Merged
8 changes: 5 additions & 3 deletions public/__redirects
Expand Up @@ -490,7 +490,7 @@
/firewall/cf-rulesets/rulesets-api/view/ /ruleset-engine/rulesets-api/view/ 301
/support/page-rules/required-firewall-rule-changes-to-enable-url-normalization/ /firewall/troubleshooting/required-changes-to-enable-url-normalization/ 301
/firewall/known-issues-and-faq/ /waf/troubleshooting/faq/ 301
/firewall/cf-firewall-rules/cloudflare-challenges/ /waf/reference/cloudflare-challenges/ 301
/firewall/cf-firewall-rules/cloudflare-challenges/ /fundamentals/security/cloudflare-challenges/ 301

# fundamentals
/fundamentals/account-and-billing/account-setup/ /fundamentals/subscriptions-and-billing/ 301
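Review bot: pointing the existing `/firewall/cf-firewall-rules/cloudflare-challenges/` row straight at `/fundamentals/security/cloudflare-challenges/` is the right choice, because leaving it at `/waf/reference/cloudflare-challenges/` would make it chain through the new redirect this PR adds further down in `public/__redirects`; please apply the same check to any other rows in this file that still target `/waf/reference/cloudflare-challenges/` or `/waf/tools/challenge-passage/` but are outside the hunks shown here, since each extra hop in a redirect chain is a second 301 every visitor (and every crawler) has to follow.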
Expand Down Expand Up @@ -549,7 +549,7 @@
/fundamentals/customizations/building-custom-dashboards/index/ /fundamentals/api/building-custom-dashboards/ 301
/fundamentals/customizations/ /fundamentals/ 301
/fundamentals/security/cybersafe/ /fundamentals/reference/policies-compliances/cybersafe/ 301
/fundamentals/security/challenge-passage/ /waf/tools/challenge-passage/ 301
/fundamentals/security/challenge-passage/ /fundamentals/security/cloudflare-challenges/challenge-passage/ 301
/fundamentals/glossary/ /fundamentals/reference/glossary/ 301
/fundamentals/account-and-billing/login/ /fundamentals/setup/account/login/ 301
/fundamentals/account-and-billing/account-maintenance/delete-account/ /fundamentals/subscriptions-and-billing/delete-account/ 301
Expand Down Expand Up @@ -597,7 +597,7 @@
/fundamentals/get-started/setup/minimize-downtime/ /fundamentals/performance/minimize-downtime/ 301
/fundamentals/basic-tasks/maintenance-mode/ /fundamentals/performance/minimize-downtime/ 301
/fundamentals/get-started/concepts/what-is-cloudflare/ https://www.cloudflare.com/learning/what-is-cloudflare/ 301
/fundamentals/get-started/concepts/cloudflare-challenges/ /waf/reference/cloudflare-challenges/ 301
/fundamentals/get-started/concepts/cloudflare-challenges/ /fundamentals/security/cloudflare-challenges/ 301
/fundamentals/get-started/concepts/accounts-and-zones/ /fundamentals/setup/accounts-and-zones/ 301
/fundamentals/get-started/concepts/cloudflare-ip-addresses/ /fundamentals/concepts/cloudflare-ip-addresses/ 301
/fundamentals/get-started/concepts/network-layers/ /fundamentals/reference/network-layers/ 301
Expand Down Expand Up @@ -1404,6 +1404,8 @@
/waf/analytics/security-events/free-plan/ /waf/analytics/security-events/ 301
/waf/analytics/security-events/paid-plans/ /waf/analytics/security-events/ 301
/waf/analytics/security-events/additional-information/ /waf/tools/validation-checks/ 301
/waf/reference/cloudflare-challenges/ /fundamentals/security/cloudflare-challenges/ 301
/waf/tools/challenge-passage/ /fundamentals/security/cloudflare-challenges/challenge-passage/ 301

# waiting-room
/waiting-room/how-to/mobile-traffic/ /waiting-room/how-to/json-response/ 301
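Review bot: the two new rows cover only the exact old paths, while several pages changed in this PR link to `/fundamentals/security/cloudflare-challenges/#managed-challenge-recommended` (bots/troubleshooting, the DDoS adaptive-rules page, the firewall actions reference and the rate-limiting example); a path-level 301 cannot validate a fragment and a missing anchor fails silently (the page loads scrolled to the top), so confirm the heading that produces `#managed-challenge-recommended` exists on the moved page, or add a redirect for the fragment-bearing URL if the anchor name changed with the move.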
Expand Up @@ -32,7 +32,7 @@ Users may also see `100x` errors which are not reported. These will be displayed
## Common edge status codes

- `400` - Bad Request intercepted at the Cloudflare Edge (for example, missing or bad HTTP header)
- `403` - Security functionality (for example, Web Application Firewall, Browser Integrity Check, [Cloudflare challenges](/waf/reference/cloudflare-challenges/), and most 1xxx error codes)
- `403` - Security functionality (for example, Web Application Firewall, Browser Integrity Check, [Cloudflare challenges](/fundamentals/security/cloudflare-challenges/), and most 1xxx error codes)
- `409` - DNS errors typically in the form of 1000 or 1001 error code
- `413` - File size upload exceeded the maximum size allowed (configured in the dashboard under **Network** > **Maximum Upload Size**.)
- `444` - Used by Nginx to indicate that the server has returned no information to the client, and closed the connection. This error code is internal to Nginx and is **not** returned to the client.
Expand Up @@ -52,7 +52,7 @@ A /24 IP range that was blocked based on the [user configuration](/waf/tools/ip-

## New Challenge (user)

[Challenge](/waf/reference/cloudflare-challenges/) based on user configurations set for visitor’s IP in either WAF managed rules or custom rules, configured in **Security** > **WAF**.
[Challenge](/fundamentals/security/cloudflare-challenges/) based on user configurations set for visitor’s IP in either WAF managed rules or custom rules, configured in **Security** > **WAF**.

## Challenge error

Expand Up @@ -7,7 +7,7 @@ title: Total threats stopped
Total Threats Stopped measures the number of “suspicious” and “bad” requests that were aimed at your site. Requests receive these labels by our IP Reputation Database as they enter Cloudflare’s network:

- **Legitimate:** Request passed directly to your site.
- **Suspicious:** Request has been challenged with a [Cloudflare challenge](/waf/reference/cloudflare-challenges/).
- **Suspicious:** Request has been challenged with a [Cloudflare challenge](/fundamentals/security/cloudflare-challenges/).
- **Bad:** Request has been blocked because our Browser Integrity Check, or because of user configured settings like WAF rules or IP range block.

Cloudflare uses threat scores gathered from sources such as Project Honeypot, as well as our own communities' traffic to determine whether a visitor is legitimate or malicious. When a legitimate visitor passes a challenge, that helps offset the threat score against the previous negative behavior seen from that IP address. Our system learns who is a threat from this activity.
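Review bot: while this hunk is open, the unchanged context line `- **Bad:** Request has been blocked because our Browser Integrity Check, or because of user configured settings like WAF rules or IP range block.` is missing a word after "because"; suggest `blocked because of our Browser Integrity Check, or because of user-configured settings such as WAF rules or an IP range block.` so the three bullets read consistently.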
2 changes: 1 addition & 1 deletion src/content/docs/bots/concepts/detection-ids.mdx
Expand Up @@ -87,7 +87,7 @@ and not any(cf.bot_management.detection_ids[*] in {3355446 12577893})

### Challenges for account takeover detections

Cloudflare's [Managed Challenge](/waf/reference/cloudflare-challenges/) can limit brute-force attacks on your login endpoints.
Cloudflare's [Managed Challenge](/fundamentals/security/cloudflare-challenges/) can limit brute-force attacks on your login endpoints.

To access account takeover detections:

2 changes: 1 addition & 1 deletion src/content/docs/bots/troubleshooting.mdx
Expand Up @@ -59,7 +59,7 @@ Cloudflare uses data from millions of requests and re-train the system on a peri

When you choose to challenge different bot categories with Bot Fight Mode or Super Bot Fight Mode, you will see Security Events with an **Action Taken** of **Managed Challenge**.

You may also see Managed Challenge due to a triggered [WAF custom rule](/waf/reference/cloudflare-challenges/#managed-challenge-recommended).
You may also see Managed Challenge due to a triggered [WAF custom rule](/fundamentals/security/cloudflare-challenges/#managed-challenge-recommended).

This does not mean that your traffic was blocked. It is the challenge sent to your user to determine whether they are likely human or likely bot.

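Review bot: the link text and target on the changed line do not match: the anchor text is "WAF custom rule" but the URL points at the Managed Challenge section of the challenges page (`/fundamentals/security/cloudflare-challenges/#managed-challenge-recommended`), whereas custom rules are documented at `/waf/custom-rules/` (the path used elsewhere in this PR); since the line is being touched anyway, consider `a triggered [WAF custom rule](/waf/custom-rules/) with a [Managed Challenge](/fundamentals/security/cloudflare-challenges/#managed-challenge-recommended) action.` so readers land on the page the text promises.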
Expand Up @@ -78,7 +78,7 @@ You may not see any traffic matching the adaptive rules. This can be because the

If you do see traffic that was _Logged_ by the adaptive rules, use the dashboard to determine if the traffic matches the characteristics of legitimate users or that of attack traffic. As each Internet property is unique, understanding if the traffic is legitimate requires your understanding of how your legitimate traffic looks. For example, the user agent, source country, headers, query string for HTTP requests, and protocols and ports for L3/4 traffic.

- In cases where you are certain that the rule is only flagging attack traffic, you should consider creating an override and enabling that rule with a [Managed Challenge](/waf/reference/cloudflare-challenges/#managed-challenge-recommended) or `Block` action.
- In cases where you are certain that the rule is only flagging attack traffic, you should consider creating an override and enabling that rule with a [Managed Challenge](/fundamentals/security/cloudflare-challenges/#managed-challenge-recommended) or `Block` action.
- In cases where you see legitimate traffic being flagged, you should lower the sensitivity level of the rule and observe the flagged traffic. You can continue reducing the sensitivity level until you reach a point where legitimate traffic is not flagged. Then, you should create an override to enable the rule with a mitigation action.
- If the rule is still flagging legitimate traffic you can consider using the expression filters to condition the rules to exclude certain types of traffic.

Expand Up @@ -30,7 +30,7 @@ The action that will be performed for requests that match specific rules of Clou

- **Managed Challenge**
- API value: `"managed_challenge"`.
- [Managed Challenges](/waf/reference/cloudflare-challenges/#managed-challenge-recommended) help reduce the lifetimes of human time spent solving Captchas across the Internet. Depending on the characteristics of a request, Cloudflare will dynamically choose the appropriate type of challenge based on specific criteria.
- [Managed Challenges](/fundamentals/security/cloudflare-challenges/#managed-challenge-recommended) help reduce the lifetimes of human time spent solving Captchas across the Internet. Depending on the characteristics of a request, Cloudflare will dynamically choose the appropriate type of challenge based on specific criteria.

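Review bot: the sentence on the changed line, `help reduce the lifetimes of human time spent solving Captchas across the Internet`, is awkward ("lifetimes of human time") and is carried over unchanged from the old text; as the line is already being edited, suggest `help reduce the time humans spend solving CAPTCHAs across the Internet.` (CAPTCHA is the usual casing, and the reference-architecture hunk in this same PR already writes "CAPTCHAs").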
- **Interactive Challenge**
- API value: `"challenge"`.
Expand Up @@ -58,7 +58,7 @@ To preview what Under Attack mode looks like for your visitors:
4. Go to **Custom Pages**.
5. For **Managed Challenge / I'm Under Attack Mode™**, select **Custom Pages** > **View default**.

The `Checking your browser before accessing...` challenge determines whether to block or allow a visitor within five seconds. After passing the challenge, the visitor does not observe another challenge until the duration configured in [Challenge Passage](/waf/tools/challenge-passage/).
The `Checking your browser before accessing...` challenge determines whether to block or allow a visitor within five seconds. After passing the challenge, the visitor does not observe another challenge until the duration configured in [Challenge Passage](/fundamentals/security/cloudflare-challenges/challenge-passage/).

---

Expand Up @@ -4,7 +4,7 @@ title: Challenge Passage

---

When a visitor solves a [Cloudflare challenge](/waf/reference/cloudflare-challenges/) - as part of a [WAF custom rule](/waf/custom-rules/) or [IP Access rule](/waf/tools/ip-access-rules/) - you can set the **Challenge Passage** to prevent them from having to solve future challenges for a specified period of time.
When a visitor solves a [Cloudflare challenge](/fundamentals/security/cloudflare-challenges/) - as part of a [WAF custom rule](/waf/custom-rules/) or [IP Access rule](/waf/tools/ip-access-rules/) - you can set the **Challenge Passage** to prevent them from having to solve future challenges for a specified period of time.

## How it works

Expand Up @@ -52,15 +52,15 @@ Currently, **Managed Challenge** actions are available in the following security
- [Rate Limiting (previous version, deprecated)](/waf/reference/legacy/old-rate-limiting/)
- [Turnstile](/turnstile/concepts/widget/#managed-recommended)

### JS challenge
### JavaScript (JS) challenge

With a JS challenge, Cloudflare presents challenge page that requires no interaction from a visitor, but rather JavaScript processing by their browser.
With a JavaScript (JS) challenge, Cloudflare presents challenge page that requires no interaction from a visitor, but rather JavaScript processing by their browser.

The visitor will have to wait until their browser finishes processing the JavaScript, which should be less than five seconds.

### Interactive Challenge
### Interactive challenge

Interactive challenges require a visitor to interact with the challenge page, presenting the visitor with an interactive challenge to solve. Cloudflare does not recommend using Interactive Challenges.
Interactive challenges require a visitor to interact with the challenge page, presenting the visitor with an interactive challenge to solve. Cloudflare does not recommend using interactive challenges.

For more on why Cloudflare does not recommend using Interactive Challenge, in favor of Managed Challenge, refer to our [blog](https://blog.cloudflare.com/end-cloudflare-captcha/).

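Review bot: renaming the heading `### JS challenge` to `### JavaScript (JS) challenge` also changes the auto-generated heading anchor, so check whether any page or redirect still links to the old `#js-challenge` fragment before merging; the `### Interactive challenge` rename is case-only and keeps its slug. Two smaller points on the same hunk: the unchanged context line `For more on why Cloudflare does not recommend using Interactive Challenge, in favor of Managed Challenge, ...` still uses the capitalised form the hunk just lower-cased two lines above, and the changed sentence `Cloudflare presents challenge page that requires no interaction` is missing an article (`presents a challenge page`), a defect inherited from the old line. Spelling out "JavaScript (JS)" in both the heading and the first sentence is redundant; expanding it once, in the heading, is enough.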
2 changes: 1 addition & 1 deletion src/content/docs/fundamentals/trace-request/how-to.mdx
Expand Up @@ -37,7 +37,7 @@ import { GlossaryTooltip } from "~/components";
- [**Bot score**](/bots/concepts/bot-score/)
- **Threat score**
- **Request body** (for `POST`, `PUT`, and `PATCH` requests)
- **Skip challenge** (skips a Cloudflare-issued [challenge](/waf/reference/cloudflare-challenges/), if any, allowing the trace to continue)
- **Skip challenge** (skips a Cloudflare-issued [challenge](/fundamentals/security/cloudflare-challenges/), if any, allowing the trace to continue)

5. Select **Send trace**.

Expand Up @@ -26,7 +26,7 @@ The rule below is being created on the `enterprise` plan, so we are no longer li
* The rule will also limit the number of requests to `/create-account`, but will only trigger against `POST` requests. In the basic example, even requests with the `GET` method will increment the counter.
* Requests that do not have a [client certificate (mTLS)](/ssl/client-certificates/), will increment the counter.
* Requests will be counted using the [IP with NAT support](/waf/rate-limiting-rules/parameters/#use-cases-of-ip-with-nat-support) characteristic.
* Within a 1 minute period, for each counted entity, if the number of requests exceeds 10, then the user will be presented with a [`Managed Challenge`](/waf/reference/cloudflare-challenges/#managed-challenge-recommended) for a custom duration of 1 day.
* Within a 1 minute period, for each counted entity, if the number of requests exceeds 10, then the user will be presented with a [`Managed Challenge`](/fundamentals/security/cloudflare-challenges/#managed-challenge-recommended) for a custom duration of 1 day.

![rate-limiting-advanced-config-1](~/assets/images/waf/rate-limiting-rules/rl-advanced-config.png)

Expand Up @@ -10,7 +10,7 @@ While in [HTTP requests](/radar/investigate/http-requests) you can examine all k

:::note[Mitigated traffic]

Mitigated traffic is any HTTP request from an end-user that has a terminating action applied by the Cloudflare platform. These include actions like `BLOCK` or [challenges](/waf/reference/cloudflare-challenges/).
Mitigated traffic is any HTTP request from an end-user that has a terminating action applied by the Cloudflare platform. These include actions like `BLOCK` or [challenges](/fundamentals/security/cloudflare-challenges/).
:::

Since we are examining attacks, we can inspect both sides of an attack — both the source location and the target location of the attack. For the source of the attack Cloudflare uses the location the attack is coming from associated with the IP (note that the human orchestrator of the attack may be in a different location than the computer the attack is originating from). For the target location of the attacks, Cloudflare uses the billing location associated with the zone under attack.
Expand Up @@ -408,7 +408,7 @@ Customers can enable a positive security model using mTLS, JWT validation, and s

![Bot management can filter good and bad bots.](~/assets/images/reference-architecture/security/security-ref-arch-12.svg)

Additionally, Cloudflare can take the action of challenging clients if it suspects undesired bot activity. Cloudflare offers its [Managed Challenge](/waf/reference/cloudflare-challenges/) platform where the appropriate type of challenge is dynamically chosen based on the characteristics of a request. This helps avoid CAPTCHAs, which result in a poor customer experience.
Additionally, Cloudflare can take the action of challenging clients if it suspects undesired bot activity. Cloudflare offers its [Managed Challenge](/fundamentals/security/cloudflare-challenges/) platform where the appropriate type of challenge is dynamically chosen based on the characteristics of a request. This helps avoid CAPTCHAs, which result in a poor customer experience.

Depending on the characteristics of a request, Cloudflare will choose an appropriate type of challenge, which may include but is not limited to:

2 changes: 1 addition & 1 deletion src/content/docs/rules/custom-errors/parameters.mdx
Expand Up @@ -36,7 +36,7 @@ Rule parameters are the following:

:::caution

If you create an HTML error response, make sure the `referrer` meta tag is not present in the HTML code since it will disrupt [Cloudflare challenges](/waf/reference/cloudflare-challenges/):
If you create an HTML error response, make sure the `referrer` meta tag is not present in the HTML code since it will disrupt [Cloudflare challenges](/fundamentals/security/cloudflare-challenges/):

```html
<meta name="referrer" (...) />
2 changes: 1 addition & 1 deletion src/content/docs/rules/reference/troubleshooting.mdx
Expand Up @@ -13,7 +13,7 @@ import { Example, Render } from "~/components";

## Interaction between Cloudflare challenges and Rules features

If you are issuing a [challenge](/waf/reference/cloudflare-challenges/) for a given URI path that has one or more Rules features enabled, you should exclude URI paths starting with `/cdn-cgi/challenge-platform/` in your rule expressions to avoid challenge loops.
If you are issuing a [challenge](/fundamentals/security/cloudflare-challenges/) for a given URI path that has one or more Rules features enabled, you should exclude URI paths starting with `/cdn-cgi/challenge-platform/` in your rule expressions to avoid challenge loops.

For example, define a compound expression for your rule using the `and` operator and the [`starts_with()`](/ruleset-engine/rules-language/functions/#starts_with) function:

2 changes: 1 addition & 1 deletion src/content/docs/security/settings.mdx
Expand Up @@ -108,7 +108,7 @@ This section allows you to configure multiple security-related settings. The fol
| [JavaScript detections](/bots/reference/javascript-detections/) | **Security** > **Bots** > **Configure Super Bot Fight Mode<br/>Security** > **Bots** > **Configure Bot Management** |
| [Auto-update machine learning model](/bots/reference/machine-learning-models/) | **Security** > **Bots** > **Configure Bot Management** |
| [Enable Security.txt](/security-center/infrastructure/security-file/) | **Security** > **Settings** |
| [Challenge Passage](/waf/tools/challenge-passage/) | **Security** > **Settings** |
| [Challenge Passage](/fundamentals/security/cloudflare-challenges/challenge-passage/) | **Security** > **Settings** |
| [Browser Integrity Check](/waf/tools/browser-integrity-check/) | **Security** > **Settings** |
| [Replace insecure JavaScript libraries](/waf/tools/replace-insecure-js-libraries/) | **Security** > **Settings** |
| [Security Level](/waf/tools/security-level/) | **Security** > **Settings** |