How Challenges work
Challenges can be issued in three primary ways depending on which Cloudflare products or features are in use. Each method is designed to balance security with seamless visitor experience.
Product | Challenge type(s) |
---|---|
WAF (custom rules, rate limiting rules, IP access rules) | Interstitial Challenge Page |
Bot Management | JavaScript detection |
Bot Fight Mode, Super Bot Fight Mode | Interstitial Challenge Page |
Turnstile | Embedded widget |
HTTP DDoS attack protection | Any Challenge |
Under Attack Mode | Managed Challenge |
Challenge Pages and Turnstile rely on the same underlying mechanism to issue Challenges to your website or application's visitors.
JavaScript detections support Cloudflare's Enterprise Bot Management. While it still relies on client-side detections, JavaScript detections function using a more performant challenge logic than Challenge Pages or Turnstile.
Refer to the following pages for more information on the different challenge types:
Cloudflare Challenges cannot support the following:
- Browser extensions that modify the browser's `User-Agent` value or Web APIs such as `Canvas` and `WebGL`.
- Implementations where a domain serves a challenge page originally requested for another domain.
- Challenge Pages cannot be embedded in cross-origin iframes.
- Client software where the solve request of a Managed Challenge comes from a different IP than the original IP a Challenge request was issued to. For example, if you receive the Challenge from one IP and solve it using another IP, the solve is not valid and you may encounter a Challenge loop.