[Challenges] Reorganize Fundamentals section + add new information

public/__redirects

@@ -218,7 +218,7 @@
 /support/other-languages/deutsch/cloudflare-bot/ /bots/troubleshooting/ 301
 /bots/reference/verified-bot-categories/ /bots/concepts/bot/verified-bots/categories/ 301
 /bots/reference/verified-bot-policy/ /bots/concepts/bot/verified-bots/policy/ 301
-/bots/concepts/challenge-solve-rate/ /fundamentals/security/cloudflare-challenges/challenge-solve-rate/ 301
+/bots/concepts/challenge-solve-rate/ /cloudflare-challenges/reference/challenge-solve-rate/ 301
 /bots/concepts/detection-ids/ /bots/additional-configurations/detection-ids/ 301
 /bots/concepts/ja3-ja4-fingerprint/ /bots/additional-configurations/ja3-ja4-fingerprint/ 301
 /bots/concepts/signals-intelligence/ /bots/additional-configurations/ja3-ja4-fingerprint/signals-intelligence/ 301
@@ -502,7 +502,7 @@
 /firewall/cf-rulesets/custom-rules/rate-limiting/ /waf/rate-limiting-rules/ 301
 /support/page-rules/required-firewall-rule-changes-to-enable-url-normalization/ /firewall/troubleshooting/required-changes-to-enable-url-normalization/ 301
 /firewall/known-issues-and-faq/ /waf/troubleshooting/faq/ 301
-/firewall/cf-firewall-rules/cloudflare-challenges/ /fundamentals/security/cloudflare-challenges/ 301
+/firewall/cf-firewall-rules/cloudflare-challenges/ /cloudflare-challenges/ 301
 
 # fundamentals
 /fundamentals/account-and-billing/account-setup/ /fundamentals/subscriptions-and-billing/ 301
@@ -554,7 +554,7 @@
 /fundamentals/global-configurations/ /fundamentals/ 301
 /fundamentals/customizations/ /fundamentals/ 301
 /fundamentals/security/cybersafe/ /fundamentals/reference/policies-compliances/cybersafe/ 301
-/fundamentals/security/challenge-passage/ /fundamentals/security/cloudflare-challenges/challenge-passage/ 301
+/fundamentals/security/challenge-passage/ /cloudflare-challenges/challenge-types/challenge-pages/#challenge-passage 301
 /fundamentals/glossary/ /fundamentals/reference/glossary/ 301
 /fundamentals/account-and-billing/login/ /fundamentals/setup/account/login/ 301
 /fundamentals/account-and-billing/account-maintenance/delete-account/ /fundamentals/subscriptions-and-billing/delete-account/ 301
@@ -591,7 +591,7 @@
 /fundamentals/get-started/setup/minimize-downtime/ /fundamentals/performance/minimize-downtime/ 301
 /fundamentals/basic-tasks/maintenance-mode/ /fundamentals/performance/minimize-downtime/ 301
 /fundamentals/get-started/concepts/what-is-cloudflare/ https://www.cloudflare.com/learning/what-is-cloudflare/ 301
-/fundamentals/get-started/concepts/cloudflare-challenges/ /fundamentals/security/cloudflare-challenges/ 301
+/fundamentals/get-started/concepts/cloudflare-challenges/ /cloudflare-challenges/ 301
 /fundamentals/get-started/concepts/accounts-and-zones/ /fundamentals/setup/accounts-and-zones/ 301
 /fundamentals/get-started/concepts/cloudflare-ip-addresses/ /fundamentals/concepts/cloudflare-ip-addresses/ 301
 /fundamentals/get-started/concepts/network-layers/ /fundamentals/reference/network-layers/ 301
@@ -673,6 +673,9 @@
 /fundamentals/concepts/the-internet/ https://www.cloudflare.com/learning/network-layer/how-does-the-internet-work/ 301
 /fundamentals/concepts/free-plan/ /fundamentals/subscriptions-and-billing/free-plan/ 301
 /fundamentals/setup/manage-domains/connect-your-domain/ /fundamentals/setup/manage-domains/add-site/ 301
+/fundamentals/security/cloudflare-challenges/challenge-passage/ /cloudflare-challenges/challenge-types/challenge-pages/#challenge-passage 301
+/fundamentals/security/cloudflare-challenges/challenge-solve-rate/ /cloudflare-challenges/reference/challenge-solve-rate/ 301
+/fundamentals/security/cloudflare-challenges/challenge-solve-issues/ /cloudflare-challenges/troubleshooting/challenge-solve-issues/ 301
 
 # gateway
 /gateway/about/ /cloudflare-one/policies/gateway/ 301
@@ -1338,7 +1341,7 @@
 /turnstile/migration/migrating-from-hcaptcha/ /turnstile/migration/hcaptcha/ 301
 /turnstile/concepts/widget-types/ /turnstile/concepts/widget/ 301
 /turnstile/concepts/domain-management/ /turnstile/concepts/hostname-management/ 301
-/turnstile/troubleshooting/challenge-solve-issues/ /fundamentals/security/cloudflare-challenges/challenge-solve-issues/ 301
+/turnstile/troubleshooting/challenge-solve-issues/ /cloudflare-challenges/troubleshooting/challenge-solve-issues/ 301
 
 # waf
 /waf/about/ /waf/concepts/ 301
@@ -1375,8 +1378,8 @@
 /waf/analytics/security-events/free-plan/ /waf/analytics/security-events/ 301
 /waf/analytics/security-events/paid-plans/ /waf/analytics/security-events/ 301
 /waf/analytics/security-events/additional-information/ /waf/tools/validation-checks/ 301
-/waf/reference/cloudflare-challenges/ /fundamentals/security/cloudflare-challenges/ 301
-/waf/tools/challenge-passage/ /fundamentals/security/cloudflare-challenges/challenge-passage/ 301
+/waf/reference/cloudflare-challenges/ /cloudflare-challenges/ 301
+/waf/tools/challenge-passage/ /cloudflare-challenges/challenge-types/challenge-pages/#challenge-passage 301
 
 # waiting-room
 /waiting-room/how-to/mobile-traffic/ /waiting-room/how-to/json-response/ 301

src/content/docs/analytics/account-and-zone-analytics/status-codes.mdx

@@ -32,7 +32,7 @@ Users may also see `100x` errors which are not reported. These will be displayed
 ## Common edge status codes
 
 - `400` - Bad Request intercepted at the Cloudflare Edge (for example, missing or bad HTTP header)
-- `403` - Security functionality (for example, Web Application Firewall, Browser Integrity Check, [Cloudflare challenges](/fundamentals/security/cloudflare-challenges/), and most 1xxx error codes)
+- `403` - Security functionality (for example, Web Application Firewall, Browser Integrity Check, [Cloudflare challenges](/cloudflare-challenges/), and most 1xxx error codes)
 - `409` - DNS errors typically in the form of 1000 or 1001 error code
 - `413` - File size upload exceeded the maximum size allowed (configured in the dashboard under **Network** > **Maximum Upload Size**.)
 - `444` - Used by Nginx to indicate that the server has returned no information to the client, and closed the connection. This error code is internal to Nginx and is **not** returned to the client.

src/content/docs/analytics/account-and-zone-analytics/threat-types.mdx

@@ -52,7 +52,7 @@ A /24 IP range that was blocked based on the [user configuration](/waf/tools/ip-
 
 ## New Challenge (user)
 
-[Challenge](/fundamentals/security/cloudflare-challenges/) based on user configurations set for visitor’s IP in either WAF managed rules or custom rules, configured in **Security** > **WAF**.
+[Challenge](/cloudflare-challenges/) based on user configurations set for visitor’s IP in either WAF managed rules or custom rules, configured in **Security** > **WAF**.
 
 ## Challenge error
 

src/content/docs/analytics/account-and-zone-analytics/total-threats-stopped.mdx

@@ -7,7 +7,7 @@ title: Total threats stopped
 Total Threats Stopped measures the number of “suspicious” and “bad” requests that were aimed at your site. Requests receive these labels as they enter Cloudflare’s network:
 
 - **Legitimate:** Request passed directly to your site.
-- **Suspicious:** Request has been challenged with a [Cloudflare challenge](/fundamentals/security/cloudflare-challenges/).
+- **Suspicious:** Request has been challenged with a [Cloudflare challenge](/cloudflare-challenges/).
 - **Bad:** Request has been blocked because our Browser Integrity Check, or because of user configured settings like WAF rules or IP Access rules.
 
 In addition to threat analytics you can also monitor search engine crawlers going to your websites. For most websites, threats and crawlers make up 20% to 50% of traffic.

src/content/docs/bots/additional-configurations/detection-ids.mdx

@@ -88,7 +88,7 @@ and not any(cf.bot_management.detection_ids[*] in {3355446 12577893})
 
 ### Challenges for account takeover detections
 
-Cloudflare's [Managed Challenge](/fundamentals/security/cloudflare-challenges/) can limit brute-force attacks on your login endpoints.
+Cloudflare's [Managed Challenge](/cloudflare-challenges/challenge-types/challenge-pages/#managed-challenge-recommended) can limit brute-force attacks on your login endpoints.
 
 To access account takeover detections:
 

src/content/docs/bots/get-started/bot-management.mdx

@@ -69,7 +69,7 @@ Cloudflare has [default templates](https://dash.cloudflare.com/?to=/:account/:zo
     (cf.bot_management.score ge 2 and cf.bot_management.score le 29 and not cf.bot_management.verified_bot and not cf.bot_management.static_resource)
     ```
 
-- (Optional) [JavaScript detections template](https://dash.cloudflare.com/?to=/:account/:zone/security/security-rules/custom-rules/create?template=JavaScript%20Verified%20URLs): If you enabled JavaScript detections, then set up a [managed challenge](/fundamentals/security/cloudflare-challenges/#managed-challenge-recommended), make sure to add a method and URI path. JavaScript detections improves security for URLs that should only expect JavaScript-enabled clients.
+- (Optional) [JavaScript detections template](https://dash.cloudflare.com/?to=/:account/:zone/security/security-rules/custom-rules/create?template=JavaScript%20Verified%20URLs): If you enabled JavaScript detections, then set up a [managed challenge](/cloudflare-challenges/challenge-types/challenge-pages/#managed-challenge-recommended), make sure to add a method and URI path. JavaScript detections improves security for URLs that should only expect JavaScript-enabled clients.
 
     ```txt wrap
     (not cf.bot_management.js_detection.passed and http.request.method eq "" and http.request.uri.path in {""})

src/content/docs/bots/troubleshooting/frequently-asked-questions.mdx

@@ -59,7 +59,7 @@ Cloudflare uses data from millions of requests and re-train the system on a peri
 
 When you choose to challenge different bot categories with Bot Fight Mode or Super Bot Fight Mode, you will see Security Events with an **Action Taken** of **Managed Challenge**.
 
-You may also see Managed Challenge due to a triggered [WAF custom rule](/fundamentals/security/cloudflare-challenges/#managed-challenge-recommended).
+You may also see Managed Challenge due to a triggered [WAF custom rule](/cloudflare-challenges/challenge-types/challenge-pages/#managed-challenge-recommended).
 
 This does not mean that your traffic was blocked. It is the challenge sent to your user to determine whether they are likely human or likely bot.
 

src/content/docs/cloudflare-challenges/challenge-types/challenge-pages.mdx

@@ -0,0 +1,127 @@
+---
+pcx_content_type: concept
+title: Challenge pages
+sidebar:
+  order: 1
+---
+
+The types of available challenge pages function similarly. The main difference between the challenges are when and if an interaction is presented to the visitor.
+
+- Managed challenges will rarely present the visitor with an interactive challenge, except in cases where Cloudflare cannot verify the legitimacy of the visitor. 
+- JavaScript challenges never present the visitor with an interactive challenge.
+- Interactive challenges present the visitor with a simple and solvable challenge, such as selecting a checkbox, to verify their legitimacy. 
+
+Refer to the information below for more details on available challenges. 
+
+## Available challenges
+
+### Managed challenge (recommended)
+
+Managed challenges are where Cloudflare dynamically chooses the appropriate type of challenge based on the characteristics of a request. This helps avoid [CAPTCHAs](https://www.cloudflare.com/learning/bots/how-captchas-work/), which also reduces the lifetimes of human time spent solving CAPTCHAs across the Internet.
+
+Unless there are specific compatibility issues or other reasons to use other types of challenges, you should use managed challenges for your various custom rules.
+
+:::caution
+Using Cloudflare challenges along with Rules features may cause challenge loops. Refer to [Rules troubleshooting](/rules/reference/troubleshooting/) for more information.
+:::
+
+### JavaScript challenge
+
+With a JavaScript (JS) challenge, Cloudflare presents a challenge page that requires no interaction from a visitor except the JavaScript processed by their browser.
+
+The visitor must wait until their browser finishes processing the JavaScript, which should be less than five seconds.
+
+### Interactive challenge
+
+Interactive challenges require a visitor to interact with the interstitial challenge page, presenting the visitor with an interactive challenge to solve. Cloudflare does not recommend using Interactive Challenges.
+For more on why Cloudflare does not recommend using Interactive Challenge, in favor of Managed Challenge, refer to our [blog post](https://blog.cloudflare.com/end-cloudflare-captcha/).
+
+---
+
+## Detect a challenge page response
+
+When a request encounters a Cloudflare challenge page instead of the originally anticipated response, the challenge page response (regardless of the challenge page type) will have the `cf-mitigated` header present and set to `challenge`. This header can be leveraged to detect if a response was challenged when making fetch/XHR requests. This header provides a reliable way to identify whether a response is a challenge or not, enabling a web application to take appropriate action based on the result. For example, a front-end application encountering a response from the backend may check the presence of this header value to handle cases where challenge pages encountered unexpectedly.
+
+:::note
+Regardless of the requested resource-type, the content-type of a challenge will be `text/html`.
+:::
+
+For the `cf-mitigated` header, `challenge` is the only valid value. The header is set for all challenge page types.
+
+To illustrate, here is a JavaScript code snippet that demonstrates how to use the `cf-mitigated` header to detect whether a response was challenged:
+
+```js
+fetch("/my-api-endpoint").then((response) => {
+	if (response.headers.get("cf-mitigated") === "challenge") {
+		// Handle challenged response
+	} else {
+		// Process response as usual
+	}
+});
+```
+
+For additional help, refer to our [FAQ](/cloudflare-challenges/troubleshooting/frequently-asked-questions/).
+
+---
+
+## Resolve a challenge
+
+If a visitor encounters a challenge, Cloudflare employees cannot remove that challenge. Only the website owner can configure their Cloudflare settings to stop the challenge being presented.
+
+When observing a Cloudflare Challenge page, a visitor could:
+
+- Successfully pass the challenge to visit the website.
+- Request the website owner to allow their IP address.
+- Scan their computer for malicious programs (it may be infected).
+- Check their antivirus or firewall service to make sure it is not blocking access to the challenge resources (for example, images).
+
+:::note
+Visitors must enable JavaScript and cookies on their browser to be able to pass any type of challenge.
+:::
+
+---
+
+## Challenge Passage
+
+When a visitor solves a [Cloudflare challenge](/cloudflare-challenges/) - as part of a [WAF custom rule](/waf/custom-rules/) or [IP Access rule](/waf/tools/ip-access-rules/) - you can set the **Challenge Passage** to prevent them from having to solve future challenges for a specified period of time.
+
+### How it works
+
+When a visitor successfully solves a challenge, Cloudflare sets a [`cf_clearance` cookie](/fundamentals/reference/policies-compliances/cloudflare-cookies/#additional-cookies-used-by-the-challenge-platform) in their browser. This cookie specifies the duration your website is accessible to that visitor.
+
+When that visitor tries to access other parts of your website, Cloudflare evaluates the cookie before presenting another challenge. If the cookie is still valid, no challenges will be shown.
+
+When Cloudflare evaluates a `cf_clearance` cookie, a few extra minutes are included to account for clock skew. For XmlHTTP requests, an extra hour is added to the validation time to prevent breaking XmlHTTP requests for pages that set short lifetimes.
+
+### Customize the Challenge Passage
+
+By default, the `cf_clearance` cookie has a lifetime of 30 minutes. Cloudflare recommends a setting between 15 and 45 minutes.
+
+To update the Challenge Passage (and the value of the `cf_clearance` cookie):
+
+1. Log into the [Cloudflare dashboard](https://dash.cloudflare.com).
+2. Select your account and domain.
+3. Go to **Security** > **Settings**.
+4. For **Challenge Passage**, select a duration.
+
+### Limitations
+
+The Challenge Passage does not apply to challenges issued by WAF managed rules. Also, Challenge Passage does not apply to rate limiting rules unless the rate limit is configured to issue a challenge.
+
+---
+
+## Additional configuration
+
+### Multi-language support
+
+Refer to [supported languages](/cloudflare-challenges/reference/supported-languages/) for more information.
+
+### Favicon customization
+
+Cloudflare challenges take the favicon of your website using `GET /favicon.ico` and displays it on the challenge page.
+
+You can customize your favicon by using the HTML snippet below.
+
+```html title="HTML element"
+<link rel="shortcut icon" href="<FAVICON_LINK>" />
+```

src/content/docs/cloudflare-challenges/challenge-types/index.mdx

@@ -0,0 +1,12 @@
+---
+pcx_content_type: navigation
+title: Challenge types
+sidebar:
+  order: 3
+  group: 
+    hideIndex: true
+---
+
+import { DirectoryListing } from "~/components"
+
+<DirectoryListing />

src/content/docs/cloudflare-challenges/challenge-types/javascript-detections.mdx

@@ -0,0 +1,7 @@
+---
+pcx_content_type: concept
+title: JavaScript detections
+external_link: /bots/additional-configurations/javascript-detections/
+sidebar:
+  order: 2
+---