Security Level Challenge Page

I migrated my first (of many) domains to Cloudflare and I like a lot of what I see it can do. However:

Can someone explain to me what this challenge page is, how it works, when it activates, etc. (Security Settings, security level, medium)

Security Level

Adjust your website’s Security Level to determine which visitors will receive a challenge page.

Apparently I can’t disable it. I don’t ever want a user to get a captcha or similar just to view my website (which is hosted outside cloudflare).

If this is a possibility, I might have to look elsewhere for a different registrar.

Basically this documentation provides you what you need to know: Security Level · Cloudflare Web Application Firewall (WAF) docs, it’s like an IP reputation system. You may change the setting to Essentially Off, if you wish.

If you notice any traffic challenged by Security Level even if you reduce the sensitivity (i.e. set to Essentially Off), then it’s very likely that the IP address belongs to malicious actors, which makes sense to issue a challenge to them.


Thanks for the feedback. I’ve read this page. Unfortunately only enterprise customers can turn it off. It also doesn’t describe how a “threat level” score is defined. What about clients that use shared networks, even upstream? Can one IP on a /24 or /16 prevent other clients from getting to my page?

Technically, how does it work? If Cloudflare is only providing DNS resolution, and they get a DNS request and score it negatively, do they resolve the query to their challenge page?

Do I get prompt activity notifications? What if I know the address is legit, can I override their challenge system?

Unfortunately only the most premium paying customers can adjust this setting. For the benefits they provide, I have no issue paying for a plan, Pro=$20, easy, Biz=$200, tougher to justify, Enterprise=$$$$$, not fiscally feasible. And it’s the latter where you can turn it off.

I can’t risk my business pages being blocked and have no control to adjust it.

Best explanation I’ve seen for those settings on https://dash.cloudflare.com/?to=/:account/:zone/security/settings is the documentation
Security Level · Cloudflare Web Application Firewall (WAF) docs

From the docs:
IP reputation is calculated based on Project Honeypot, external public IP information, as well as internal threat intelligence from our WAF managed rules and DDoS.

| Security Level | Threat Scores | Description |
|---|---|---|
| Off (Enterprise customers only) | N/A | Does not challenge IP addresses. |
| Essentially off | greater than 49 | Only challenges IP addresses with the worst reputation. |
| Low | greater than 24 | Challenges only the most threatening visitors. |
| Medium | greater than 14 | Challenges both moderate threat visitors and the most threatening visitors. |
| High | greater than 0 | Challenges all visitors that exhibit threatening behavior within the last 14 days. |
| I’m Under Attack! | N/A | Only for use if your website is currently under a DDoS attack. |

You can set it to essentially off to challenge only the worst of the worst.

Those settings have nothing to do with your domain registrar; if you move to another registrar and use Cloudflare, that setting will remain.


Thanks Cloonan,

I guess I’m looking for a deeper dive into the specifications. As a “free” member, only the community pages are available for support. I still ponder misclassifications. Suppose a NAT sitting in front of a /16 or /8 has a DDoS client behind it (or something less intrusive) (active now, or in the past). That could impact non-problematic clients from reaching my site.

I use cloudflare for DoH for clients. I’ve never used them as a registrar. I self-host the web server on a third party VPS. I migrated one domain name and found all these add-ons by chance. It troubles me I can’t “choose” to not use it and have little to no understanding on how it’s implemented, activated, managed, and allow exemptions.

They require you use their DNS (which is fine) and they have all these benefits (caching, acceleration(s), etc.). I bumped into this. Up front it’s a great value-add, but your ability to change it is based on your pricing tier. Off = Enterprise only. So there is “some” risk a client couldn’t reach my site.

I have no clue what the end user experience looks like. I’ll check YouTube to see if someone has documented the experience. Your links to the honeypot and WAF rules are appreciated.

Thanks

In addition to the in-built dash settings, you can create IP access rules to allow or block traffic based on a visitor’s IP address, country, or Autonomous System Number (ASN).
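To make the two posts above concrete, here is a small constructed model (added for this thread, not Cloudflare's own code) of how the Security Level thresholds from the quoted docs table and an IP access rule interact for one visitor. The evaluation order (an explicit allow/block rule wins over the reputation threshold), the visitor fields and the sample IP/ASN values are assumptions made for the illustration.

```python
"""Constructed model of Security Level thresholds plus IP access rules.
Illustration only: the evaluation order and data shapes are assumptions,
not a description of Cloudflare's internal implementation."""
import ipaddress

# Thresholds from the Cloudflare WAF docs table quoted in this thread:
# a visitor is challenged when its threat score is GREATER THAN the threshold.
SECURITY_LEVEL_THRESHOLD = {
    "off": None,            # Enterprise only: never challenge on reputation
    "essentially_off": 49,
    "low": 24,
    "medium": 14,
    "high": 0,
}


def matches(rule, visitor):
    """True if an IP access rule (ip/CIDR, country or ASN) applies to the visitor."""
    kind, value = rule["target"], rule["value"]
    if kind == "ip":
        return ipaddress.ip_address(visitor["ip"]) in ipaddress.ip_network(value)
    if kind == "country":
        return visitor["country"] == value
    if kind == "asn":
        return visitor["asn"] == value
    raise ValueError(f"unknown access rule target: {kind}")


def decide(level, visitor, access_rules=()):
    """Return 'allow', 'block' or 'challenge' for one request.
    Assumption: the first matching access rule overrides the Security Level."""
    for rule in access_rules:
        if matches(rule, visitor):
            return rule["action"]
    threshold = SECURITY_LEVEL_THRESHOLD[level]
    if threshold is None:
        return "allow"
    return "challenge" if visitor["threat_score"] > threshold else "allow"


# Constructed sample: a known partner office on a shared /24 (documentation
# range 203.0.113.0/24, private-use ASN 64496) whose neighbour has a bad score.
OFFICE_ALLOW = [{"target": "ip", "value": "203.0.113.0/24", "action": "allow"}]
NEIGHBOUR = {"ip": "203.0.113.7", "country": "US", "asn": 64496, "threat_score": 60}

if __name__ == "__main__":
    print(decide("medium", NEIGHBOUR))                # challenge
    print(decide("medium", NEIGHBOUR, OFFICE_ALLOW))  # allow (rule wins)
```

The allow rule is the answer to the "known legit address" question earlier in the thread: it exempts the whole shared range from the reputation check without lowering the Security Level for everyone else.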

