Force Captcha to appear on a specific page


I am using it with the Under Attack mode so all requests pass first by a JS Challenge.

Now, I would like also to show a Captcha (similar to Google Recaptcha for example) on specific pages: /registration for example.

I tried to create a firewall rule with the URI /registration that actions Legacy Captcha . But it is not working for two reasons:

  1. the user can access it directly if he already pass first the JS Challenge, thrown by the Under Attack Mode
  2. when he access directly the URI, he is shown a Cloudflare page different that the JS Challenge, but NO captcha is shown. It seems similar to the JS Challenge (automatically completed).

I need a Captcha similar to reCaptcha/hCaptcha ( because I am facing users using real browsers but with browsers extensions that automate actions (and act like bots).


Thank you for asking.

Are you trying to add a “captcha” to the /registration URL when someone visits it, or rather to have the captcha on the form for the registration on the /registration URL?

I could wrongly understood what you want to achieve, if so I sorry for that.

I would rather us Managed Challenge in your case.

Yes, that’s it!

I want to force the apparition of a captcha similar to reCaptcha/hCaptcha ( when the user go to this page, even if he already passed the JS Challenge.

It is because I am facing users using real browsers with js extension that automate some actions.

May I ask what option have you selected from the dropdown menu of the Challenge Passage option at Cloudflare dashboard for your domain name under the Firewall → Settings tab?
Try setting it to the lower - 5 minutes.

What comes to my mind, instead of using Firewall Rule, you could try to use Cloudflare Page Rules :thinking:

Therefore, create one for* and pick the Security Level option and select “I am under an attack!”.

Nevertheless, I would also try to configure a Rate Limiting rule for this specific URL, like for example:

  • if more than 10 requests to this URL from the same IP in a minute or 10 minutes, block it.

You can set Rate Limiting by navigating to the Firewall → Tools tab → section “Rate Limiting”.

Ouch, true, I am sorry to hear you are also experiencing them :slightly_frowning_face:

I believe my colleague @jnperamo could add a few valuable notes and provide information about this here as far as he is more experienced than me with this kind of “users” (read: bots).

1 Like

I believe that this is the way the system is currently designed; I don’t think it’s made to support challenges on top of each other; you will have to choose between captcha or js challenge (you would need to disable UAM).

Weird, I haven’t seen this yet.

Those bots are quite problematic; some of the customers I manage sites have similar problems. Captcha isn’t a long-term solution because some browser extensions can solve any captcha presented to them.
Bot management could help; however, we’d be entering the enterprise world where things get very expensive.

Finally, be advised that to force captcha, you will need a paid package.

1 Like

Maybe you are referring to the Browser Integrity Check option, if enabled at the Cloudflare Dashboard → Firewall → Settings, or if Bot Fight Mode option is enabled at Firewall → Bots? :thinking:

It was 4 hours. If I change it to 5 mins, it doesn’t really change anything since they are bots using real browsers (ex : js extension).

Yes, after tooling a lot with Cloudflare I also believe that it is the way the system is designed.

Got it. But I also understand that even with a paid package, challenges cannot work on top of each other (eg. js challenge for all the defaults pages, then reCaptcha for registration page).
I also believe that it is not possible to automate the appareance of a Captcha (of type reCaptcha) on a specific page with Cloudflare.

No. I believe that “Managed challenge”/“Captcha Legacy” just shows older version of the “JS Challenge” :

Let me know if you have any idea.

That’s right

This one is possible, the action is called Legacy Captcha now. You can’t choose your captcha provider though. It would be great if Cloudflare supported multiple Captcha vendors.

It shows whatever the system is better for the type of visitor. You have to trust Cloudflare system “smartness” to deliver the right challenge (JS or Captcha).
The idea is to reduce the friction with legitimate visitors.

I can confirm you that Legacy Captcha shows the following page:

As you can see, it is “checking your browser” so if the bot is using a real browser, it won’t block it.

Here is my firewall rule:

I also disabled the UAM mode so there is no captcha taking over the “legacy captcha”.

Am I doing something wrong?

Not at first glance. Are you entirely sure no other rule is overriding the captcha? If so, can you make a ticket asking if this is the expected behavior? Let us know the ticket # once you have it.

Yeah that’s not good at all :sweat_smile:

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.