diff --git a/public/__redirects b/public/__redirects index 610a88c8836bc93..0277b3bdd9bc8f7 100644 --- a/public/__redirects +++ b/public/__redirects @@ -218,7 +218,7 @@ /support/other-languages/deutsch/cloudflare-bot/ /bots/troubleshooting/ 301 /bots/reference/verified-bot-categories/ /bots/concepts/bot/verified-bots/categories/ 301 /bots/reference/verified-bot-policy/ /bots/concepts/bot/verified-bots/policy/ 301 -/bots/concepts/challenge-solve-rate/ /fundamentals/security/cloudflare-challenges/challenge-solve-rate/ 301 +/bots/concepts/challenge-solve-rate/ /cloudflare-challenges/reference/challenge-solve-rate/ 301 /bots/concepts/detection-ids/ /bots/additional-configurations/detection-ids/ 301 /bots/concepts/ja3-ja4-fingerprint/ /bots/additional-configurations/ja3-ja4-fingerprint/ 301 /bots/concepts/signals-intelligence/ /bots/additional-configurations/ja3-ja4-fingerprint/signals-intelligence/ 301 @@ -502,7 +502,7 @@ /firewall/cf-rulesets/custom-rules/rate-limiting/ /waf/rate-limiting-rules/ 301 /support/page-rules/required-firewall-rule-changes-to-enable-url-normalization/ /firewall/troubleshooting/required-changes-to-enable-url-normalization/ 301 /firewall/known-issues-and-faq/ /waf/troubleshooting/faq/ 301 -/firewall/cf-firewall-rules/cloudflare-challenges/ /fundamentals/security/cloudflare-challenges/ 301 +/firewall/cf-firewall-rules/cloudflare-challenges/ /cloudflare-challenges/ 301 # fundamentals /fundamentals/account-and-billing/account-setup/ /fundamentals/subscriptions-and-billing/ 301 @@ -554,7 +554,7 @@ /fundamentals/global-configurations/ /fundamentals/ 301 /fundamentals/customizations/ /fundamentals/ 301 /fundamentals/security/cybersafe/ /fundamentals/reference/policies-compliances/cybersafe/ 301 -/fundamentals/security/challenge-passage/ /fundamentals/security/cloudflare-challenges/challenge-passage/ 301 +/fundamentals/security/challenge-passage/ /cloudflare-challenges/challenge-types/challenge-pages/#challenge-passage 301 /fundamentals/glossary/ /fundamentals/reference/glossary/ 301 /fundamentals/account-and-billing/login/ /fundamentals/setup/account/login/ 301 /fundamentals/account-and-billing/account-maintenance/delete-account/ /fundamentals/subscriptions-and-billing/delete-account/ 301 @@ -591,7 +591,7 @@ /fundamentals/get-started/setup/minimize-downtime/ /fundamentals/performance/minimize-downtime/ 301 /fundamentals/basic-tasks/maintenance-mode/ /fundamentals/performance/minimize-downtime/ 301 /fundamentals/get-started/concepts/what-is-cloudflare/ https://www.cloudflare.com/learning/what-is-cloudflare/ 301 -/fundamentals/get-started/concepts/cloudflare-challenges/ /fundamentals/security/cloudflare-challenges/ 301 +/fundamentals/get-started/concepts/cloudflare-challenges/ /cloudflare-challenges/ 301 /fundamentals/get-started/concepts/accounts-and-zones/ /fundamentals/setup/accounts-and-zones/ 301 /fundamentals/get-started/concepts/cloudflare-ip-addresses/ /fundamentals/concepts/cloudflare-ip-addresses/ 301 /fundamentals/get-started/concepts/network-layers/ /fundamentals/reference/network-layers/ 301 @@ -673,6 +673,9 @@ /fundamentals/concepts/the-internet/ https://www.cloudflare.com/learning/network-layer/how-does-the-internet-work/ 301 /fundamentals/concepts/free-plan/ /fundamentals/subscriptions-and-billing/free-plan/ 301 /fundamentals/setup/manage-domains/connect-your-domain/ /fundamentals/setup/manage-domains/add-site/ 301 +/fundamentals/security/cloudflare-challenges/challenge-passage/ /cloudflare-challenges/challenge-types/challenge-pages/#challenge-passage 301 +/fundamentals/security/cloudflare-challenges/challenge-solve-rate/ /cloudflare-challenges/reference/challenge-solve-rate/ 301 +/fundamentals/security/cloudflare-challenges/challenge-solve-issues/ /cloudflare-challenges/troubleshooting/challenge-solve-issues/ 301 # gateway /gateway/about/ /cloudflare-one/policies/gateway/ 301 @@ -1338,7 +1341,7 @@ /turnstile/migration/migrating-from-hcaptcha/ /turnstile/migration/hcaptcha/ 301 /turnstile/concepts/widget-types/ /turnstile/concepts/widget/ 301 /turnstile/concepts/domain-management/ /turnstile/concepts/hostname-management/ 301 -/turnstile/troubleshooting/challenge-solve-issues/ /fundamentals/security/cloudflare-challenges/challenge-solve-issues/ 301 +/turnstile/troubleshooting/challenge-solve-issues/ /cloudflare-challenges/troubleshooting/challenge-solve-issues/ 301 # waf /waf/about/ /waf/concepts/ 301 @@ -1375,8 +1378,8 @@ /waf/analytics/security-events/free-plan/ /waf/analytics/security-events/ 301 /waf/analytics/security-events/paid-plans/ /waf/analytics/security-events/ 301 /waf/analytics/security-events/additional-information/ /waf/tools/validation-checks/ 301 -/waf/reference/cloudflare-challenges/ /fundamentals/security/cloudflare-challenges/ 301 -/waf/tools/challenge-passage/ /fundamentals/security/cloudflare-challenges/challenge-passage/ 301 +/waf/reference/cloudflare-challenges/ /cloudflare-challenges/ 301 +/waf/tools/challenge-passage/ /cloudflare-challenges/challenge-types/challenge-pages/#challenge-passage 301 # waiting-room /waiting-room/how-to/mobile-traffic/ /waiting-room/how-to/json-response/ 301 diff --git a/src/content/docs/analytics/account-and-zone-analytics/status-codes.mdx b/src/content/docs/analytics/account-and-zone-analytics/status-codes.mdx index 7f17c60e1be638c..915fe7a3d871620 100644 --- a/src/content/docs/analytics/account-and-zone-analytics/status-codes.mdx +++ b/src/content/docs/analytics/account-and-zone-analytics/status-codes.mdx @@ -32,7 +32,7 @@ Users may also see `100x` errors which are not reported. These will be displayed ## Common edge status codes - `400` - Bad Request intercepted at the Cloudflare Edge (for example, missing or bad HTTP header) -- `403` - Security functionality (for example, Web Application Firewall, Browser Integrity Check, [Cloudflare challenges](/fundamentals/security/cloudflare-challenges/), and most 1xxx error codes) +- `403` - Security functionality (for example, Web Application Firewall, Browser Integrity Check, [Cloudflare challenges](/cloudflare-challenges/), and most 1xxx error codes) - `409` - DNS errors typically in the form of 1000 or 1001 error code - `413` - File size upload exceeded the maximum size allowed (configured in the dashboard under **Network** > **Maximum Upload Size**.) - `444` - Used by Nginx to indicate that the server has returned no information to the client, and closed the connection. This error code is internal to Nginx and is **not** returned to the client. diff --git a/src/content/docs/analytics/account-and-zone-analytics/threat-types.mdx b/src/content/docs/analytics/account-and-zone-analytics/threat-types.mdx index fc2a7129fe74134..75f6447bb4ca418 100644 --- a/src/content/docs/analytics/account-and-zone-analytics/threat-types.mdx +++ b/src/content/docs/analytics/account-and-zone-analytics/threat-types.mdx @@ -52,7 +52,7 @@ A /24 IP range that was blocked based on the [user configuration](/waf/tools/ip- ## New Challenge (user) -[Challenge](/fundamentals/security/cloudflare-challenges/) based on user configurations set for visitor’s IP in either WAF managed rules or custom rules, configured in **Security** > **WAF**. +[Challenge](/cloudflare-challenges/) based on user configurations set for visitor’s IP in either WAF managed rules or custom rules, configured in **Security** > **WAF**. ## Challenge error diff --git a/src/content/docs/analytics/account-and-zone-analytics/total-threats-stopped.mdx b/src/content/docs/analytics/account-and-zone-analytics/total-threats-stopped.mdx index 56188fe45e25149..4dc8a0b3b01d877 100644 --- a/src/content/docs/analytics/account-and-zone-analytics/total-threats-stopped.mdx +++ b/src/content/docs/analytics/account-and-zone-analytics/total-threats-stopped.mdx @@ -7,7 +7,7 @@ title: Total threats stopped Total Threats Stopped measures the number of “suspicious” and “bad” requests that were aimed at your site. Requests receive these labels as they enter Cloudflare’s network: - **Legitimate:** Request passed directly to your site. -- **Suspicious:** Request has been challenged with a [Cloudflare challenge](/fundamentals/security/cloudflare-challenges/). +- **Suspicious:** Request has been challenged with a [Cloudflare challenge](/cloudflare-challenges/). - **Bad:** Request has been blocked because our Browser Integrity Check, or because of user configured settings like WAF rules or IP Access rules. In addition to threat analytics you can also monitor search engine crawlers going to your websites. For most websites, threats and crawlers make up 20% to 50% of traffic. diff --git a/src/content/docs/bots/additional-configurations/detection-ids.mdx b/src/content/docs/bots/additional-configurations/detection-ids.mdx index d7f9686da74a17e..3f2617cf905ef30 100644 --- a/src/content/docs/bots/additional-configurations/detection-ids.mdx +++ b/src/content/docs/bots/additional-configurations/detection-ids.mdx @@ -88,7 +88,7 @@ and not any(cf.bot_management.detection_ids[*] in {3355446 12577893}) ### Challenges for account takeover detections -Cloudflare's [Managed Challenge](/fundamentals/security/cloudflare-challenges/) can limit brute-force attacks on your login endpoints. +Cloudflare's [Managed Challenge](/cloudflare-challenges/challenge-types/challenge-pages/#managed-challenge-recommended) can limit brute-force attacks on your login endpoints. To access account takeover detections: diff --git a/src/content/docs/bots/get-started/bot-management.mdx b/src/content/docs/bots/get-started/bot-management.mdx index 325b9cb5b20bb33..6d55c166207f6cd 100644 --- a/src/content/docs/bots/get-started/bot-management.mdx +++ b/src/content/docs/bots/get-started/bot-management.mdx @@ -69,7 +69,7 @@ Cloudflare has [default templates](https://dash.cloudflare.com/?to=/:account/:zo (cf.bot_management.score ge 2 and cf.bot_management.score le 29 and not cf.bot_management.verified_bot and not cf.bot_management.static_resource) ``` -- (Optional) [JavaScript detections template](https://dash.cloudflare.com/?to=/:account/:zone/security/security-rules/custom-rules/create?template=JavaScript%20Verified%20URLs): If you enabled JavaScript detections, then set up a [managed challenge](/fundamentals/security/cloudflare-challenges/#managed-challenge-recommended), make sure to add a method and URI path. JavaScript detections improves security for URLs that should only expect JavaScript-enabled clients. +- (Optional) [JavaScript detections template](https://dash.cloudflare.com/?to=/:account/:zone/security/security-rules/custom-rules/create?template=JavaScript%20Verified%20URLs): If you enabled JavaScript detections, then set up a [managed challenge](/cloudflare-challenges/challenge-types/challenge-pages/#managed-challenge-recommended), make sure to add a method and URI path. JavaScript detections improves security for URLs that should only expect JavaScript-enabled clients. ```txt wrap (not cf.bot_management.js_detection.passed and http.request.method eq "" and http.request.uri.path in {""}) diff --git a/src/content/docs/bots/troubleshooting/frequently-asked-questions.mdx b/src/content/docs/bots/troubleshooting/frequently-asked-questions.mdx index 624413e94ba5039..f86d7682e500b3e 100644 --- a/src/content/docs/bots/troubleshooting/frequently-asked-questions.mdx +++ b/src/content/docs/bots/troubleshooting/frequently-asked-questions.mdx @@ -59,7 +59,7 @@ Cloudflare uses data from millions of requests and re-train the system on a peri When you choose to challenge different bot categories with Bot Fight Mode or Super Bot Fight Mode, you will see Security Events with an **Action Taken** of **Managed Challenge**. -You may also see Managed Challenge due to a triggered [WAF custom rule](/fundamentals/security/cloudflare-challenges/#managed-challenge-recommended). +You may also see Managed Challenge due to a triggered [WAF custom rule](/cloudflare-challenges/challenge-types/challenge-pages/#managed-challenge-recommended). This does not mean that your traffic was blocked. It is the challenge sent to your user to determine whether they are likely human or likely bot. diff --git a/src/content/docs/cloudflare-challenges/challenge-types/challenge-pages.mdx b/src/content/docs/cloudflare-challenges/challenge-types/challenge-pages.mdx new file mode 100644 index 000000000000000..517f3825f7d4466 --- /dev/null +++ b/src/content/docs/cloudflare-challenges/challenge-types/challenge-pages.mdx @@ -0,0 +1,127 @@ +--- +pcx_content_type: concept +title: Challenge pages +sidebar: + order: 1 +--- + +The types of available challenge pages function similarly. The main difference between the challenges are when and if an interaction is presented to the visitor. + +- Managed challenges will rarely present the visitor with an interactive challenge, except in cases where Cloudflare cannot verify the legitimacy of the visitor. +- JavaScript challenges never present the visitor with an interactive challenge. +- Interactive challenges present the visitor with a simple and solvable challenge, such as selecting a checkbox, to verify their legitimacy. + +Refer to the information below for more details on available challenges. + +## Available challenges + +### Managed challenge (recommended) + +Managed challenges are where Cloudflare dynamically chooses the appropriate type of challenge based on the characteristics of a request. This helps avoid [CAPTCHAs](https://www.cloudflare.com/learning/bots/how-captchas-work/), which also reduces the lifetimes of human time spent solving CAPTCHAs across the Internet. + +Unless there are specific compatibility issues or other reasons to use other types of challenges, you should use managed challenges for your various custom rules. + +:::caution +Using Cloudflare challenges along with Rules features may cause challenge loops. Refer to [Rules troubleshooting](/rules/reference/troubleshooting/) for more information. +::: + +### JavaScript challenge + +With a JavaScript (JS) challenge, Cloudflare presents a challenge page that requires no interaction from a visitor except the JavaScript processed by their browser. + +The visitor must wait until their browser finishes processing the JavaScript, which should be less than five seconds. + +### Interactive challenge + +Interactive challenges require a visitor to interact with the interstitial challenge page, presenting the visitor with an interactive challenge to solve. Cloudflare does not recommend using Interactive Challenges. +For more on why Cloudflare does not recommend using Interactive Challenge, in favor of Managed Challenge, refer to our [blog post](https://blog.cloudflare.com/end-cloudflare-captcha/). + +--- + +## Detect a challenge page response + +When a request encounters a Cloudflare challenge page instead of the originally anticipated response, the challenge page response (regardless of the challenge page type) will have the `cf-mitigated` header present and set to `challenge`. This header can be leveraged to detect if a response was challenged when making fetch/XHR requests. This header provides a reliable way to identify whether a response is a challenge or not, enabling a web application to take appropriate action based on the result. For example, a front-end application encountering a response from the backend may check the presence of this header value to handle cases where challenge pages encountered unexpectedly. + +:::note +Regardless of the requested resource-type, the content-type of a challenge will be `text/html`. +::: + +For the `cf-mitigated` header, `challenge` is the only valid value. The header is set for all challenge page types. + +To illustrate, here is a JavaScript code snippet that demonstrates how to use the `cf-mitigated` header to detect whether a response was challenged: + +```js +fetch("/my-api-endpoint").then((response) => { + if (response.headers.get("cf-mitigated") === "challenge") { + // Handle challenged response + } else { + // Process response as usual + } +}); +``` + +For additional help, refer to our [FAQ](/cloudflare-challenges/troubleshooting/frequently-asked-questions/). + +--- + +## Resolve a challenge + +If a visitor encounters a challenge, Cloudflare employees cannot remove that challenge. Only the website owner can configure their Cloudflare settings to stop the challenge being presented. + +When observing a Cloudflare Challenge page, a visitor could: + +- Successfully pass the challenge to visit the website. +- Request the website owner to allow their IP address. +- Scan their computer for malicious programs (it may be infected). +- Check their antivirus or firewall service to make sure it is not blocking access to the challenge resources (for example, images). + +:::note +Visitors must enable JavaScript and cookies on their browser to be able to pass any type of challenge. +::: + +--- + +## Challenge Passage + +When a visitor solves a [Cloudflare challenge](/cloudflare-challenges/) - as part of a [WAF custom rule](/waf/custom-rules/) or [IP Access rule](/waf/tools/ip-access-rules/) - you can set the **Challenge Passage** to prevent them from having to solve future challenges for a specified period of time. + +### How it works + +When a visitor successfully solves a challenge, Cloudflare sets a [`cf_clearance` cookie](/fundamentals/reference/policies-compliances/cloudflare-cookies/#additional-cookies-used-by-the-challenge-platform) in their browser. This cookie specifies the duration your website is accessible to that visitor. + +When that visitor tries to access other parts of your website, Cloudflare evaluates the cookie before presenting another challenge. If the cookie is still valid, no challenges will be shown. + +When Cloudflare evaluates a `cf_clearance` cookie, a few extra minutes are included to account for clock skew. For XmlHTTP requests, an extra hour is added to the validation time to prevent breaking XmlHTTP requests for pages that set short lifetimes. + +### Customize the Challenge Passage + +By default, the `cf_clearance` cookie has a lifetime of 30 minutes. Cloudflare recommends a setting between 15 and 45 minutes. + +To update the Challenge Passage (and the value of the `cf_clearance` cookie): + +1. Log into the [Cloudflare dashboard](https://dash.cloudflare.com). +2. Select your account and domain. +3. Go to **Security** > **Settings**. +4. For **Challenge Passage**, select a duration. + +### Limitations + +The Challenge Passage does not apply to challenges issued by WAF managed rules. Also, Challenge Passage does not apply to rate limiting rules unless the rate limit is configured to issue a challenge. + +--- + +## Additional configuration + +### Multi-language support + +Refer to [supported languages](/cloudflare-challenges/reference/supported-languages/) for more information. + +### Favicon customization + +Cloudflare challenges take the favicon of your website using `GET /favicon.ico` and displays it on the challenge page. + +You can customize your favicon by using the HTML snippet below. + +```html title="HTML element" + +``` \ No newline at end of file diff --git a/src/content/docs/cloudflare-challenges/challenge-types/index.mdx b/src/content/docs/cloudflare-challenges/challenge-types/index.mdx new file mode 100644 index 000000000000000..61848197b75f28f --- /dev/null +++ b/src/content/docs/cloudflare-challenges/challenge-types/index.mdx @@ -0,0 +1,12 @@ +--- +pcx_content_type: navigation +title: Challenge types +sidebar: + order: 3 + group: + hideIndex: true +--- + +import { DirectoryListing } from "~/components" + + \ No newline at end of file diff --git a/src/content/docs/cloudflare-challenges/challenge-types/javascript-detections.mdx b/src/content/docs/cloudflare-challenges/challenge-types/javascript-detections.mdx new file mode 100644 index 000000000000000..089a73e98fb21ac --- /dev/null +++ b/src/content/docs/cloudflare-challenges/challenge-types/javascript-detections.mdx @@ -0,0 +1,7 @@ +--- +pcx_content_type: concept +title: JavaScript detections +external_link: /bots/additional-configurations/javascript-detections/ +sidebar: + order: 2 +--- \ No newline at end of file diff --git a/src/content/docs/cloudflare-challenges/concepts/how-challenges-work.mdx b/src/content/docs/cloudflare-challenges/concepts/how-challenges-work.mdx new file mode 100644 index 000000000000000..b24d2ce9a8b5869 --- /dev/null +++ b/src/content/docs/cloudflare-challenges/concepts/how-challenges-work.mdx @@ -0,0 +1,54 @@ +--- +pcx_content_type: concept +title: How challenges work +sidebar: + order: 1 +--- + +Challenges can be issued in three primary ways depending on which Cloudflare products or features are in use. Each method is designed to balance security with seamless visitor experience. + +| Product | Challenge type(s) | +| --- | --- | +| [WAF](/waf/) ([custom rules](/waf/custom-rules/), [rate limiting rules](/waf/rate-limiting-rules/), [IP access rules](/waf/tools/ip-access-rules/)) | [Interstitial challenge page](#interstitial-challenge-pages) | +| [Bot Management](/bots/get-started/bot-management/) | [JavaScript detection](/bots/additional-configurations/javascript-detections/) | +| [Bot Fight Mode](/bots/get-started/bot-fight-mode/), [Super Bot Fight Mode](/bots/get-started/super-bot-fight-mode/) | [Interstitial challenge page](#interstitial-challenge-pages) | +| [Turnstile](/turnstile/) | Embedded widget | +| [HTTP DDoS attack protection](/ddos-protection/managed-rulesets/http/) | Any challenge | +| [Under Attack Mode](/fundamentals/reference/under-attack-mode/) | [Managed challenge](/cloudflare-challenges/challenge-types/challenge-pages/#managed-challenge-recommended) | + +### Turnstile + +[Turnstile](/turnstile/) is Cloudflare’s CAPTCHA-alternative solution. You can embed Turnstile as a widget on your site, where it runs a challenge directly in the visitor’s browser. + +Turnstile does not pause the request or interrupt the user’s experience. Instead, the widget runs a client-side challenge in the background. In most cases, nothing further is required from the visitor. When needed, Turnstile may display a simple checkbox that the visitor must click to proceed. + +After the challenge passes, Turnstile issues a token that you must validate using the [siteverify API](/turnstile/get-started/server-side-validation/) before completing a sensitive action like login, sign up, or other form submissions. + +### Interstitial challenge pages + +When a challenge is triggered by a rule in the [Web Application Firewall (WAF)](/waf/), [Bot Management](/bots/), or [Rate Limiting](/waf/rate-limiting-rules/), Cloudflare presents a full-page interstitial challenge page. The request is paused while Cloudflare evaluates the browser environment. In some cases, the visitor may be asked to check a box for further probing. + +If the challenge passes, the original request continues to your origin. If the challenge fails or cannot be completed, the visitor is presented with another interstitial challenge page. + +### JavaScript detection in Bot Management + +In Bot Management, [JavaScript detections](/bots/additional-configurations/javascript-detections/) run silently in the browser to validate that the visitor supports and executes standard browser JavaScript, and provides a lightweight and privacy-preserving way to distinguish between bots and real users without adding friction to the experience. + +:::note +If the check fails, the bot score is set to 1. +::: + +The script runs a short set of tasks and, if successful, sets a `cf_clearance` cookie indicating that the visitor passed the check. This is exposed as the `cf.bot_management.js_detection.passed` field that you can use in [WAF custom rules](/waf/custom-rules/) to take further action — such as issuing an interstitial challenge page. + +If a visitor was unable to run JavaScript detection, the `cf.bot_management.js_detection.passed` field is set to `False`. Cloudflare advises that you should never block a request based on this field unless you are certain that the visitor has run JavaScript detections. + +--- + +## Limitations + +Cloudflare challenges cannot support the following: + +- [Browser extensions](#browser-extensions) that modify the browser's `User-Agent` value or Web APIs such as `Canvas` and `WebGL`. +- Implementations where a domain serves a challenge page originally requested for another domain. +- Challenge pages cannot be embedded in cross-origin iframes. +- Client software where the solve request of a Managed Challenge comes from a different IP than the original IP a challenge request was issued to. For example, if you receive the challenge from one IP and solve it using another IP, the solve is not valid and you may encounter a challenge loop. \ No newline at end of file diff --git a/src/content/docs/cloudflare-challenges/concepts/index.mdx b/src/content/docs/cloudflare-challenges/concepts/index.mdx new file mode 100644 index 000000000000000..8f941ee199fa0c1 --- /dev/null +++ b/src/content/docs/cloudflare-challenges/concepts/index.mdx @@ -0,0 +1,9 @@ +--- +pcx_content_type: navigation +title: Concepts +sidebar: + order: 2 + label: About + group: + hideIndex: true +--- \ No newline at end of file diff --git a/src/content/docs/cloudflare-challenges/index.mdx b/src/content/docs/cloudflare-challenges/index.mdx new file mode 100644 index 000000000000000..0eb1492d0cc570d --- /dev/null +++ b/src/content/docs/cloudflare-challenges/index.mdx @@ -0,0 +1,40 @@ +--- +pcx_content_type: concept +title: Challenges +sidebar: + order: 1 +--- + +import { Render, Description, Plan, RelatedProduct } from "~/components"; + + +Challenges are security mechanisms used by Cloudflare to verify whether a visitor to your site is a real human and not a bot or automated script. + + + + +When a challenge is issued, Cloudflare asks the browser to perform a series of checks that help confirm the visitor’s legitimacy. This process involves evaluating client side signals or asking a visitor to take minimal action such as checking a box. Challenges are designed to protect your application without introducing unnecessary friction. Most visitors will pass challenges automatically without interaction. + +Cloudflare does not use CAPTCHA puzzles or visual tests like selecting objects or typing distorted characters. All challenge types are lightweight, privacy-preserving, and optimized for real-world traffic. + +--- + +## Related products + + + Use Cloudflare's smart CAPTCHA alternative to run less intrusive challenges. + + + + Cloudflare bot solutions identify and mitigate automated traffic to protect + your domain from bad bots. + + + + Get automatic protection from vulnerabilities and the flexibility to create + custom rules. + + + + Detect and mitigate Distributed Denial of Service (DDoS) attacks using Cloudflare's Autonomous Edge. + \ No newline at end of file diff --git a/src/content/docs/fundamentals/security/cloudflare-challenges/challenge-solve-rate.mdx b/src/content/docs/cloudflare-challenges/reference/challenge-solve-rate.mdx similarity index 78% rename from src/content/docs/fundamentals/security/cloudflare-challenges/challenge-solve-rate.mdx rename to src/content/docs/cloudflare-challenges/reference/challenge-solve-rate.mdx index c13dfe4657ebaf8..7cd631c99d697b9 100644 --- a/src/content/docs/fundamentals/security/cloudflare-challenges/challenge-solve-rate.mdx +++ b/src/content/docs/cloudflare-challenges/reference/challenge-solve-rate.mdx @@ -1,14 +1,13 @@ --- -pcx_content_type: concept +pcx_content_type: reference title: Challenge solve rate (CSR) sidebar: - order: 3 - + order: 1 --- import { Render } from "~/components" - + You can find the CSR of a rule by going to its corresponding dashboard page: diff --git a/src/content/docs/cloudflare-challenges/reference/index.mdx b/src/content/docs/cloudflare-challenges/reference/index.mdx new file mode 100644 index 000000000000000..4c4cd80f6e02121 --- /dev/null +++ b/src/content/docs/cloudflare-challenges/reference/index.mdx @@ -0,0 +1,12 @@ +--- +pcx_content_type: navigation +title: Reference +sidebar: + order: 4 + group: + hideIndex: true +--- + +import { DirectoryListing } from "~/components" + + \ No newline at end of file diff --git a/src/content/docs/cloudflare-challenges/reference/private-access-tokens.mdx b/src/content/docs/cloudflare-challenges/reference/private-access-tokens.mdx new file mode 100644 index 000000000000000..fd99a983675e539 --- /dev/null +++ b/src/content/docs/cloudflare-challenges/reference/private-access-tokens.mdx @@ -0,0 +1,12 @@ +--- +pcx_content_type: reference +title: Private Access Tokens (PAT) +sidebar: + order: 4 +--- + +When a user is presented with a challenge page, Cloudflare decides what challenges need to be solved to prove they are human using results from the Private Access Token (PAT). If a user presents a token, they will have an easier time solving the challenge. + +While some challenges are computationally complex or require interactivity, most of the challenges served are invisible to the user. + +The challenge page is an interstitial page and users will see it regardless of having a valid PAT or not. A PAT does not automatically solve a challenge. It prevents certain challenges from being issued. \ No newline at end of file diff --git a/src/content/docs/cloudflare-challenges/reference/supported-browsers.mdx b/src/content/docs/cloudflare-challenges/reference/supported-browsers.mdx new file mode 100644 index 000000000000000..c7d2f276031fa9c --- /dev/null +++ b/src/content/docs/cloudflare-challenges/reference/supported-browsers.mdx @@ -0,0 +1,63 @@ +--- +pcx_content_type: reference +title: Supported browsers +sidebar: + order: 2 +--- + +When your application sends a challenge, your visitors either receive a non-interactive or an interactive challenge page. + +Cloudflare Challenges are most compatible with major desktop and mobile browsers and applications. If your visitors are using an up-to-date version of a major browser, they will receive the challenge correctly. + +Officially supported browsers include: + +- Google Chrome (desktop and mobile) +- Firefox +- Safari (desktop and mobile) +- Microsoft Edge + + +:::caution +Challenges are not supported by Microsoft Internet Explorer. +::: + +:::note +Other browsers that are not listed above are supported on a best-effort basis. +::: + +If your visitors encounter issues using a major browser besides Internet Explorer, they should upgrade their browser. + +## Testing + +Cloudflare runs tests against the following browsers and its latest versions: + +- Chrome on Windows +- Safari on Mac OS +- Safari on iOS +- Microsoft Edge +- Android browser for Samsung + +Cloudflare runs webview specific tests against the following browsers: + +- Flutter +- Android webview + +Cloudflare runs tests to monitor the following browsers every few hours: + +- Latest versions of Chrome, Microsoft Edge, and Firefox +- Latest beta versions of Chrome, Microsoft Edge, and Firefox +- Latest versions of Safari for Mac OS +- Android browser for Samsung +- Safari on iOS + +## Limitations + +### Browser extensions + +If you have browser extensions, they might lead to unpassable challenge loops. To fix this issue, disable your extensions and reload the page. + +Refer to [Challenge solve issues](/cloudflare-challenges/troubleshooting/challenge-solve-issues/) for more troubleshooting information. + +### Mobile device emulation + +Challenges are not supported when device emulation is enabled on a browser, for example, using the browser's developer tools. \ No newline at end of file diff --git a/src/content/docs/cloudflare-challenges/reference/supported-languages.mdx b/src/content/docs/cloudflare-challenges/reference/supported-languages.mdx new file mode 100644 index 000000000000000..678dab2c576a4a3 --- /dev/null +++ b/src/content/docs/cloudflare-challenges/reference/supported-languages.mdx @@ -0,0 +1,36 @@ +--- +pcx_content_type: reference +title: Supported languages +sidebar: + order: 5 +--- + +## Multi-language support + +Cloudflare's challenges can detect multiple languages and display the localized challenge experience, which is determined by `navigator.language` value. The [Navigator.language read-only property](https://developer.mozilla.org/en-US/docs/Web/API/Navigator/language) returns a string representing the preferred language of the user, usually the language of the browser user interface. + +Refer to the table below for currently supported languages. + +| Language | Language code
(4 letters) | Language code
(2 letters) | +| -------------------------------- | ----------------------------- | ----------------------------- | +| Arabic (Egypt) | `ar-eg` | `ar` | +| Chinese (Simplified, China) | `zh-cn` | `zh` | +| Chinese (Traditional, Taiwan) | `zh-tw` | -- | +| Dutch (Netherlands) | `nl-nl` | `nl` | +| English (United States) | `en-us` | `en` | +| French (France) | `fr-fr` | `fr` | +| German (Germany) | `de-de` | `de` | +| Indonesian (Indonesia) | `id-id` | `id` | +| Italian (Italy) | `it-it` | `it` | +| Japanese (Japan) | `ja-jp` | `ja` | +| Korean (Korea) | `ko-kr` | `ko` | +| Persian | -- | `fa` +| Polish (Poland) | `pl-pl` | `pl` | +| Portuguese (Brazil) | `pt-br` | `pt` | +| Russian (Russia) | `ru-ru` | `ru` | +| Spanish (Spain) | `es-es` | `es` | +| Turkish (Turkey) | `tr-tr` | `tr` | + +### Turnstile language support + +For language support specific to Turnstile, refer to the [Turnstile documentation](/turnstile/reference/supported-languages/). \ No newline at end of file diff --git a/src/content/docs/fundamentals/security/cloudflare-challenges/challenge-solve-issues.mdx b/src/content/docs/cloudflare-challenges/troubleshooting/challenge-solve-issues.mdx similarity index 100% rename from src/content/docs/fundamentals/security/cloudflare-challenges/challenge-solve-issues.mdx rename to src/content/docs/cloudflare-challenges/troubleshooting/challenge-solve-issues.mdx diff --git a/src/content/docs/cloudflare-challenges/troubleshooting/frequently-asked-questions.mdx b/src/content/docs/cloudflare-challenges/troubleshooting/frequently-asked-questions.mdx new file mode 100644 index 000000000000000..b98746cf7fff1de --- /dev/null +++ b/src/content/docs/cloudflare-challenges/troubleshooting/frequently-asked-questions.mdx @@ -0,0 +1,117 @@ +--- +title: FAQ +pcx_content_type: faq +sidebar: + order: 2 +--- + +## Why am I being challenged on a Cloudflare-protected site? + +Cloudflare issues challenges to website visitors to protect against malicious activity such as bot attacks and DDoS attacks. Key reasons include: + +- **High threat score**: IP addresses with a high-risk score trigger challenges. +- **IP reputation**: If your IP has a history of suspicious activity, it may be flagged. +- **Bot detection**: Automated traffic resembling bots is filtered by Cloudflare. +- **Web Application Firewall (WAF) custom rules**: Site owners may set rules targeting specific regions or user agents. +- **Browser Integrity Check**: Cloudflare verifies that browsers meet certain standards. +- **Challenge Passage**: Technologies like Privacy Pass reduce the frequency of repeated challenges. + +To avoid repeated challenges, ensure your browser is up to date, disable any privacy tools that might block standard browser headers, or use a different network connection if your current one has a poor IP reputation. + +## How do I exclude certain requests from being blocked or challenged? + +In certain situations you want to enforce a blocking or challenging action but make an exception for specific types of requests. + +Cloudflare supports two methods of allowing requests using WAF custom rules: + +- Exclude a type of request from being blocked or challenged in a custom rule by updating the rule expression, for example adding an exclusion based on IP address, ASN, or country. +- Create a separate custom rule with a [_Skip_ action](/waf/custom-rules/skip/). This skip rule must appear before the rule with the block/challenge action in the rules list. + +The examples below illustrate a few possible approaches. + +**Example 1** + +Exclude multiple IP addresses from a blocking/challenging rule that assesses attack score. + +- Basic rule, no exclusion: + + - **Expression**: `(http.host eq "example.com" and cf.waf.score lt 20)` + - **Action**: Block (or a challenge action) + +- Rule that excludes IP addresses from being blocked/challenged: + + - **Expression**: `(http.host eq "example.com" and cf.waf.score lt 20) and not (ip.src in {192.0.2.1 198.51.100.42 203.0.113.0/24})` + - **Action**: Block (or a challenge action) + +- Two rules to skip remaining custom rules for specific IPs and block the rest. + + 1. Rule 1: + + - Expression: `ip.src in {192.0.2.1 198.51.100.42 203.0.113.0/24}` + - Action: Skip > All remaining custom rules + + 2. Rule 2: + + - Expression: `(http.host eq "example.com" and cf.waf.score lt 20)` + - Action: Block (or a challenge action) + +**Example 2** + +Block Amazon Web Services (AWS) and Google Cloud Platform (GCP) because of large volumes of undesired traffic, but allow Googlebot and other known bots that Cloudflare validates. + +- Basic rule, no exclusion: + + - **Expression**: `(ip.src.asnum in {16509 15169} and not cf.client.bot)` + - **Action**: Block (or a challenge action) + +- Rule that excludes IP addresses from being blocked/challenged: + + - **Expression**: `(ip.src.asnum in {16509 15169} and not cf.client.bot) and not (ip.src in {192.0.2.1 198.51.100.42 203.0.113.0/24})` + - **Action**: Block (or a challenge action) + +- Two rules to skip remaining custom rules for specific IPs and block the rest. + + 1. Rule 1: + + - Expression: `ip.src in {192.0.2.1 198.51.100.42 203.0.113.0/24}` + - Action: Skip > All remaining custom rules + + 2. Rule 2: + + - Expression: `(ip.src.asnum in {16509 15169} and not cf.client.bot)` + - Action: Block (or a challenge action) + +## Do the Challenge actions support content types other than HTML (for example, AJAX or XHR requests)? + +Previously, unless you customize your front-end application, any AJAX request that is challenged will fail because AJAX calls are not rendered in the DOM. + +Now, you can [opt-in to Turnstile’s Pre-Clearance cookies](/turnstile/concepts/pre-clearance-support/). This allows you to issue a challenge early in your web application flow and pre-clear users to interact with sensitive APIs. Clearance cookies issued by a Turnstile widget are automatically applied to the Cloudflare zone that the Turnstile widget is embedded on, with no configuration necessary. The duration of the clearance cookie’s validity is controlled by the zone-specific configurable [Challenge Passage](/cloudflare-challenges/challenge-types/challenge-pages/#challenge-passage) security setting. + +## Why would I not find any failed challenges? + +Users do not complete all challenges. Cloudflare issues challenges that are never answered — only 2-3% of all served challenges are usually answered. + +There are multiple reasons for this: + +- Users give up on a challenge. +- Users try to solve a challenge but cannot provide an answer. +- Users keep refreshing the challenge, but never submit an answer. +- Cloudflare receives a malformed challenge answer. + +You can calculated the number of failed challenges as follows: `number of challenges issued - number of challenges solved`. + +## Why do I have matches for a firewall rule that was not supposed to match the request? + +Make sure you are looking at the correct request. + +Only requests that triggered a challenge will match the request parameters of the rule. Subsequent requests with a `[js]challengeSolved` action may not match the parameters of the rule — for example, the bot score may have changed because the user solved a challenge. + +The "solved" action is an informative action about a previous request that matched a rule. This action states that "previously a rule had matched a request with the action set to _Interactive Challenge_ or _JS Challenge_ and now that challenge was answered." + +## Are custom Content Security Policies (CSP) or custom error pages supported? + +You cannot set your own Content Security Policy (CSP) and/or Referer-Policy via meta tags or [Transform Rules](/rules/transform/) in challenge pages. + +Origin headers also cannot be modified for challenge pages. + +If you are setting any of these headers using Transform Rules for your entire website, you must prefix the rule with `not (starts_with(http.request.uri.path, "/cdn-cgi/challenge-platform/") or cf.response.error_type in {"managed_challenge" "iuam" "legacy_challenge" "country_challenge"})` in the rule expression to avoid issues with challenges. \ No newline at end of file diff --git a/src/content/docs/cloudflare-challenges/troubleshooting/index.mdx b/src/content/docs/cloudflare-challenges/troubleshooting/index.mdx new file mode 100644 index 000000000000000..0cbac9c0ab83d97 --- /dev/null +++ b/src/content/docs/cloudflare-challenges/troubleshooting/index.mdx @@ -0,0 +1,30 @@ +--- +pcx_content_type: troubleshooting +title: Troubleshooting +sidebar: + order: 5 + label: Common issues +--- + +import { Render } from "~/components" + +## Common issues + +### Proxied hostnames + + + + +### Deprecated browser support + +Challenges are not supported by Microsoft Internet Explorer. If you are currently using Internet Explorer, try using another modern web browser (Chrome, Safari, Firefox). If you are already using a modern web browser, make sure it is using the latest version. + +### Referer header + +When a request is sent with a referer header, the user will receive a challenge page as a response. Upon solving the challenge page, the request with the referer is sent to the origin, and the response to the request is served to the user. The JavaScript on the response page may read the value of `document.referer`, but it will be inaccurate. This affects tools such as Google Analytics, which reads the referer from JavaScript. + +You can add tracking scripts to challenge pages to capture the correct referer header on the initial request. + +### Cross-origin resource sharing (CORS) preflight requests + +Cross-origin resource sharing (CORS) preflight requests, or `OPTIONS`, exclude user credentials that include cookies. As a result, the `cf_clearance` cookie will not be sent with the request, causing it to fail to bypass a challenge page (non-interactive, managed, or interactive challenge). \ No newline at end of file diff --git a/src/content/docs/ddos-protection/managed-rulesets/adaptive-protection.mdx b/src/content/docs/ddos-protection/managed-rulesets/adaptive-protection.mdx index ef59ef0957d44cf..71c419828443969 100644 --- a/src/content/docs/ddos-protection/managed-rulesets/adaptive-protection.mdx +++ b/src/content/docs/ddos-protection/managed-rulesets/adaptive-protection.mdx @@ -78,7 +78,7 @@ You may not see any traffic matching the adaptive rules. This can be because the If you do see traffic that was _Logged_ by the adaptive rules, use the dashboard to determine if the traffic matches the characteristics of legitimate users or that of attack traffic. As each Internet property is unique, understanding if the traffic is legitimate requires your understanding of how your legitimate traffic looks. For example, the user agent, source country, headers, query string for HTTP requests, and protocols and ports for L3/4 traffic. -- In cases where you are certain that the rule is only flagging attack traffic, you should consider creating an override and enabling that rule with a [Managed Challenge](/fundamentals/security/cloudflare-challenges/#managed-challenge-recommended) or `Block` action. +- In cases where you are certain that the rule is only flagging attack traffic, you should consider creating an override and enabling that rule with a [Managed Challenge](/cloudflare-challenges/challenge-types/challenge-pages/#managed-challenge-recommended) or `Block` action. - In cases where you see legitimate traffic being flagged, you should lower the sensitivity level of the rule and observe the flagged traffic. You can continue reducing the sensitivity level until you reach a point where legitimate traffic is not flagged. Then, you should create an override to enable the rule with a mitigation action. - If the rule is still flagging legitimate traffic you can consider using the expression filters to condition the rules to exclude certain types of traffic. diff --git a/src/content/docs/ddos-protection/managed-rulesets/http/override-parameters.mdx b/src/content/docs/ddos-protection/managed-rulesets/http/override-parameters.mdx index 51b68755cb21b27..226bd167437298f 100644 --- a/src/content/docs/ddos-protection/managed-rulesets/http/override-parameters.mdx +++ b/src/content/docs/ddos-protection/managed-rulesets/http/override-parameters.mdx @@ -30,7 +30,7 @@ The action that will be performed for requests that match specific rules of Clou - **Managed Challenge** - API value: `"managed_challenge"`. - - [Managed Challenges](/fundamentals/security/cloudflare-challenges/#managed-challenge-recommended) help reduce the lifetimes of human time spent solving Captchas across the Internet. Depending on the characteristics of a request, Cloudflare will dynamically choose the appropriate type of challenge based on specific criteria. + - [Managed Challenges](/cloudflare-challenges/challenge-types/challenge-pages/#managed-challenge-recommended) help reduce the lifetimes of human time spent solving Captchas across the Internet. Depending on the characteristics of a request, Cloudflare will dynamically choose the appropriate type of challenge based on specific criteria. - **Interactive Challenge** - API value: `"challenge"`. diff --git a/src/content/docs/fundamentals/reference/under-attack-mode.mdx b/src/content/docs/fundamentals/reference/under-attack-mode.mdx index db9005e86bfb5a2..21ebd2eecfc8ba1 100644 --- a/src/content/docs/fundamentals/reference/under-attack-mode.mdx +++ b/src/content/docs/fundamentals/reference/under-attack-mode.mdx @@ -58,7 +58,7 @@ To preview what Under Attack mode looks like for your visitors: 4. Go to **Custom Pages**. 5. For **Managed Challenge / I'm Under Attack Mode™**, select **Custom Pages** > **View default**. -The `Checking your browser before accessing...` challenge determines whether to block or allow a visitor within five seconds. After passing the challenge, the visitor does not observe another challenge until the duration configured in [Challenge Passage](/fundamentals/security/cloudflare-challenges/challenge-passage/). +The `Checking your browser before accessing...` challenge determines whether to block or allow a visitor within five seconds. After passing the challenge, the visitor does not observe another challenge until the duration configured in [Challenge Passage](/cloudflare-challenges/challenge-types/challenge-pages/#challenge-passage). --- diff --git a/src/content/docs/fundamentals/security/cloudflare-challenges/challenge-passage.mdx b/src/content/docs/fundamentals/security/cloudflare-challenges/challenge-passage.mdx deleted file mode 100644 index bf57b9b0f622cf5..000000000000000 --- a/src/content/docs/fundamentals/security/cloudflare-challenges/challenge-passage.mdx +++ /dev/null @@ -1,31 +0,0 @@ ---- -pcx_content_type: reference -title: Challenge Passage -sidebar: - order: 2 ---- - -When a visitor solves a [Cloudflare challenge](/fundamentals/security/cloudflare-challenges/) - as part of a [WAF custom rule](/waf/custom-rules/) or [IP Access rule](/waf/tools/ip-access-rules/) - you can set the **Challenge Passage** to prevent them from having to solve future challenges for a specified period of time. - -## How it works - -When a visitor successfully solves a challenge, Cloudflare sets a [`cf_clearance` cookie](/fundamentals/reference/policies-compliances/cloudflare-cookies/#additional-cookies-used-by-the-challenge-platform) in their browser. This cookie specifies the duration your website is accessible to that visitor. - -When that visitor tries to access other parts of your website, Cloudflare evaluates the cookie before presenting another challenge. If the cookie is still valid, no challenges will be shown. - -When Cloudflare evaluates a `cf_clearance` cookie, a few extra minutes are included to account for clock skew. For XmlHTTP requests, an extra hour is added to the validation time to prevent breaking XmlHTTP requests for pages that set short lifetimes. - -## Customize the Challenge Passage - -By default, the `cf_clearance` cookie has a lifetime of 30 minutes. Cloudflare recommends a setting between 15 and 45 minutes. - -To update the Challenge Passage (and the value of the `cf_clearance` cookie): - -1. Log into the [Cloudflare dashboard](https://dash.cloudflare.com). -2. Select your account and domain. -3. Go to **Security** > **Settings**. -4. For **Challenge Passage**, select a duration. - -## Limitations - -The Challenge Passage does not apply to challenges issued by WAF managed rules. Also, Challenge Passage does not apply to rate limiting rules unless the rate limit is configured to issue a challenge. diff --git a/src/content/docs/fundamentals/security/cloudflare-challenges/index.mdx b/src/content/docs/fundamentals/security/cloudflare-challenges/index.mdx deleted file mode 100644 index 1a45050f6f76740..000000000000000 --- a/src/content/docs/fundamentals/security/cloudflare-challenges/index.mdx +++ /dev/null @@ -1,204 +0,0 @@ ---- -pcx_content_type: concept -title: Challenges -sidebar: - order: 3 ---- - -import { Render } from "~/components"; - -When a website is protected by Cloudflare, there are several occasions when it will challenge visitor traffic: - -- The visitor's IP address has shown suspicious behavior online (as tracked by [Project Honeypot](http://www.projecthoneypot.org/search_ip.php)). -- The website owner has blocked the country associated with the visitor's IP address. -- The visitor's actions have activated a [WAF custom rule](/waf/custom-rules/) enabled by the website owner. - -If the visitor passes the challenge, their request is allowed. If they fail, the request will be blocked. - ---- - -## Available challenges - -### Managed challenge (recommended) - -Managed challenges are where Cloudflare dynamically chooses the appropriate type of challenge based on the characteristics of a request. This helps avoid [CAPTCHAs](https://www.cloudflare.com/learning/bots/how-captchas-work/), which also reduces the lifetimes of human time spent solving CAPTCHAs across the Internet. - -Unless there are specific compatibility issues or other reasons to use other types of challenges, you should use managed challenges for your various custom rules. - -Depending on the characteristics of a request, Cloudflare will choose an appropriate type of challenge, which may include but is not limited to: - -- A non-interactive challenge page (similar to the current [JS Challenge](#javascript-js-challenge)). -- A custom interactive challenge (such as click a button). -- [Private Access Tokens](#private-access-tokens) (using recent Apple operating systems). - - - -#### Available products - -Currently, **Managed Challenge** actions are available in the following security products: - -- [WAF custom rules](/waf/custom-rules/) -- [Rate limiting rules](/waf/rate-limiting-rules/) -- [WAF Managed Rules](/waf/managed-rules/) -- [Bot Fight Mode](/bots/get-started/bot-fight-mode/): You may also see Security Events with an **Action taken** of **Managed Challenge** due to [Cloudflare bot products](/bots/troubleshooting/#why-am-i-seeing-a-managed-challenge-action-for-waf-rules). -- [HTTP DDoS Attack Protection](/ddos-protection/managed-rulesets/http/) -- [IP Access Rules](/waf/tools/ip-access-rules/) -- [User Agent Blocking](/waf/tools/user-agent-blocking/) -- [Firewall rules](/firewall/) (deprecated) -- [Rate Limiting (previous version, deprecated)](/waf/reference/legacy/old-rate-limiting/) -- [Turnstile](/turnstile/concepts/widget/#managed-recommended) - -### JavaScript (JS) challenge - -With a JavaScript (JS) challenge, Cloudflare presents challenge page that requires no interaction from a visitor, but rather JavaScript processing by their browser. - -The visitor will have to wait until their browser finishes processing the JavaScript, which should be less than five seconds. - -### Interactive challenge - -Interactive challenges require a visitor to interact with the challenge page, presenting the visitor with an interactive challenge to solve. Cloudflare does not recommend using interactive challenges. - -For more on why Cloudflare does not recommend using Interactive Challenge, in favor of Managed Challenge, refer to our [blog](https://blog.cloudflare.com/end-cloudflare-captcha/). - ---- - -## Browser support - -When your application sends a challenge, your visitors either receive a non-interactive or an interactive challenge page. - -### Supported browsers - -If your visitors are using an up-to-date version of a major browser — such as Chrome, Firefox, Safari, Microsoft Edge, Chrome and Safari on mobile — they will receive the challenge correctly. - -Challenges are not supported by Microsoft Internet Explorer. - -If your visitors encounter issues using a major browser besides Internet Explorer, they should upgrade their browser. - -### Browser extensions - -If you have browser extensions, they might lead to unpassable challenge loops. To fix, disable your extensions and reload the page. - -### Mobile device emulation - -Challenges are not supported when device emulation is enabled on a browser, for example, using the browser's developer tools. - ---- - -## Resolve a challenge - -If a visitor encounters a challenge, Cloudflare employees cannot remove that challenge. Only the website owner can configure their Cloudflare settings to stop the challenge being presented. - -When observing a Cloudflare Challenge page, a visitor could: - -- Successfully pass the challenge to visit the website. -- Request the website owner to allow their IP address. -- Scan their computer for malicious programs (it may be infected). -- Check their antivirus or firewall service to make sure it is not blocking access to the challenge resources (for example, images). - -:::note -Visitors must enable JavaScript and cookies on their browser to be able to pass any type of challenge. -::: - ---- - -## Detecting a challenge page response - -When a request encounters a Cloudflare challenge page instead of the originally anticipated response, the challenge page response (regardless of the challenge page type) will have the `cf-mitigated` header present and set to `challenge`. This header can be leveraged to detect if a response was challenged when making fetch/XHR requests. This header provides a reliable way to identify whether a response is a challenge or not, enabling a web application to take appropriate action based on the result. For example, a front-end application encountering a response from the backend may check the presence of this header value to handle cases where challenge pages encountered unexpectedly. - -:::note -Regardless of the requested resource-type, the content-type of a challenge will be `text/html`. -::: - -For the `cf-mitigated` header, `challenge` is the only valid value. The header is set for all challenge page types. - -To illustrate, here is a JavaScript code snippet that demonstrates how to use the `cf-mitigated` header to detect whether a response was challenged: - -```js -fetch("/my-api-endpoint").then((response) => { - if (response.headers.get("cf-mitigated") === "challenge") { - // Handle challenged response - } else { - // Process response as usual - } -}); -``` - -For additional help, refer to [our FAQ for Challenges](/waf/troubleshooting/faq/#challenges). - ---- - -## Private Access Tokens - -When a user is presented with a challenge page, Cloudflare decides what challenges need to be solved to prove they are human. While some challenges are computationally complex or require interactivity, most of the challenges served are invisible to the user. - -Cloudflare uses results from the Private Access Token (PAT) to decide what challenges users will see next. If a user presents a token, they will have an easier time solving the challenge. - -The challenge page is an interstitial page and users will see it regardless of having a valid PAT or not. A PAT does not automatically solve a challenge. It prevents certain challenges from being issued. - ---- - -## Proxied hostnames - - - - ---- - -## Multi-language support - -Cloudflare Challenge Platform can detect multiple languages and display the localized challenge experience, which is determined by `navigator.language` value. The [Navigator.language read-only property](https://developer.mozilla.org/en-US/docs/Web/API/Navigator/language) returns a string representing the preferred language of the user, usually the language of the browser user interface. The supported languages are currently English, Arabic, Chinese (Simplified), Chinese (Traditional), Dutch, French, German, Indonesian, Italian, Japanese, Korean, Persian/Farsi, Polish, Portuguese, Russian, Spanish, Turkish. - ---- - -## Favicon customization - -Cloudflare challenges take the favicon of your website using `GET /favicon.ico` and displays it on the challenge page. - -You can customize your favicon by using the HTML snippet below. - -```html title="HTML element" - -``` - ---- - -## Caveats for Transform Rules and custom error pages - -You cannot set your own Content Security Policy (CSP) and/or Referer-Policy via meta tags or [Transform Rules](/rules/transform/) in challenge pages. - -Origin headers also cannot be modified for challenge pages. - -If you are setting any of these headers using Transform Rules for your entire website, you must prefix the rule with `not (starts_with(http.request.uri.path, "/cdn-cgi/challenge-platform/") or cf.response.error_type in {"managed_challenge" "iuam" "legacy_challenge" "country_challenge"})` in the rule expression to avoid issues with challenges. - ---- - -## Common issues - -### Deprecated browser support - -Challenges are not supported by Microsoft Internet Explorer. If you are currently using Internet Explorer, try using another modern web browser (Chrome, Safari, Firefox). If you are already using a modern web browser, make sure it is using the latest version. - -### Referer header - -When a request is sent with a referer header, the user will receive a challenge page as a response. Upon solving the challenge page, the request with the referer is sent to the origin, and the response to the request is served to the user. The JavaScript on the response page may read the value of `document.referer`, but it will be inaccurate. This affects tools such as Google Analytics, which reads the referer from JavaScript. - -You can add tracking scripts to challenge pages to capture the correct referer header on the initial request. - -### Cross-origin resource sharing (CORS) preflight requests - -Cross-origin resource sharing (CORS) preflight requests, or `OPTIONS`, exclude user credentials that include cookies. As a result, the `cf_clearance` cookie will not be sent with the request, causing it to fail to bypass a challenge page (non-interactive, managed, or interactive challenge). - ---- - -## Limitations - -Cloudflare challenges cannot support the following: - -- [Browser extensions](#browser-extensions) that modify the browser's `User-Agent` value or Web APIs such as `Canvas` and `WebGL`. -- Implementations where a domain serves a challenge page originally requested for another domain. -- Challenge pages cannot be embedded in cross-origin iframes. -- Client software where the solve request of a Managed Challenge comes from a different IP than the original IP a challenge request was issued to. For example, if you receive the challenge from one IP and solve it using another IP, the solve is not valid and you may encounter a challenge loop. diff --git a/src/content/docs/fundamentals/trace-request/how-to.mdx b/src/content/docs/fundamentals/trace-request/how-to.mdx index ce0056470f03472..034c7ac0f83bca4 100644 --- a/src/content/docs/fundamentals/trace-request/how-to.mdx +++ b/src/content/docs/fundamentals/trace-request/how-to.mdx @@ -36,7 +36,7 @@ import { GlossaryTooltip } from "~/components"; - **Geolocation** (request source [country](/ruleset-engine/rules-language/fields/reference/ip.src.country/), [region](/ruleset-engine/rules-language/fields/reference/ip.src.region/), and [city](/ruleset-engine/rules-language/fields/reference/ip.src.city/)) - [**Bot Score**](/bots/concepts/bot-score/) - **Request Body** (for `POST`, `PUT`, and `PATCH` requests) - - **Skip Challenge** (skips a Cloudflare-issued [challenge](/fundamentals/security/cloudflare-challenges/), if any, allowing the trace to continue) + - **Skip Challenge** (skips a Cloudflare-issued [challenge](/cloudflare-challenges/), if any, allowing the trace to continue) 5. Select **Send Trace**. diff --git a/src/content/docs/learning-paths/application-security/rate-limiting/configurations.mdx b/src/content/docs/learning-paths/application-security/rate-limiting/configurations.mdx index a81a412fdaf3d6f..42a5f4c749957ac 100644 --- a/src/content/docs/learning-paths/application-security/rate-limiting/configurations.mdx +++ b/src/content/docs/learning-paths/application-security/rate-limiting/configurations.mdx @@ -26,7 +26,7 @@ The rule below is being created on the `enterprise` plan, so we are no longer li * The rule will also limit the number of requests to `/create-account`, but will only trigger against `POST` requests. In the basic example, even requests with the `GET` method will increment the counter. * Requests that do not have a [client certificate (mTLS)](/ssl/client-certificates/), will increment the counter. * Requests will be counted using the [IP with NAT support](/waf/rate-limiting-rules/parameters/#use-cases-of-ip-with-nat-support) characteristic. -* Within a 1 minute period, for each counted entity, if the number of requests exceeds 10, then the user will be presented with a [`Managed Challenge`](/fundamentals/security/cloudflare-challenges/#managed-challenge-recommended) for a custom duration of 1 day. +* Within a 1 minute period, for each counted entity, if the number of requests exceeds 10, then the user will be presented with a [Managed Challenge](/cloudflare-challenges/challenge-types/challenge-pages/#managed-challenge-recommended) for a custom duration of 1 day. ![rate-limiting-advanced-config-1](~/assets/images/waf/rate-limiting-rules/rl-advanced-config.png) diff --git a/src/content/docs/radar/investigate/application-layer-attacks.mdx b/src/content/docs/radar/investigate/application-layer-attacks.mdx index 937aa1bd58c1262..0f5caf0bca09789 100644 --- a/src/content/docs/radar/investigate/application-layer-attacks.mdx +++ b/src/content/docs/radar/investigate/application-layer-attacks.mdx @@ -10,7 +10,7 @@ While in [HTTP requests](/radar/investigate/http-requests) you can examine all k :::note[Mitigated traffic] -Mitigated traffic is any HTTP request from an end-user that has a terminating action applied by the Cloudflare platform. These include actions like `BLOCK` or [challenges](/fundamentals/security/cloudflare-challenges/). +Mitigated traffic is any HTTP request from an end-user that has a terminating action applied by the Cloudflare platform. These include actions like `BLOCK` or [challenges](/cloudflare-challenges/). ::: Since we are examining attacks, we can inspect both sides of an attack — both the source location and the target location of the attack. For the source of the attack Cloudflare uses the location the attack is coming from associated with the IP (note that the human orchestrator of the attack may be in a different location than the computer the attack is originating from). For the target location of the attacks, Cloudflare uses the billing location associated with the zone under attack. diff --git a/src/content/docs/reference-architecture/architectures/security.mdx b/src/content/docs/reference-architecture/architectures/security.mdx index d0aead6a197a7a7..9ddcd5ab8eb1652 100644 --- a/src/content/docs/reference-architecture/architectures/security.mdx +++ b/src/content/docs/reference-architecture/architectures/security.mdx @@ -408,7 +408,7 @@ Customers can enable a positive security model using mTLS, JWT validation, and s ![Bot management can filter good and bad bots.](~/assets/images/reference-architecture/security/security-ref-arch-12.svg) -Additionally, Cloudflare can take the action of challenging clients if it suspects undesired bot activity. Cloudflare offers its [Managed Challenge](/fundamentals/security/cloudflare-challenges/) platform where the appropriate type of challenge is dynamically chosen based on the characteristics of a request. This helps avoid CAPTCHAs, which result in a poor customer experience. +Additionally, Cloudflare can take the action of challenging clients if it suspects undesired bot activity. Cloudflare offers its [challenge](/cloudflare-challenges/) platform where the appropriate type of challenge is dynamically chosen based on the characteristics of a request. This helps avoid CAPTCHAs, which result in a poor customer experience. Depending on the characteristics of a request, Cloudflare will choose an appropriate type of challenge, which may include but is not limited to: diff --git a/src/content/docs/rules/custom-errors/edit-error-pages.mdx b/src/content/docs/rules/custom-errors/edit-error-pages.mdx index d63d2cc3dc9741f..fcdb46f4d171fbc 100644 --- a/src/content/docs/rules/custom-errors/edit-error-pages.mdx +++ b/src/content/docs/rules/custom-errors/edit-error-pages.mdx @@ -18,7 +18,7 @@ To display a custom page for each error, create a separate page per error. For e :::note[Notes] - Your custom error page should include a page-specific custom error token if applicable and cannot exceed 1.5 MB. Also, it must include HTML `` and `` tags. -- Make sure that the `referrer` meta tag is not present in your custom error page's HTML code since it will disrupt [Cloudflare challenges](/fundamentals/security/cloudflare-challenges/): `` +- Make sure that the `referrer` meta tag is not present in your custom error page's HTML code since it will disrupt [Cloudflare challenges](/cloudflare-challenges/): `` ::: diff --git a/src/content/docs/rules/custom-errors/index.mdx b/src/content/docs/rules/custom-errors/index.mdx index 68bb2811ba20b91..64d935a961aba1b 100644 --- a/src/content/docs/rules/custom-errors/index.mdx +++ b/src/content/docs/rules/custom-errors/index.mdx @@ -10,7 +10,7 @@ head: import { FeatureTable, Render } from "~/components"; -Use Custom Errors to return custom content to your website visitors in case of HTTP errors returned by an origin server or by a Cloudflare product (including Workers), or when showing a [security challenge](/fundamentals/security/cloudflare-challenges/). +Use Custom Errors to return custom content to your website visitors in case of HTTP errors returned by an origin server or by a Cloudflare product (including Workers), or when showing a [security challenge](/cloudflare-challenges/). You can configure custom error content using the following methods: diff --git a/src/content/docs/rules/custom-errors/reference/parameters.mdx b/src/content/docs/rules/custom-errors/reference/parameters.mdx index 5c662375bb870db..c62b378cc7ea4e4 100644 --- a/src/content/docs/rules/custom-errors/reference/parameters.mdx +++ b/src/content/docs/rules/custom-errors/reference/parameters.mdx @@ -61,7 +61,7 @@ When using the API you must also set the `content_type` parameter, which defines :::caution -If you create an HTML error response, make sure the `referrer` meta tag is not present in the HTML code since it will disrupt [Cloudflare challenges](/fundamentals/security/cloudflare-challenges/): +If you create an HTML error response, make sure the `referrer` meta tag is not present in the HTML code since it will disrupt [Cloudflare challenges](/cloudflare-challenges/): ```html diff --git a/src/content/docs/rules/custom-errors/troubleshooting.mdx b/src/content/docs/rules/custom-errors/troubleshooting.mdx index 52bb9ac85d0ca03..f4c3c5a3bb917ad 100644 --- a/src/content/docs/rules/custom-errors/troubleshooting.mdx +++ b/src/content/docs/rules/custom-errors/troubleshooting.mdx @@ -46,4 +46,4 @@ Make sure that you are serving the custom error page with an `HTTP 200` status c ## More resources - [HTTP Status Codes](/support/troubleshooting/http-status-codes/) -- [Challenges](/fundamentals/security/cloudflare-challenges/) +- [Challenges](/cloudflare-challenges/) diff --git a/src/content/docs/rules/reference/troubleshooting.mdx b/src/content/docs/rules/reference/troubleshooting.mdx index 217303e4965d5d6..4d4047e1abea926 100644 --- a/src/content/docs/rules/reference/troubleshooting.mdx +++ b/src/content/docs/rules/reference/troubleshooting.mdx @@ -19,7 +19,7 @@ You may also want to exclude the `/.well-known/*` URL path used by several valid ## Interaction between Cloudflare challenges and Rules features -If you are issuing a [challenge](/fundamentals/security/cloudflare-challenges/) for a given URI path that has one or more Rules features enabled, you should exclude URI paths starting with `/cdn-cgi/challenge-platform/` in your rule expressions to avoid challenge loops. +If you are issuing a [challenge](/cloudflare-challenges/) for a given URI path that has one or more Rules features enabled, you should exclude URI paths starting with `/cdn-cgi/challenge-platform/` in your rule expressions to avoid challenge loops. For example, define a compound expression for your rule using the `and` operator and the [`starts_with()`](/ruleset-engine/rules-language/functions/#starts_with) function: diff --git a/src/content/docs/security/settings.mdx b/src/content/docs/security/settings.mdx index 6dbb2a7b9539e71..3726f7d8317610e 100644 --- a/src/content/docs/security/settings.mdx +++ b/src/content/docs/security/settings.mdx @@ -100,16 +100,16 @@ This section allows you to configure multiple security-related settings. The fol | [Custom username and password location](/waf/detections/leaked-credentials/#custom-detection-locations) | **Security** > **Settings** | | [Custom content location](/waf/detections/malicious-uploads/#custom-scan-expressions) | **Security** > **Settings** | | [Custom sensitive data deployment](/waf/managed-rules/reference/sensitive-data-detection/#configure-in-the-dashboard) | **Security** > **Sensitive Data** | -| [Block definitely automated traffic](/bots/get-started/super-bot-fight-mode/) | **Security** > **Bots** > **Configure Super Bot Fight Mode
Security** > **Bots** > **Configure Bot Management** | -| [Block likely bots](/bots/get-started/super-bot-fight-mode/) | **Security** > **Bots** > **Configure Super Bot Fight Mode
Security** > **Bots** > **Configure Bot Management** | +| [Block definitely automated traffic](/bots/get-started/super-bot-fight-mode/) | **Security** > **Bots** > **Configure Super Bot Fight Mode
Security** > **Bots** > **Configure Bot Management** | +| [Block likely bots](/bots/get-started/super-bot-fight-mode/) | **Security** > **Bots** > **Configure Super Bot Fight Mode
Security** > **Bots** > **Configure Bot Management** | | [Managed `robots.txt`](/bots/additional-configurations/managed-robots-txt/) | **Security** > **Bots** > **Configure Bot Fight Mode
Security** > **Bots** > **Configure Super Bot Fight Mode
Security** > **Bots** > **Configure Bot Management** | -| [Allow verified bots](/bots/get-started/super-bot-fight-mode/) | **Security** > **Bots** > **Configure Super Bot Fight Mode
Security** > **Bots** > **Configure Bot Management** | +| [Allow verified bots](/bots/get-started/super-bot-fight-mode/) | **Security** > **Bots** > **Configure Super Bot Fight Mode
Security** > **Bots** > **Configure Bot Management** | | [Static resource protection](/bots/additional-configurations/static-resources/) | **Security** > **Bots** > **Configure Super Bot Fight Mode
Security** > **Bots** > **Configure Bot Management** | | [Optimize for WordPress](/bots/troubleshooting/wordpress-loopback-issue/) | **Security** > **Bots** > **Configure Super Bot Fight Mode
Security** > **Bots** > **Configure Bot Management** | | [JavaScript detections](/bots/additional-configurations/javascript-detections/) | **Security** > **Bots** > **Configure Super Bot Fight Mode
Security** > **Bots** > **Configure Bot Management** | | [Auto-update machine learning model](/bots/reference/machine-learning-models/) | **Security** > **Bots** > **Configure Bot Management** | | [Enable Security.txt](/security-center/infrastructure/security-file/) | **Security** > **Settings** | -| [Challenge Passage](/fundamentals/security/cloudflare-challenges/challenge-passage/) | **Security** > **Settings** | +| [Challenge Passage](/cloudflare-challenges/challenge-types/challenge-pages/#challenge-passage) | **Security** > **Settings** | | [Browser Integrity Check](/waf/tools/browser-integrity-check/) | **Security** > **Settings** | | [Replace insecure JavaScript libraries](/waf/tools/replace-insecure-js-libraries/) | **Security** > **Settings** | | [Security Level](/waf/tools/security-level/) | **Security** > **Settings** | diff --git a/src/content/docs/turnstile/concepts/pre-clearance-support.mdx b/src/content/docs/turnstile/concepts/pre-clearance-support.mdx index 7779f88fe1dd10a..2eb3642df073f68 100644 --- a/src/content/docs/turnstile/concepts/pre-clearance-support.mdx +++ b/src/content/docs/turnstile/concepts/pre-clearance-support.mdx @@ -34,7 +34,7 @@ Refer to the [blog post](https://blog.cloudflare.com/integrating-turnstile-with- ## Clearance cookie duration -Clearance cookies generated by the Turnstile widget will be valid for the time specified by the zone-level Challenge Passage value. To configure the Challenge Passage setting, refer to the [Fundamentals documentation](/fundamentals/security/cloudflare-challenges/challenge-passage/). +Clearance cookies generated by the Turnstile widget will be valid for the time specified by the zone-level Challenge Passage value. To configure the Challenge Passage setting, refer to the [Challenges documentation](/cloudflare-challenges/challenge-types/challenge-pages/#challenge-passage). ## Setup diff --git a/src/content/docs/turnstile/concepts/widget.mdx b/src/content/docs/turnstile/concepts/widget.mdx index 64b4acb14a1d5ae..4d9837e6c771bf7 100644 --- a/src/content/docs/turnstile/concepts/widget.mdx +++ b/src/content/docs/turnstile/concepts/widget.mdx @@ -104,4 +104,4 @@ The widget expires when a token was issued but the user did not solve the challe ![Unsupported browser](~/assets/images/turnstile/unsupported-browser.png) -Visitors with outdated browsers or unsupported browsers will encounter this widget state. Refer to [Supported browsers](/fundamentals/security/cloudflare-challenges/#browser-support) for more information regarding supported browsers. \ No newline at end of file +Visitors with outdated browsers or unsupported browsers will encounter this widget state. Refer to [Supported browsers](/cloudflare-challenges/#browser-support) for more information regarding supported browsers. \ No newline at end of file diff --git a/src/content/docs/turnstile/get-started/mobile-implementation.mdx b/src/content/docs/turnstile/get-started/mobile-implementation.mdx index e527ea2f6ac8db4..7c845f17b479087 100644 --- a/src/content/docs/turnstile/get-started/mobile-implementation.mdx +++ b/src/content/docs/turnstile/get-started/mobile-implementation.mdx @@ -40,7 +40,7 @@ When implementing Turnstile with WebViews, the user agent must stay consistent a ## Use clearance cookies -When using [clearance cookies](/turnstile/concepts/pre-clearance-support/) with Turnstile, make sure that it is executed in the same environment where the challenges will occur, including the same browser and device configuration. The `cf_clearance` cookie will be only accepted in the same configured domain for Turnstile widget with the corresponding zone. Domains configured with the Turnstile widget must match the Cloudflare zone that issues [challenges](/fundamentals/security/cloudflare-challenges/). +When using [clearance cookies](/turnstile/concepts/pre-clearance-support/) with Turnstile, make sure that it is executed in the same environment where the challenges will occur, including the same browser and device configuration. The `cf_clearance` cookie will be only accepted in the same configured domain for Turnstile widget with the corresponding zone. Domains configured with the Turnstile widget must match the Cloudflare zone that issues [challenges](/cloudflare-challenges/). If pre-clearance is done in a different environment, the clearance cookie may become invalid and lead to more issued challenges. diff --git a/src/content/docs/turnstile/get-started/supported-browsers.mdx b/src/content/docs/turnstile/get-started/supported-browsers.mdx index 5149527519afefa..c3409059494964a 100644 --- a/src/content/docs/turnstile/get-started/supported-browsers.mdx +++ b/src/content/docs/turnstile/get-started/supported-browsers.mdx @@ -1,7 +1,7 @@ --- pcx_content_type: concept title: Supported browsers -external_link: /fundamentals/security/cloudflare-challenges/#browser-support +external_link: /cloudflare-challenges/reference/supported-browsers/ sidebar: order: 5 diff --git a/src/content/docs/turnstile/index.mdx b/src/content/docs/turnstile/index.mdx index a9b19a4ae52ce51..d07cdb4bde3808e 100644 --- a/src/content/docs/turnstile/index.mdx +++ b/src/content/docs/turnstile/index.mdx @@ -77,7 +77,7 @@ Refer to [Cloudflare Turnstile's product page](https://www.cloudflare.com/produc ## Features - Assess the number of challenges issued, evaluate the [challenge solve rate](/fundamentals/security/cloudflare-challenges/challenge-solve-rate/), and + Assess the number of challenges issued, evaluate the [challenge solve rate](/cloudflare-challenges/reference/challenge-solve-rate/), and view the metrics of issued challenges. diff --git a/src/content/docs/turnstile/troubleshooting/client-side-errors/error-codes.mdx b/src/content/docs/turnstile/troubleshooting/client-side-errors/error-codes.mdx index 05694b779f7c447..9b8ea784790e66e 100644 --- a/src/content/docs/turnstile/troubleshooting/client-side-errors/error-codes.mdx +++ b/src/content/docs/turnstile/troubleshooting/client-side-errors/error-codes.mdx @@ -25,7 +25,7 @@ When an error code is marked with `***`, it means that the remaining numbers can | `110200` | Unknown domain: Domain not allowed. | No | Turnstile was used on a domain that was not allowed for this widget to be used on. Ensure that the domain is allowed in the widget configuration via the [Cloudflare dashboard](https://dash.cloudflare.com/). | | `110420` | Invalid action: This error occurs when an unsupported or incorrectly formatted action is submitted. | No | Ensure that the action conforms to the specified structure and contains only valid characters and adheres to the documented length limitations. Refer to [client-side configurations](/turnstile/get-started/client-side-rendering/#configurations) for more information. | | `110430` | Invalid cData: This error in Turnstile refers to an issue encountered when processing Custom Data (cData). This error occurs when the cData provided does not adhere to the expected format or contains invalid characters. | No | Ensure that the cData conforms to the specified structure and contains only valid characters and adheres to the documented length limitations. Refer to [client-side configurations](/turnstile/get-started/client-side-rendering/#configurations) for more information. | -| `110500` | Unsupported browser: The visitor is using an unsupported browser. | No | Encourage the visitor to upgrade their browser or verify otherwise. Refer to [Supported browsers](/fundamentals/security/cloudflare-challenges/#browser-support) for more information. | +| `110500` | Unsupported browser: The visitor is using an unsupported browser. | No | Encourage the visitor to upgrade their browser or verify otherwise. Refer to [Supported browsers](/cloudflare-challenges/reference/supported-browsers/) for more information. | | `110510` | Inconsistent user-agent: The visitor provided an inconsistent user-agent throughout the process of solving Turnstile. | No | The visitor may have browser extensions or settings enabled to spoof their user-agent and should disable them to proceed. | | `11060*` | Challenge timed out: The visitor took too long to solve the challenge and the challenge timed out. | Yes | Retry the challenge. The visitor also may have a system clock set to a wrong date. | | `11062*` | Challenge timed out: This error is for visible mode only. The visitor took too long to solve the interactive challenge and the challenge became outdated. | Yes | Reset the widget and re-initialize it to give the visitor the chance to solve the widget again. | diff --git a/src/content/docs/turnstile/tutorials/implicit-vs-explicit-rendering.mdx b/src/content/docs/turnstile/tutorials/implicit-vs-explicit-rendering.mdx index 9fddcbec20067f1..acaac657de76091 100644 --- a/src/content/docs/turnstile/tutorials/implicit-vs-explicit-rendering.mdx +++ b/src/content/docs/turnstile/tutorials/implicit-vs-explicit-rendering.mdx @@ -268,5 +268,5 @@ Remember to perform server-side validation of the response token to complete the ## Additional resources - [Server-side validation](/turnstile/get-started/server-side-validation/): A guide on how to implement server-side validation to ensure that only valid, human-generated responses are accepted by your application. -- [Turnstile Analytics](/turnstile/turnstile-analytics/): A guide on how to access and interpret Turnstile Analytics data, allowing you to monitor key metrics, access the number of challenges issued, and evaluate the [challenge solve rate (CSR)](/fundamentals/security/cloudflare-challenges/challenge-solve-rate/). +- [Turnstile Analytics](/turnstile/turnstile-analytics/): A guide on how to access and interpret Turnstile Analytics data, allowing you to monitor key metrics, access the number of challenges issued, and evaluate the [challenge solve rate (CSR)](/cloudflare-challenges/reference/challenge-solve-rate/). - [Turnstile API Reference](/api/resources/turnstile/subresources/widgets/methods/list/): Comprehensive documentation for the Turnstile API, providing detailed information on API operations for managing Turnstile widgets, including how to list, create, and update widgets via API calls. diff --git a/src/content/docs/turnstile/tutorials/integrating-turnstile-waf-and-bot-management.mdx b/src/content/docs/turnstile/tutorials/integrating-turnstile-waf-and-bot-management.mdx index 24ffab78141f23d..d38b698f0f43a3c 100644 --- a/src/content/docs/turnstile/tutorials/integrating-turnstile-waf-and-bot-management.mdx +++ b/src/content/docs/turnstile/tutorials/integrating-turnstile-waf-and-bot-management.mdx @@ -180,4 +180,4 @@ If you are interested in customizing Turnstile, refer to the resources below for - [Client-side rendering](/turnstile/get-started/client-side-rendering/). Learn how to customize how and when Turnstile renders in your user interface, to better fit your application's needs and user experience. - [Server-side validation](/turnstile/get-started/server-side-validation/). Learn how Turnstile's API works, including request parameters, as well as how to handle different types of responses, including error codes. -- [Turnstile Analytics](/turnstile/turnstile-analytics/). Learn how to view Turnstile's analytics in the Cloudflare dashboard. This includes metrics on the number of challenges issued, as well as the [challenge solve rate (CSR)](/fundamentals/security/cloudflare-challenges/challenge-solve-rate/). +- [Turnstile Analytics](/turnstile/turnstile-analytics/). Learn how to view Turnstile's analytics in the Cloudflare dashboard. This includes metrics on the number of challenges issued, as well as the [challenge solve rate (CSR)](/cloudflare-challenges/reference/challenge-solve-rate/). diff --git a/src/content/docs/waf/analytics/security-events.mdx b/src/content/docs/waf/analytics/security-events.mdx index 8e16ee4327e3fb0..ee3ebc0d4d8345e 100644 --- a/src/content/docs/waf/analytics/security-events.mdx +++ b/src/content/docs/waf/analytics/security-events.mdx @@ -113,7 +113,7 @@ Besides the actions you can select when configuring rules in Cloudflare security For details on these actions, refer to [HTTP DDoS Attack Protection parameters](/ddos-protection/managed-rulesets/http/override-parameters/#action). -The [_Managed Challenge (Recommended)_](/fundamentals/security/cloudflare-challenges/#managed-challenge-recommended) action that may appear in **Sampled logs** is available in the following security features and products: WAF custom rules, rate limiting rules, Bot Fight Mode, IP Access rules, User Agent Blocking rules, and firewall rules (deprecated). +The [_Managed Challenge (Recommended)_](/cloudflare-challenges/challenge-types/challenge-pages/#managed-challenge-recommended) action that may appear in **Sampled logs** is available in the following security features and products: WAF custom rules, rate limiting rules, Bot Fight Mode, IP Access rules, User Agent Blocking rules, and firewall rules (deprecated). ### Export event log data diff --git a/src/content/docs/waf/rate-limiting-rules/parameters.mdx b/src/content/docs/waf/rate-limiting-rules/parameters.mdx index 7b500291d1cbe55..4abae046bec14a1 100644 --- a/src/content/docs/waf/rate-limiting-rules/parameters.mdx +++ b/src/content/docs/waf/rate-limiting-rules/parameters.mdx @@ -151,7 +151,7 @@ Once the rate is reached, the rate limiting rule applies the rule action to furt In the dashboard, select one of the available values, which [vary according to your Cloudflare plan](/waf/rate-limiting-rules/#availability). The available API values are: `0`, `10`, `60` (one minute), `120` (two minutes), `300` (five minutes), `600` (10 minutes), `3600` (one hour), or `86400` (one day). -Customers on Free, Pro, and Business plans cannot select a duration when using a [challenge action](/fundamentals/security/cloudflare-challenges/#available-challenges) — their rate limiting rule will always perform request throttling for these actions. With request throttling, you do not define a duration. When visitors pass a challenge, their corresponding [request counter](/waf/rate-limiting-rules/request-rate/) is set to zero. When visitors with the same values for the rule characteristics make enough requests to trigger the rate limiting rule again, they will receive a new challenge. +Customers on Free, Pro, and Business plans cannot select a duration when using a [challenge action](/cloudflare-challenges/#available-challenges) — their rate limiting rule will always perform request throttling for these actions. With request throttling, you do not define a duration. When visitors pass a challenge, their corresponding [request counter](/waf/rate-limiting-rules/request-rate/) is set to zero. When visitors with the same values for the rule characteristics make enough requests to trigger the rate limiting rule again, they will receive a new challenge. Enterprise customers can always configure a duration (or mitigation timeout), even when using one of the challenge actions. diff --git a/src/content/docs/waf/reference/legacy/old-rate-limiting/index.mdx b/src/content/docs/waf/reference/legacy/old-rate-limiting/index.mdx index b6ee4df76e7e5f9..fbfef40fc396903 100644 --- a/src/content/docs/waf/reference/legacy/old-rate-limiting/index.mdx +++ b/src/content/docs/waf/reference/legacy/old-rate-limiting/index.mdx @@ -128,7 +128,7 @@ Rate limit actions are based on the domain plan as mentioned in [Availability](# - **Interactive Challenge**: Visitor must pass an Interactive Challenge. If passed, Cloudflare allows the request. - **Log**: Requests are logged in [Cloudflare Logs](/logs/). This helps test rules before applying to production. -For more information on challenge actions, refer to [Cloudflare challenges](/fundamentals/security/cloudflare-challenges/). +For more information on challenge actions, refer to [Cloudflare challenges](/cloudflare-challenges/). #### Ban duration diff --git a/src/content/docs/waf/tools/ip-access-rules/actions.mdx b/src/content/docs/waf/tools/ip-access-rules/actions.mdx index 993f0cae58d3072..93c6d0b22db1d4c 100644 --- a/src/content/docs/waf/tools/ip-access-rules/actions.mdx +++ b/src/content/docs/waf/tools/ip-access-rules/actions.mdx @@ -14,7 +14,7 @@ An IP Access rule can perform one of the following actions: - **Allow**: Excludes visitors from all security checks, including [Browser Integrity Check](/waf/tools/browser-integrity-check/), [Under Attack mode](/fundamentals/reference/under-attack-mode/), and the WAF. Use this option when a trusted visitor is being blocked by Cloudflare's default security features. The _Allow_ action takes precedence over the _Block_ action. Note that allowing a given country code will not bypass WAF managed rules (previous and new versions). -- **Managed Challenge**: Depending on the characteristics of a request, Cloudflare will dynamically choose the appropriate type of challenge from a list of possible actions. For more information, refer to [Cloudflare challenges](/fundamentals/security/cloudflare-challenges/#managed-challenge-recommended). +- **Managed Challenge**: Depending on the characteristics of a request, Cloudflare will dynamically choose the appropriate type of challenge from a list of possible actions. For more information, refer to [Cloudflare challenges](/cloudflare-challenges/#managed-challenge-recommended). - **JavaScript Challenge**: Presents the [Under Attack mode](/fundamentals/reference/under-attack-mode/) interstitial page to visitors. The visitor or client must support JavaScript. Useful for blocking DDoS attacks with minimal impact to legitimate visitors. diff --git a/src/content/docs/waf/troubleshooting/faq.mdx b/src/content/docs/waf/troubleshooting/faq.mdx index 86fcdcc3049c00b..7f2e078bf712ef0 100644 --- a/src/content/docs/waf/troubleshooting/faq.mdx +++ b/src/content/docs/waf/troubleshooting/faq.mdx @@ -77,108 +77,4 @@ For more information on verified bots, refer to [Bots](/bots/concepts/bot/). :::note There is no functional difference between known and verified bots. However, the known bots field (`cf.client.bot`) is available for all customers, while the verified bots field (`cf.bot_management.verified_bot`) is available for Enterprise customers. -::: - -## Challenges - -### Why am I being challenged on a Cloudflare-protected site? - -Cloudflare issues challenges to website visitors to protect against malicious activity such as bot attacks and DDoS attacks. Key reasons include: - -- **Bot detection**: Automated traffic resembling bots is filtered by Cloudflare. -- **Web Application Firewall (WAF) custom rules**: Site owners may set rules targeting specific regions or user agents. -- **Browser Integrity Check**: Cloudflare verifies that browsers meet certain standards. -- **Challenge Passage**: Technologies like Privacy Pass reduce the frequency of repeated challenges. -- **IP reputation**: If your IP has a history of suspicious activity, it may be flagged. - -To avoid repeated challenges, ensure your browser is up to date, disable any privacy tools that might block standard browser headers, or use a different network connection if your current one has a poor IP reputation. - -### How do I exclude certain requests from being blocked or challenged? - -In certain situations you want to enforce a blocking or challenging action but make an exception for specific types of requests. - -Cloudflare supports two methods of allowing requests using WAF custom rules: - -- Exclude a type of request from being blocked or challenged in a custom rule by updating the rule expression, for example adding an exclusion based on IP address, ASN, or country. -- Create a separate custom rule with a [_Skip_ action](/waf/custom-rules/skip/). This skip rule must appear before the rule with the block/challenge action in the rules list. - -The examples below illustrate a few possible approaches. - -**Example 1** - -Exclude multiple IP addresses from a blocking/challenging rule that assesses attack score. - -- Basic rule, no exclusion: - - - **Expression**: `(http.host eq "example.com" and cf.waf.score lt 20)` - - **Action**: Block (or a challenge action) - -- Rule that excludes IP addresses from being blocked/challenged: - - - **Expression**: `(http.host eq "example.com" and cf.waf.score lt 20) and not (ip.src in {192.0.2.1 198.51.100.42 203.0.113.0/24})` - - **Action**: Block (or a challenge action) - -- Two rules to skip remaining custom rules for specific IPs and block the rest. - - 1. Rule 1: - - - Expression: `ip.src in {192.0.2.1 198.51.100.42 203.0.113.0/24}` - - Action: Skip > All remaining custom rules - - 2. Rule 2: - - - Expression: `(http.host eq "example.com" and cf.waf.score lt 20)` - - Action: Block (or a challenge action) - -**Example 2** - -Block Amazon Web Services (AWS) and Google Cloud Platform (GCP) because of large volumes of undesired traffic, but allow Googlebot and other known bots that Cloudflare validates. - -- Basic rule, no exclusion: - - - **Expression**: `(ip.src.asnum in {16509 15169} and not cf.client.bot)` - - **Action**: Block (or a challenge action) - -- Rule that excludes IP addresses from being blocked/challenged: - - - **Expression**: `(ip.src.asnum in {16509 15169} and not cf.client.bot) and not (ip.src in {192.0.2.1 198.51.100.42 203.0.113.0/24})` - - **Action**: Block (or a challenge action) - -- Two rules to skip remaining custom rules for specific IPs and block the rest. - - 1. Rule 1: - - - Expression: `ip.src in {192.0.2.1 198.51.100.42 203.0.113.0/24}` - - Action: Skip > All remaining custom rules - - 2. Rule 2: - - - Expression: `(ip.src.asnum in {16509 15169} and not cf.client.bot)` - - Action: Block (or a challenge action) - -### Do the Challenge actions support content types other than HTML (for example, AJAX or XHR requests)? - -Previously, unless you customize your front-end application, any AJAX request that is challenged will fail because AJAX calls are not rendered in the DOM. - -Now, you can [opt-in to Turnstile’s Pre-Clearance cookies](/turnstile/concepts/pre-clearance-support/). This allows you to issue a challenge early in your web application flow and pre-clear users to interact with sensitive APIs. Clearance cookies issued by a Turnstile widget are automatically applied to the Cloudflare zone that the Turnstile widget is embedded on, with no configuration necessary. The duration of the clearance cookie’s validity is controlled by the zone-specific configurable [Challenge Passage](/fundamentals/security/cloudflare-challenges/challenge-passage/) security setting. - -### Why would I not find any failed challenges? - -Users do not complete all challenges. Cloudflare issues challenges that are never answered — only 2-3% of all served challenges are usually answered. - -There are multiple reasons for this: - -- Users give up on a challenge. -- Users try to solve a challenge but cannot provide an answer. -- Users keep refreshing the challenge, but never submit an answer. -- Cloudflare receives a malformed challenge answer. - -You can calculated the number of failed challenges as follows: `number of challenges issued - number of challenges solved`. - -### Why do I have matches for a firewall rule that was not supposed to match the request? - -Make sure you are looking at the correct request. - -Only requests that triggered a challenge will match the request parameters of the rule. Subsequent requests with a `[js]challengeSolved` action may not match the parameters of the rule — for example, the bot score may have changed because the user solved a challenge. - -The "solved" action is an informative action about a previous request that matched a rule. This action states that "previously a rule had matched a request with the action set to _Interactive Challenge_ or _JS Challenge_ and now that challenge was answered." +::: \ No newline at end of file diff --git a/src/content/docs/waf/troubleshooting/samesite-cookie-interaction.mdx b/src/content/docs/waf/troubleshooting/samesite-cookie-interaction.mdx index 6369c3256cfd49c..8fa34db024341a4 100644 --- a/src/content/docs/waf/troubleshooting/samesite-cookie-interaction.mdx +++ b/src/content/docs/waf/troubleshooting/samesite-cookie-interaction.mdx @@ -59,7 +59,7 @@ If you require a specific `SameSite` configuration in your session affinity cook ## Known issues with SameSite and `cf_clearance` cookies -When a visitor solves a [challenge](/fundamentals/security/cloudflare-challenges/) presented due to a [WAF custom rule](/waf/custom-rules/) or an [IP Access rule](/waf/tools/ip-access-rules/), a `cf_clearance` cookie is set in the visitor's browser. The `cf_clearance` cookie has a default lifetime of 30 minutes, which you can configure via [Challenge Passage](/fundamentals/security/cloudflare-challenges/challenge-passage/). +When a visitor solves a [challenge](/cloudflare-challenges/) presented due to a [WAF custom rule](/waf/custom-rules/) or an [IP Access rule](/waf/tools/ip-access-rules/), a `cf_clearance` cookie is set in the visitor's browser. The `cf_clearance` cookie has a default lifetime of 30 minutes, which you can configure via [Challenge Passage](/cloudflare-challenges/challenge-types/challenge-pages/#challenge-passage). Cloudflare uses `SameSite=None` in the `cf_clearance` cookie so that visitor requests from different hostnames are not met with later challenges or errors. When `SameSite=None` is used, it must be set in conjunction with the `Secure` flag. diff --git a/src/content/partials/bots/javascript-detections-implementation.mdx b/src/content/partials/bots/javascript-detections-implementation.mdx index 313d4c86bea3abc..80a0a81fa31ec75 100644 --- a/src/content/partials/bots/javascript-detections-implementation.mdx +++ b/src/content/partials/bots/javascript-detections-implementation.mdx @@ -9,7 +9,7 @@ When adding this field to WAF custom rules, use it: * On endpoints expecting browser traffic (avoiding native mobile applications or websocket endpoints). * After a user's first request to your application (Cloudflare needs at least one HTML request before injecting JavaScript detection). -* With the [Managed Challenge action](/fundamentals/security/cloudflare-challenges/#managed-challenge-recommended), because there are legitimate reasons a user might not have passed a JavaScript detection challenge (network issues, ad blockers, disabled JavaScript in browser, native mobile apps). +* With the [Managed Challenge action](/cloudflare-challenges/challenge-types/challenge-pages/#managed-challenge-recommended), because there are legitimate reasons a user might not have passed a JavaScript detection challenge (network issues, ad blockers, disabled JavaScript in browser, native mobile apps). ### Prerequisites diff --git a/src/content/partials/turnstile/challenge-behavior.mdx b/src/content/partials/turnstile/challenge-behavior.mdx index ba3362ca2477671..29bd8ff2927ea40 100644 --- a/src/content/partials/turnstile/challenge-behavior.mdx +++ b/src/content/partials/turnstile/challenge-behavior.mdx @@ -3,6 +3,6 @@ --- -Cloudflare issues challenges through the [Challenge Platform](/fundamentals/security/cloudflare-challenges/), which is the same underlying technology powering [Turnstile](/turnstile/). +Cloudflare issues challenges through the [Challenge Platform](/cloudflare-challenges/), which is the same underlying technology powering [Turnstile](/turnstile/). In contrast to our Challenge page offerings, Turnstile allows you to run challenges anywhere on your site in a less-intrusive way without requiring the use of Cloudflare’s CDN. diff --git a/src/content/partials/turnstile/troubleshooting-steps.mdx b/src/content/partials/turnstile/troubleshooting-steps.mdx index 6ef5da3df3d056c..ade8bb816521c35 100644 --- a/src/content/partials/turnstile/troubleshooting-steps.mdx +++ b/src/content/partials/turnstile/troubleshooting-steps.mdx @@ -5,7 +5,7 @@ 1. Verify your browser compatibility. - Turnstile supports all major browsers, except Internet Explorer. - - Ensure your browser is up to date. For more information, refer to our [Supported browsers](/fundamentals/security/cloudflare-challenges/#supported-browsers). + - Ensure your browser is up to date. For more information, refer to our [Supported browsers](/cloudflare-challenges/reference/supported-browsers/). 2. Disable your browser extensions. - Some browser extensions, such as ad blockers, may block the scripts Turnstile needs to operate. - Temporarily disable all extensions and reload the page. diff --git a/src/content/partials/turnstile/turnstile/challenge-behavior.mdx b/src/content/partials/turnstile/turnstile/challenge-behavior.mdx index ba3362ca2477671..29bd8ff2927ea40 100644 --- a/src/content/partials/turnstile/turnstile/challenge-behavior.mdx +++ b/src/content/partials/turnstile/turnstile/challenge-behavior.mdx @@ -3,6 +3,6 @@ --- -Cloudflare issues challenges through the [Challenge Platform](/fundamentals/security/cloudflare-challenges/), which is the same underlying technology powering [Turnstile](/turnstile/). +Cloudflare issues challenges through the [Challenge Platform](/cloudflare-challenges/), which is the same underlying technology powering [Turnstile](/turnstile/). In contrast to our Challenge page offerings, Turnstile allows you to run challenges anywhere on your site in a less-intrusive way without requiring the use of Cloudflare’s CDN. diff --git a/src/content/partials/turnstile/turnstile/troubleshooting-steps.mdx b/src/content/partials/turnstile/turnstile/troubleshooting-steps.mdx index 40357cbfba788df..ceccce6c35304b6 100644 --- a/src/content/partials/turnstile/turnstile/troubleshooting-steps.mdx +++ b/src/content/partials/turnstile/turnstile/troubleshooting-steps.mdx @@ -3,7 +3,7 @@ --- -- Verify your browser compatibility: Ensure that the browser you are using is one of the supported browsers for Turnstile and the browser is up to date. Refer to [Supported browsers](/fundamentals/security/cloudflare-challenges/#browser-support) for more information. +- Verify your browser compatibility: Ensure that the browser you are using is one of the supported browsers for Turnstile and the browser is up to date. Refer to [Supported browsers](/cloudflare-challenges/reference/supported-browsers/) for more information. - Clear your browser cache and cookies: Refer to the guides below on how to clear your browser cache and cookies based on your preferred browser. - [Google Chrome](https://support.google.com/accounts/answer/32050?hl=en\&co=GENIE.Platform%3DDesktop) diff --git a/src/content/products/cloudflare-challenges.yaml b/src/content/products/cloudflare-challenges.yaml new file mode 100644 index 000000000000000..ebe5061dc0eb8b1 --- /dev/null +++ b/src/content/products/cloudflare-challenges.yaml @@ -0,0 +1,13 @@ +name: Challenges +logo: + +product: + title: Challenges + group: Application security + url: /cloudflare-challenges/ + preview_tryout: true + + +meta: + title: Cloudflare challenges docs + description: Verify whether a visitor is a real human using a challenge diff --git a/src/icons/cloudflare-challenges.svg b/src/icons/cloudflare-challenges.svg new file mode 100644 index 000000000000000..685bfb5afb6d6f5 --- /dev/null +++ b/src/icons/cloudflare-challenges.svg @@ -0,0 +1 @@ + \ No newline at end of file