What do the CloudFlare CAPTCHA and Challenge pages look like for users?

I tried setting up a challenge for my own IP address and this is what I got:

Cloudflare Firewall Challenge Captcha

Another test shows sometimes the Google reCAPTCHA system is used:

Google reCAPTCHA from CloudFlare

That appears to be the default challenge page, but if you are using a paid plan, there are options to customize the following error pages:

  • IP/Country Block
  • WAF Block
  • 500 Class Errors
  • Enable Origin Error Pages
  • 1000 Class Errors
  • Always Online™ Error
  • Basic Security Challenge
  • WAF Challenge
  • Country Challenge
  • I'm Under Attack Mode™ Challenge

In the firewall section you can also change how often the CAPTCHA will appear (from 5 minutes up to 1 year).

Also, it appears that the CAPTCHA response is saved per domain (likely using a cookie), and completing a challenge will allow access to that domain and all sub-domains. Also, the challenge page is displayed to the user with a 403 Forbidden response code, which can cause issues with JavaScript/CSS if you load those from another domain behind Cloudflare and that domain is included in the challenge with no way to complete the CAPTCHA.

Also, I just found out that the CAPTCHA challenge can change for IPs with higher threat scores or JavaScript/cookies disabled:

@wiretapped The captchas are from Google's reCaptcha. The higher the threat score with the IP = a harder challenge page.

This may or may not occur with IP bans, but here is an example from Tor accessing stackoverflow.com with NoScript blocking JavaScript:

CloudFlare Tor High Threat CAPTCHA with JavaScript disabled


Recently CloudFlare added another option to their Firewall section called JavaScript Challenge, which will display a loading page with three animated dots for up to 5 seconds:

CloudFlare JavaScript Challenge

It appears to also use cookies to save the results and allow future access without re-testing.
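
The 403 side effect described above can be spotted from a page's recorded subresource responses. This is an added example, not part of the original answer: the hostnames and response records are constructed, and `siteOf` is a simplified, hypothetical helper that treats the last two host labels as the site.

```javascript
// Constructed sample: responses recorded while loading https://www.example.com/
const sampleResponses = [
  { url: "https://www.example.com/main.js", expected: "script", status: 200, contentType: "application/javascript" },
  { url: "https://static.example.net/app.js", expected: "script", status: 403, contentType: "text/html; charset=UTF-8" },
  { url: "https://static.example.net/site.css", expected: "style", status: 403, contentType: "text/html; charset=UTF-8" },
  { url: "https://cdn.example.com/lib.js", expected: "script", status: 403, contentType: "text/html; charset=UTF-8" },
  { url: "https://api.example.net/private.js", expected: "script", status: 403, contentType: "application/json" },
];

// Content types a browser would accept for each kind of subresource.
const MIME_FOR = { script: /javascript|ecmascript/i, style: /^text\/css/i };

// Assumption: "site" = last two host labels. Real code should use the Public Suffix List.
function siteOf(url) {
  return new URL(url).hostname.split(".").slice(-2).join(".");
}

// A script or stylesheet answered with 403 and an HTML body is the signature
// of a challenge page served in place of the asset.
function looksLikeChallenge(r) {
  const wanted = MIME_FOR[r.expected];
  return Boolean(wanted) && r.status === 403 &&
    /^text\/html/i.test(r.contentType) && !wanted.test(r.contentType);
}

// Returns the challenged assets and whether a challenge solved on the page's
// own domain would cover them (the answer observes that a solved challenge
// applies to the domain and its sub-domains only).
function findChallengedAssets(pageUrl, responses) {
  const pageSite = siteOf(pageUrl);
  return responses.filter(looksLikeChallenge).map((r) => ({
    url: r.url,
    userCanClear: siteOf(r.url) === pageSite,
  }));
}

console.log(findChallengedAssets("https://www.example.com/", sampleResponses));
```

Assets reported with `userCanClear: false` sit on a different domain, so the visitor is never shown a CAPTCHA for them; those hosts need a firewall rule that does not challenge static asset requests.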