Learn under what circumstances Cloudflare displays a Captcha to a visitor and how to resolve such issues.
Overview
There are several common reasons a Cloudflare-protected website displays a Captcha to a site visitor:
- The visitor’s IP address demonstrated previous suspicious activity online. Review your client IP address for malicious activity at Project Honeypot. If no suspicious activity is observed from the visitor’s IP address after a two-week period, Cloudflare stops challenging the IP address.
- The website owner blocked the country associated with the visitor’s client IP.
- The visitor’s actions activated a Web Application Firewall rule enabled by the website owner.
Cloudflare employees cannot remove a Captcha. Only the website owner can configure their Cloudflare settings to stop the Captcha. When observing a Cloudflare Captcha page similar to the above, there are several possible approaches to resolve the issue:
- Successfully pass the Captcha to visit the website. Cookies and JavaScript support are required in browser settings to pass the captcha.
- Request the website owner to allow the visitor’s IP address.
- The visitor’s computer is infected and requires an antivirus scan. Also, it is possible for an antivirus or firewall service on the client’s computer to block access to the Captcha image.
Managed Challenge
Managed Challenge help reduce the lifetimes of human time spent solving Captchas across the Internet. Depending on the characteristics of a request, Cloudflare will perform the following actions:
- Show a non-interactive challenge page (similar to the current JS Challenge)
- Show a Captcha
Currently, Managed Challenge action is available in the following security products:
- Rate Limiting
- Firewall Rules - If you are a free customer, any Firewall Rules set to Challenge (Captcha) have become intelligent Managed Challenge. As a free customer, you cannot opt out of Managed Challenge.
- IP Access Rules - Managed Challenge action is available to customers on all plans using IP Access Rules. Customers can configure their existing or new rules in IP Access Rules to use Managed Challenge (instead of Captcha)
- Bot Fight Mode or Super Bot Fight Mode - You may also see Firewall Events with an Action taken of Managed Challenge due to Cloudflare bot products.
Set the Challenge Passage
When a Cloudflare CAPTCHA or Javascript challenge is solved such as for a Firewall Rule or IP Access Rule, a cf_clearance cookie is set in the client browser. cf_clearance specifies the duration your website is accessible to a visitor that successfully completed a previous Captcha or JavaScript challenge. The cf_clearance cookie has a default lifetime of 30 minutes. Cloudflare recommends a setting between 15 and 45 minutes.
When Cloudflare evaluates a cf_clearance cookie, a few extra minutes are included to account for clock skew. For XmlHTTP requests, an extra hour is added to the validation time to prevent breaking XmlHTTP requests for pages that set short lifetimes.
Challenge Passage controls the cf_clearance cookie and is managed via the Settings tab of the Cloudflare Firewall app. A visitor is issued a new challenge when the configured Challenge Passage time expires.
The Challenge Passage does not apply to challenges issued by the Web Application Firewall (WAF). Also, Challenge Passage does not apply to Rate Limiting unless the rate limit is configured to issue a challenge.