The Security Level uses the IP reputation of a visitor to decide whether to present a CAPTCHA Challenge Page. Once the visitor enters the correct CAPTCHA, they continue to the appropriate page. By default, Cloudflare sets the Security Level to medium. A Cloudflare internal algorithm calculates an IP's reputation and assigns a threat score that ranges from 0 to 100. The security levels and the challenge display criteria:
- High - for scores greater than 0
- Medium - for scores greater than 14
- Low - for scores greater than 24
- Essentially Off - for scores greater than 49
To change your security settings, click the Firewall app in your Cloudflare Dashboard.
Cloudflare recommends starting at a medium security level (the default setting) to adequately protect your site.
I'm Under Attack Mode should only be used when a site is under a DDoS attack. Visitors will receive an interstitial page for about five seconds while Cloudflare analyzes the traffic and behavior to make sure it is a legitimate human visitor trying to access your website. I'm Under Attack Mode may affect some actions on your domain, such as using an API. You're able to set a custom security level for your API or any other part of your domain by creating a page rule for that section.