What do the CloudFlare CAPTCHA and Challenge pages look like for users?
I tried setting up a challenge for my own IP address and this is what I got:
Another test shows sometimes the Google reCAPTCHA system is used:
That appears to be the default challenge page, but if you are using a paid plan there are options to customize the following error pages:
- IP/Country Block
- WAF Block
- 500 Class Errors
- Enable Origin Error Pages
- 1000 Class Errors
- Always Online™ Error
- Basic Security Challenge
- WAF Challenge
- Country Challenge
- I'm Under Attack Mode™ Challenge
In the firewall section you can also change how often the CAPTCHA will appear (from 5 minutes up to 1 year).
Also, it appears that the CAPTCHA response is saved per domain (likely using a cookie), and completing a challenge will allow access to that domain and all sub-domains. Also, the challenge page is displayed to the user with a 403 Forbidden response code, which can cause issues with JavaScript/CSS if you load those from another domain behind Cloudflare and that domain is included in the challenge with no way to complete the CAPTCHA.
Also, I just found out that the CAPTCHA challenge can change for IPs with higher threat scores or JavaScript/cookies disabled:
@wiretapped The captchas are from Google's reCaptcha. The higher the threat score with the IP = a harder challenge page.
This may or may not occur with IP bans, but here is an example from Tor accessing stackoverflow.com with NoScript blocking JavaScript:
Recently CloudFlare added another option to their Firewall section called JavaScript Challenge, which will display a loading page with three animated dots for up to 5 seconds:
It appears to also use cookies to save the results and allow future access without re-testing.
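The cross-domain asset problem described in the answer above can be checked for mechanically. This added example (not part of the original answer) flags script and stylesheet responses that came back as a 403 HTML page and reports whether the asset host falls under the domain where the visitor completed the challenge. The hostnames and response records are constructed, and treating a 403 HTML response as a challenge page is an assumption.

```javascript
// Added example, not from the original answer. All hostnames and response
// records below are constructed sample data.

// True when `host` is `domain` itself or one of its sub-domains, i.e. a
// challenge completed on `domain` would also cover `host` (per the answer).
function coveredByChallenge(host, domain) {
  const h = host.toLowerCase().replace(/\.$/, "");
  const d = domain.toLowerCase().replace(/\.$/, "");
  return h === d || h.endsWith("." + d);
}

// Classify one sub-resource response seen while loading a page on `pageDomain`.
// res = { url, status, contentType }
function classifyAsset(res, pageDomain) {
  const host = new URL(res.url).hostname;
  const isHtml = /^text\/html\b/i.test(res.contentType || "");
  // Assumption: an HTML document served with 403 in place of a script or
  // stylesheet is the challenge page rather than the asset.
  if (!(res.status === 403 && isHtml)) {
    return res.status >= 200 && res.status < 300 ? "ok" : "other-error";
  }
  return coveredByChallenge(host, pageDomain)
    ? "challenged-same-site"   // the page's own challenge covers this host
    : "challenged-cross-site"; // visitor is never shown this host's challenge
}

function auditAssets(responses, pageDomain) {
  return responses.map((r) => ({ url: r.url, verdict: classifyAsset(r, pageDomain) }));
}

// Constructed sample: assets requested by a page on example.com.
const sample = [
  { url: "https://example.com/app.js", status: 200, contentType: "application/javascript" },
  { url: "https://static.example.com/site.css", status: 403, contentType: "text/html; charset=UTF-8" },
  { url: "https://cdn.assets-example.net/lib.js", status: 403, contentType: "text/html" },
  { url: "https://notexample.com/x.js", status: 403, contentType: "text/html" },
  { url: "https://example.com/missing.css", status: 404, contentType: "text/html" },
  { url: "https://api.example.com/data.js", status: 403, contentType: "application/json" },
];

for (const row of auditAssets(sample, "example.com")) {
  console.log(row.verdict.padEnd(22), row.url);
}
```

Assets reported as `challenged-cross-site` are the ones that stay broken for the visitor, since the challenge for that host is never rendered in a page they can interact with.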