Threat score VS security level high

to add security to a certain page, will challenging threat score greater than 10, add security if the security level in global settings is set to high?

only in one source i read that,

  • High – Threat scores greater than 0 will be challenged.
  • Medium – Threat scores greater than 14 will be challenged.
  • Low – Threat scores greater than 24 will be challenged.
  • Essentially off – Threat scores greater than 49 will be challenged.

are these scores correct? what score to use to have more restrict security than the high level?

Yes. Security Level · Cloudflare Web Application Firewall (WAF) docs

More strict would be the I’m Under Attack level, which will challenge every request.


So, a threat score 10 would be more restrict than the security high level.

Reading the following from the source you shared:
To prevent bot IPs from attacking a website, a new website owner might set a Medium or High Security Level and lower Challenge Passage 5 to 30 minutes to ensure that Cloudflare is constantly protecting the site

So, it is not browser/cookies dependent. it is IP dependent. So, for dynamic IPs and passage period longer than 1 day would not make sense. right ?

No. It would be less restrict. The only option that would be more restrict than a High security level is a I’m Under Attack security level.

Correct. There are other security products, such as Browser Integrity Check, minimum TLS version, etc that may be used to restrict on a non-IP basis.

It all depends on how quickly the dynamic IP changes. My former ISP would change my public IPv4 every other day. My current one does not change it for a long time, unless I reset the modem. A botnet attacking/probing your website may change IP at every request.

Since you can’t know, you’d have to think in terms of probabilities, as well as the general profile of your legit visitors. But then the Managed Challenge is not supposed to be solved by bots. I always assume that if a captcha is to be presented to a visitor, it will only be solved by legit visitors, and therefore I set my challenge passage to a very long time. However, I do have in place other behavior-based firewall rules to handle malicious bots with a block action, even if they manage to bypass the challenge.

1 Like

got it. So, it will only add security if the FW is to block score higher than 10 to that certain page.

From your experience, would you use score 5 to protect an admin panel ? or 10 is good

I wouldn’t do that. A threat score is an automated ranking that is subject to many false positives. You should study your logs for what’s being requested and create rules that block based on behavior, not on IP addresses. For example:

URI Path contains .php 
URI Path contains "../../"
then Block

This is just a generic example, you need to study your own website and the kind of malicious requests it gets and craft your own criteria for blocking.

I have the security level set at High (score greater than 0) for my admin area. But the main protection are the Zero Trust Access Policies that bar access to the backend without previous identity-based authentication.

1 Like

@cbrandt Thanks for the helpful info.
regarding security level high, does it challenge any IP that visits the site for the first time ? or only if that IP has some bad history on other sites in the last 14 days ?

The link I posted above tiled Understanding the Cloudflare Security Level explains it all.

1 Like

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.