Learn under what circumstances Cloudflare displays a Captcha or a Managed Challenge to a visitor and how to resolve such issues.
There are several common reasons a Cloudflare-protected website displays a Captcha to a site visitor:
- The visitor’s IP address demonstrated previous suspicious activity online. Review your client IP address for malicious activity at Project Honeypot. If no suspicious activity is observed from the visitor’s IP address after a two-week period, Cloudflare stops challenging the IP address.
- The website owner blocked the country associated with the visitor’s client IP.
- The visitor’s actions activated a firewall rule enabled by the website owner.
Cloudflare employees cannot remove a Captcha. Only the website owner can configure their Cloudflare settings to stop the Captcha. When observing a Cloudflare Captcha page similar to the above, there are several possible approaches to resolve the issue:
- Request the website owner to allow the visitor’s IP address.
- The visitor’s computer is infected and requires an antivirus scan. Also, it is possible for an antivirus or firewall service on the client’s computer to block access to the Captcha image.
Managed Challenge help reduce the lifetimes of human time spent solving Captchas across the Internet. Depending on the characteristics of a request, Cloudflare will dynamically choose the appropriate type of challenge from a set of rotating actions including:
- Show a non-interactive challenge page (similar to the current JS Challenge).
- Present an invisible proof of work challenge to the browser.
- Show a custom interactive challenge (such as click a button).
- Show a CAPTCHA challenge.
Currently, Managed Challenge action is available in the following security products:
- IP Access Rules
- User Agent Blocking
- Rate Limiting (previous version)
- Custom rules
- Rate limiting rules
- Bot Fight Mode - You may also see Firewall Events with an Action taken of Managed Challenge due to Cloudflare bot products.
- Firewall rules
- HTTP DDoS Attack Protection
Set the Challenge Passage
When Cloudflare evaluates a cf_clearance cookie, a few extra minutes are included to account for clock skew. For XmlHTTP requests, an extra hour is added to the validation time to prevent breaking XmlHTTP requests for pages that set short lifetimes.
Challenge Passage controls the cf_clearance cookie and is managed in Security > Settings. A visitor is issued a new challenge when the configured Challenge Passage time expires.
The Challenge Passage does not apply to challenges issued by WAF managed rules. Also, Challenge Passage does not apply to rate limiting rules unless the rate limit is configured to issue a challenge.
When your application sends a challenge, your visitors either receive a non-interactive challenge page or a CAPTCHA.
Challenges are not supported by Microsoft Internet Explorer. If you are currently using Internet Explorer, try using another major web browser (Chrome, Safari, Firefox).
If you are already using a major web browser, make sure it is using the latest version.
If your visitors are using an up-to-date version of a major browser — such as Chrome, Firefox, Safari, Microsoft Edge, Chrome and Safari on mobile — they will receive the challenge correctly.
Challenges are not supported by Microsoft Internet Explorer.
If your visitors encounter issues using a major browser besides Internet Explorer, they should upgrade their browser.