Do Workers have CAPTCHA challenges?

Hi, I’m looking into Cloudflare Workers and was wondering if CAPTCHA challenges also block suspicious Worker requests. If I want to develop a simple REST API using Workers then I can’t have CAPTCHA challenges block requests since this will not be possible to process by the API consumer.

So what I need to know is if CAPTCHA challenges are a thing with Cloudflare Workers and if so then I’d like to know if the can be completely disabled.

I’ve done distributed load at 50 000 req over 40 seconds, not a single one has got stuck in a captcha.

That said, it would be best if CF could answer this officially since I don’t know what the policy is.

Thanks for the info, if a Cloudflare employee could confirm this that would be awesome.

If you want you can turn security to “Essentially off” for those routes or the equivalent page rules. That will basically disable challenges.

You can also make a firewall rule to allow everyone within an IP range

That being sad, I’ve still heard of some extreme cases where cloudflare blocks/challenges bad actor ips regardless

I think this is actually a real problem. I have an image resizing worker that’s being challenge/blocked by a country-based Cloudflare firewall setting. I can understand Cloudflare protecting any request before it gets to the worker, but Cloudflare’s own workers should never be presented with a Cloudflare challenge page! Basically, Cloudflare should always implicitly trust its own edge servers.

Below is the error I get when my image resizing worker tries to access an image, when the request is made from a Cloudflare edge server located in a country for which I’ve requested a challenge page:

Could not fetch the image — the server returned HTTP error:
status: 502
statusText: Bad Gateway
headers: {}
redirected: false
webSocket: null

... in response to a request to

I cannot seem to get around this. Cloudflare workers are not allowed direct IP access to my origin server, and lifting all security for the origin image in page rules has not helped.

Any ideas?

Here is my worker code:

addEventListener("fetch", (event) => {
			(err) => new Response(err.stack, { status: 500 })

async function handleRequest(request) {

	const ORIGIN = ''; // origin of the images, with trailing slash

	// Parse request URL to get access to query string
	const url = new URL(request.url);

	const path = url.pathname;  // get path and file part of URL
	console.log('path: '+path);

	// Cloudflare-specific options are in the cf object.
	const options = { cf: { image: {} } };

	// Set defaults = 600;   // default to something not too monstrous = 'scale-down'; = 0.6; = 95; = '#FFFFFF';

	const imageURL = ORIGIN + 'images/sample.jpg';	// get origin server's full path to image, hardcoded here for simplicity

	// Build a request that passes through request headers,
	// so that automatic format negotiation can work.
	const imageRequest = new Request(imageURL, {
		headers: request.headers,

	// Returning fetch() with resizing options will pass through response with the resized image.
	let response = await fetch(imageRequest, options);

	// Reconstruct the Response object to make its headers mutable.
	response = new Response(response.body, response);

	if (response.ok || response.status == 304) {
			'public, max-age=0, immutable',

		// Set Vary header
		response.headers.set('Vary', 'Accept');

		return response;
	} else {
		return new Response(
			`Could not fetch the image — the server returned HTTP error:
status: ${response.status}
statusText: ${response.statusText}
headers: ${JSON.stringify(response.headers)}
redirected: ${response.redirected}
url: ${response.url}
webSocket: ${response.webSocket}

... in response to a request to ${imageURL}`,
				status: 400,
				headers: {
					'Cache-Control': 'no-cache',

Keep mind mind a user is given a challenge page when coming in from countries in my “suspicious” firewall list. However, even thought the user may meet and pass the challenge page, the worker then attempting to access the image is being blocked from the resource.


Although Cloudflare support could not reproduce this on their end, the workaround was to make a new firewall rule before my country challenge rule. This would look for a URI containing my origin image (“images/sample.jpg”) and set the action to “Allow”. My mistake was thinking that a page rule set to “Disable Security” would accomplish the same thing.

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.