What do the CloudFlare CAPTCHA and Challenge pages look like for users?
Solution 1
I tried setting up a challenge for my own IP address and this is what I got:
Another test shows sometimes the Google reCAPTCHA system is used:
That appears to be the default challenge page, but if you are using a paid plan there are options to customize the following error pages:
- IP/Country Block
- WAF Block
- 500 Class Errors
- Enable Origin Error Pages
- 1000 Class Errors
- Always Online™ Error
- Basic Security Challenge
- WAF Challenge
- Country Challenge
- I'm Under Attack Mode™ Challenge
In the firewall section you can also change how often the CAPTCHA will appear (from 5 minutes up to 1 year).
Also it appears that the CAPTCHA response is saved per domain (likely using a cookie), and completing a challenge will allow access to that domain and all sub-domains. Also the challenge page is displayed to the user with a 403 Forbidden response code, which can cause issues with JavaScript/CSS if you load those from another domain behind Cloudflare and that domain is included in the challenge with no way to complete the CAPTCHA.
Also I just found out that the CAPTCHA challenge can change for IPs with higher threat scores or JavaScript/cookies disabled:
@wiretapped The captchas are from Google's reCaptcha. The higher the threat score with the IP = a harder challenge page.
This may or may not occur with IP bans, but here is an example from tor accessing stackoverflow.com with noscript blocking JavaScript:
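The cross-domain asset problem described in this answer (a challenge page coming back with a 403 in place of a script or stylesheet, and the clearance cookie only covering the domain it was set for) is easy to check for from a test harness. The following is an added example, not code from the answer or from Cloudflare: it classifies fetched sub-resource responses and flags the ones a user could never clear. The challenge page titles it matches on ("Attention Required! | Cloudflare" and "Just a moment...") and the use of the `server: cloudflare` header as a hint are my assumptions, as are the hostnames, and the sample responses are constructed rather than captured.

```python
"""Flag JS/CSS sub-resources that a Cloudflare challenge page is being served in place of.

Added example, not from the original answer. Assumptions: the challenge page
titles listed below, the "server: cloudflare" response header as a hint, and
the constructed hostnames and responses used in SAMPLE.
"""
import posixpath
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Page titles assumed for Cloudflare's CAPTCHA/Under Attack page and its JavaScript challenge page.
CHALLENGE_MARKERS = ("Attention Required! | Cloudflare", "Just a moment...")

# What a browser expects back for each asset type; anything else is suspicious.
EXPECTED_TYPES = {
    ".js": ("application/javascript", "text/javascript"),
    ".css": ("text/css",),
}


@dataclass
class Fetched:
    """One response as a test harness would record it; header names are lower-cased."""
    url: str
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


def content_type(resp):
    """Media type without parameters, e.g. 'text/html' from 'text/html; charset=UTF-8'."""
    return resp.headers.get("content-type", "").split(";")[0].strip().lower()


def classify(resp):
    """Return 'ok', 'challenge', 'blocked' or 'unexpected' for one fetched asset."""
    ext = posixpath.splitext(urlsplit(resp.url).path)[1].lower()
    expected = EXPECTED_TYPES.get(ext, ())
    ctype = content_type(resp)
    served_by_cf = resp.headers.get("server", "").lower() == "cloudflare"
    if resp.status == 200 and (not expected or ctype in expected):
        return "ok"
    if resp.status == 403 and served_by_cf and ctype == "text/html":
        # The answer notes challenge pages arrive as 403 Forbidden HTML.
        if any(marker in resp.body for marker in CHALLENGE_MARKERS):
            return "challenge"
        return "blocked"
    return "unexpected"


def domain_matches(cookie_domain, host):
    """RFC 6265 domain-match: Domain=example.com covers example.com and every subdomain of it."""
    cookie_domain = cookie_domain.lstrip(".").lower()
    host = host.lower()
    return host == cookie_domain or host.endswith("." + cookie_domain)


def audit(clearance_cookie_domain, responses):
    """List (url, verdict) for every asset that did not come back cleanly.

    A challenged asset on a host covered by the clearance cookie will load once the
    user passes the challenge on the page itself; one on an uncovered host never will,
    because the 403 challenge page is not something a <script> or <link> tag can complete.
    """
    findings = []
    for resp in responses:
        verdict = classify(resp)
        if verdict == "ok":
            continue
        if verdict == "challenge":
            host = urlsplit(resp.url).hostname or ""
            covered = domain_matches(clearance_cookie_domain, host)
            verdict = "challenge-coverable" if covered else "challenge-uncoverable"
        findings.append((resp.url, verdict))
    return findings


# Constructed sample responses (not real captures) for a page on app.example.com.
SAMPLE = [
    Fetched("https://static.example.com/app.js", 200,
            {"content-type": "application/javascript; charset=utf-8", "server": "cloudflare"},
            "console.log('loaded');"),
    Fetched("https://static.example.com/vendor.js", 403,
            {"content-type": "text/html; charset=UTF-8", "server": "cloudflare"},
            "<html><head><title>Just a moment...</title></head></html>"),
    Fetched("https://cdn.example.org/site.css", 403,
            {"content-type": "text/html; charset=UTF-8", "server": "cloudflare"},
            "<html><head><title>Attention Required! | Cloudflare</title></head></html>"),
    Fetched("https://api.example.net/blocked.js", 403,
            {"content-type": "text/html; charset=UTF-8", "server": "cloudflare"},
            "<html><head><title>Access denied</title></head></html>"),
]

if __name__ == "__main__":
    # The clearance cookie is assumed to have been set with Domain=example.com by the page host.
    for url, verdict in audit("example.com", SAMPLE):
        print(f"{verdict:22s} {url}")
```

Run it as a script to see the verdicts; the `challenge-uncoverable` line is the case the answer warns about, where the stylesheet host is on a different registrable domain and the clearance cookie from the page will never be sent with that request.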
Solution 2
Recently CloudFlare added another option to their Firewall section called JavaScript Challenge, which will display a loading page with three animated dots for up to 5 seconds:
It appears to also use cookies to save the results and allow future access without re-testing.
Solution 3
Cloudflare switched from Google ReCAPTCHA to hcaptcha.
https://blog.cloudflare.com/moving-from-recaptcha-to-hcaptcha/
There is a picture of what it looks like at the bottom of the cloudflare blog link.
Greg Bray
Updated on June 14, 2022
Comments
- Greg Bray almost 2 years
In the CloudFlare Web Application Firewall you are able to block, whitelist, CAPTCHA, or JavaScript Challenge traffic based on IP address, country name, or ASN. The only note provided on the CAPTCHA section is:
If you are unsure whether suspicious web visitor behavior is illegitimate traffic, you can set up a challenge page. This page asks visitors to submit a CAPTCHA successfully to continue their action. If the web visitor fails the challenge, they will be blocked from your website.
What do the CAPTCHA and challenge pages look like?