/turnstile/challenge-behavior.mdx +++ b/src/content/partials/turnstile/challenge-behavior.mdx @@ -3,6 +3,6 @@ --- -Cloudflare issues challenges through the [Challenge Platform](/waf/reference/cloudflare-challenges/), which is the same underlying technology powering [Turnstile](/turnstile/). +Cloudflare issues challenges through the [Challenge Platform](/fundamentals/security/cloudflare-challenges/), which is the same underlying technology powering [Turnstile](/turnstile/). In contrast to our Challenge page offerings, Turnstile allows you to run challenges anywhere on your site in a less-intrusive way without requiring the use of Cloudflare’s CDN. diff --git a/src/content/partials/turnstile/troubleshooting-steps.mdx b/src/content/partials/turnstile/troubleshooting-steps.mdx index 651a141c08a49b4..6ef5da3df3d056c 100644 
--- a/src/content/partials/turnstile/troubleshooting-steps.mdx +++ b/src/content/partials/turnstile/troubleshooting-steps.mdx @@ -5,7 +5,7 @@ 1. Verify your browser compatibility. - Turnstile supports all major browsers, except Internet Explorer. - - Ensure your browser is up to date. For more information, refer to our [Supported browsers](/waf/reference/cloudflare-challenges/#supported-browsers). + - Ensure your browser is up to date. For more information, refer to our [Supported browsers](/fundamentals/security/cloudflare-challenges/#supported-browsers). 2. Disable your browser extensions. - Some browser extensions, such as ad blockers, may block the scripts Turnstile needs to operate. - Temporarily disable all extensions and reload the page. diff --git a/src/content/partials/turnstile/turnstile/challenge-behavior.mdx b/src/content/partials/turnstile/turnstile/challenge-behavior.mdx index e4e5f15c7cec8c0..ba3362ca2477671 100644 --- a/src/content/partials/turnstile/turnstile/challenge-behavior.mdx +++ b/src/content/partials/turnstile/turnstile/challenge-behavior.mdx @@ -3,6 +3,6 @@ --- -Cloudflare issues challenges through the [Challenge Platform](/waf/reference/cloudflare-challenges/), which is the same underlying technology powering [Turnstile](/turnstile/). +Cloudflare issues challenges through the [Challenge Platform](/fundamentals/security/cloudflare-challenges/), which is the same underlying technology powering [Turnstile](/turnstile/). In contrast to our Challenge page offerings, Turnstile allows you to run challenges anywhere on your site in a less-intrusive way without requiring the use of Cloudflare’s CDN. diff --git a/src/content/partials/turnstile/turnstile/troubleshooting-steps.mdx b/src/content/partials/turnstile/turnstile/troubleshooting-steps.mdx index 9c4f3241ecd264c..40357cbfba788df 100644 --- a/src/content/partials/turnstile/turnstile/troubleshooting-steps.mdx +++ b/src/content/partials/turnstile/turnstile/troubleshooting-steps.mdx 
@@ -3,26 +3,26 @@ --- -* Verify your browser compatibility: Ensure that the browser you are using is one of the supported browsers for Turnstile and the browser is up to date. Refer to [supported browsers](/waf/reference/cloudflare-challenges/#browser-support) for more information. +- Verify your browser compatibility: Ensure that the browser you are using is one of the supported browsers for Turnstile and the browser is up to date. Refer to [Supported browsers](/fundamentals/security/cloudflare-challenges/#browser-support) for more information. -* Clear your browser cache and cookies: Refer to the guides below on how to clear your browser cache and cookies based on your preferred browser. - * [Google Chrome](https://support.google.com/accounts/answer/32050?hl=en\&co=GENIE.Platform%3DDesktop) - * [Mozilla Firefox](https://support.mozilla.org/kb/clear-cookies-and-site-data-firefox) - * Safari - * [Desktop](https://support.apple.com/guide/safari/manage-cookies-sfri11471/mac) - * [Mobile](https://support.apple.com/105082) - * [Microsoft Edge](https://support.microsoft.com/windows/manage-cookies-in-microsoft-edge-view-allow-block-delete-and-use-168dab11-0753-043d-7c16-ede5947fc64d) +- Clear your browser cache and cookies: Refer to the guides below on how to clear your browser cache and cookies based on your preferred browser. + - [Google Chrome](https://support.google.com/accounts/answer/32050?hl=en\&co=GENIE.Platform%3DDesktop) + - [Mozilla Firefox](https://support.mozilla.org/kb/clear-cookies-and-site-data-firefox) + - Safari + - [Desktop](https://support.apple.com/guide/safari/manage-cookies-sfri11471/mac) + - [Mobile](https://support.apple.com/105082) + - [Microsoft Edge](https://support.microsoft.com/windows/manage-cookies-in-microsoft-edge-view-allow-block-delete-and-use-168dab11-0753-043d-7c16-ede5947fc64d) -* Disable all browser extensions. +- Disable all browser extensions. -* Ensure that JavaScript is enabled. +- Ensure that JavaScript is enabled. 
-* Confirm that cookies are enabled. +- Confirm that cookies are enabled. -* Try again in incognito or private mode. +- Try again in incognito or private mode. -* Test with another browser or device. +- Test with another browser or device. -* Ensure that you are not behind a VPN or proxy. +- Ensure that you are not behind a VPN or proxy. -* Try from a different network. +- Try from a different network. diff --git a/src/content/partials/waf/security-level-description.mdx b/src/content/partials/waf/security-level-description.mdx index 19aebda9277ba4b..e23e5053c6d16d2 100644 --- a/src/content/partials/waf/security-level-description.mdx +++ b/src/content/partials/waf/security-level-description.mdx @@ -2,4 +2,4 @@ {} --- -Cloudflare's Security Level uses the threat score (IP reputation) to decide whether to present a [challenge](/waf/reference/cloudflare-challenges/) to the visitor. Once the visitor enters the correct challenge, they receive the appropriate website resources. +Cloudflare's Security Level uses the threat score (IP reputation) to decide whether to present a [challenge](/fundamentals/security/cloudflare-challenges/) to the visitor. Once the visitor enters the correct challenge, they receive the appropriate website resources.
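Review bot: In `src/content/partials/turnstile/troubleshooting-steps.mdx` the rewritten link ends in `#supported-browsers`, while the same target is linked as `/fundamentals/security/cloudflare-challenges/#browser-support` in `error-codes.mdx` and in `partials/turnstile/turnstile/troubleshooting-steps.mdx`. Both fragments were carried over unchanged from the old `/waf/reference/cloudflare-challenges/` links, so unless the target page defines both ids, one of them does not resolve to a heading. Please confirm which anchor exists at the new location and use it in all three places. A wrong fragment still loads the page, so a link checker that only tests paths will not catch it.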
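Review bot: `src/content/partials/turnstile/challenge-behavior.mdx` and `src/content/partials/turnstile/turnstile/challenge-behavior.mdx` show the same index line (`e4e5f15c7cec8c0..ba3362ca2477671`), so they are identical copies receiving the identical edit. Maintaining both means every future link move has to be applied twice, and the two `troubleshooting-steps.mdx` copies in the same directories have already diverged (numbered list in one, bullets in the other). Please check which path is actually imported and remove the other copy, here or in a follow-up.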
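Review bot: In `src/content/partials/turnstile/turnstile/troubleshooting-steps.mdx` (`@@ -3,26 +3,26 @@`) every list marker is changed from `*` to `-`, which turns a single link update into a rewrite of the whole file and hides the one line that matters for this change. If the marker change comes from a formatter, say so in the commit message or split it into its own commit. Note also that `partials/bots/javascript-detections-implementation.mdx`, touched in this same patch, keeps `*` markers, so the result is not consistent across the files edited here.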
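Review bot: In `src/content/partials/waf/security-level-description.mdx` the modified line still reads "Once the visitor enters the correct challenge", which suggests typed input and does not match how challenges are described elsewhere in this patch (the rate limiting text says "When visitors pass a challenge", and the IP Access rules text describes Managed Challenge as choosing the challenge type dynamically). Since the line is already being edited, consider "Once the visitor passes the challenge" so the partial agrees with the page it now links to.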