So, a threat score of 10 would be more restrictive than the High security level.
Reading the following from the source you shared:
To prevent bot IPs from attacking a website, a new website owner might set a Medium or High Security Level and lower Challenge Passage to 30 minutes to ensure that Cloudflare is constantly protecting the site
So, it is not browser/cookies dependent. It is IP dependent. So, for dynamic IPs, a passage period longer than 1 day would not make sense, right?
No. It would be less restrictive. The only option that would be more restrictive than a High security level is an I’m Under Attack security level.
Correct. There are other security products, such as Browser Integrity Check, minimum TLS version, etc., that may be used to restrict on a non-IP basis.
It all depends on how quickly the dynamic IP changes. My former ISP would change my public IPv4 every other day. My current one does not change it for a long time, unless I reset the modem. A botnet attacking/probing your website may change IP at every request.
Since you can’t know, you’d have to think in terms of probabilities, as well as the general profile of your legit visitors. But then the Managed Challenge is not supposed to be solved by bots. I always assume that if a captcha is to be presented to a visitor, it will only be solved by legit visitors, and therefore I set my challenge passage to a very long time. However, I do have in place other behavior-based firewall rules to handle malicious bots with a block action, even if they manage to bypass the challenge.
I wouldn’t do that. A threat score is an automated ranking that is subject to many false positives. You should study your logs for what’s being requested and create rules that block based on behavior, not on IP addresses. For example:
URI Path contains .php
URI Path contains "../../"
This is just a generic example; you need to study your own website and the kind of malicious requests it gets and craft your own criteria for blocking.
I have the security level set at High (score greater than 0) for my admin area. But the main protection is the Zero Trust Access Policies that bar access to the backend without previous identity-based authentication.
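The advice above about studying your logs and blocking on request behavior rather than on IP addresses, as an added example that is not part of the original posts: it checks the two "URI Path contains" criteria against access-log lines before they are turned into a rule. The log lines, the combined log format and the function names are assumptions made for this illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in combined log format (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Mar/2024:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 404 162
198.51.100.8 - - [10/Mar/2024:10:00:02 +0000] "GET /xmlrpc.php HTTP/1.1" 404 162
203.0.113.20 - - [10/Mar/2024:10:00:05 +0000] "GET /blog/hello-world/ HTTP/1.1" 200 5120
198.51.100.9 - - [10/Mar/2024:10:00:07 +0000] "GET /static/..%2F..%2Fconfig HTTP/1.1" 400 0
203.0.113.21 - - [10/Mar/2024:10:00:09 +0000] "GET /about/ HTTP/1.1" 200 2048
198.51.100.10 - - [10/Mar/2024:10:00:11 +0000] "POST /admin.php?x=1 HTTP/1.1" 404 162
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3})')
CRITERIA = [".php", "../../"]  # the two "URI Path contains" criteria from the post


def evaluate(log_text, criteria=CRITERIA):
    """Count, per criterion, the matching requests, their source IPs and their paths."""
    report = {c: {"hits": 0, "ips": set(), "paths": set()} for c in criteria}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, target, _status = m.groups()
        # Match on the path only: drop the query string, then percent-decode
        # (decoding is this example's assumption about how to read the log).
        path = unquote(target.split("?", 1)[0])
        for c in criteria:
            if c in path:
                report[c]["hits"] += 1
                report[c]["ips"].add(ip)
                report[c]["paths"].add(path)
    return report


def would_block_legit(report, legit_paths):
    """Paths you know are legitimate that one of the criteria would also block."""
    matched = set().union(*(r["paths"] for r in report.values()))
    return matched & set(legit_paths)


if __name__ == "__main__":
    rep = evaluate(SAMPLE_LOG)
    for crit, r in rep.items():
        print(f"{crit!r}: {r['hits']} hits from {len(r['ips'])} distinct IPs")
    print("legit paths hit:", would_block_legit(rep, ["/blog/hello-world/", "/about/"]))
```

In the constructed sample every matching request comes from a different IP, which is the case where a path-based criterion still matches and an IP-based one does not. A non-empty result from `would_block_legit` means the criterion is too broad for that site.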
@cbrandt Thanks for the helpful info.
Regarding security level High, does it challenge any IP that visits the site for the first time? Or only if that IP has some bad history on other sites in the last 14 days?