Understanding Cloudflare Captcha

Learn under what circumstances Cloudflare displays a Captcha to a visitor and how to resolve such issues.


Overview

There are several common reasons a Cloudflare-protected website displays a Captcha to a site visitor:

  1. The visitor’s IP address demonstrated previous suspicious activity online.  Review your client IP address for malicious activity at Project Honeypot.  If no suspicious activity is observed from the visitor’s IP address after a two-week period, Cloudflare stops challenging the IP address.
  2. The website owner blocked the country associated with the visitor’s client IP.
  3. The visitor’s actions activated a Web Application Firewall rule enabled by the website owner.

An example Captcha page is similar to the following:

screenshot of a captcha challenge

Cloudflare employees cannot remove a Captcha.  Only the website owner can configure their Cloudflare settings to stop the Captcha.  When observing a Cloudflare Captcha page similar to the above, there are several possible approaches to resolve the issue:

  1. Successfully pass the Captcha to visit the website.  Cookies and JavaScript support are required in browser settings to pass the captcha.  
  2. Request the website owner to whitelist the visitor’s IP address. 
  3. The visitor’s computer is infected and requires an antivirus scan.  Also, it is possible for an antivirus or firewall service on the client’s computer to block access to the Captcha image.


Set the Challenge Passage

Challenge Passage is managed via the Settings tab of the Cloudflare Firewall app and specifies the length of time your website is accessible to a visitor that successfully completed a previous Captcha or JavaScript challenge.  A visitor is issued a new challenge when the configured Challenge Passage time expires. Cloudflare recommends a setting between 15 and 45 minutes.  

The Challenge Passage does not apply to challenges issued by the Web Application Firewall (WAF).  Also, Challenge Passage does not apply to Rate Limiting unless the rate limit is configured to issue a challenge.


Related resources

Not finding what you need?

95% of questions can be answered using the search tool. This is the quickest way to get a response.

Powered by Zendesk