Cloudflare Challenge
and CapMonster Cloud

Captcha solving, website installation, and testing.

Inherited a site with a captcha or another protection layer but no access to the source code? In that case you naturally ask: which solution is installed, is it configured correctly, and how can the workflow be tested?

In this article, we have tried to answer all the key questions. The first step in solving the task is to determine which protection system is being used. To do this, you can refer to the list of popular captchas and anti-bot protection systems, where you will find visual examples and key indicators that help you quickly understand what you are dealing with.

If you discover that your site uses Cloudflare Challenge, the next step is to study its properties and operation in more detail. In this article, you can also review the instructions on how to integrate Cloudflare Challenge so that you fully understand how it functions on your site. This will help you not only understand the current protection, but also properly plan its maintenance.

What is Cloudflare Challenge

Cloudflare Challenge (or Interstitial Challenge Pages) is a verification system by Cloudflare designed to protect websites from bots, spam, and malicious traffic. When Cloudflare suspects that a request is not from a real visitor (for example, due to a suspicious IP or missing JavaScript), it presents a Challenge — a 'test' that must be passed to confirm you are human. This type of verification differs from Turnstile because users first see an interstitial page with the message “Just a moment…” and “Verifying you are human. This may take a few seconds.”

How to Solve Cloudflare Challenge with CapMonster Cloud

When testing protection with the Cloudflare Challenge, it is important to ensure that the verification works correctly and properly filters out suspicious traffic.

You can manually test the challenge installed on your page:

Open the page in incognito mode where the Challenge is expected and ensure that the captcha is displayed.
Try inserting incorrect cf_clearance cookies in the browser (see details below) — the server should return an error.
After successfully solving the captcha, the actual website page should open without verification.

For automated testing and captcha recognition, you can use specialized services such as CapMonster Cloud — a tool that takes captcha parameters, processes them on its servers, and returns a ready-made solution. This solution (token or cookie) can be inserted into a form or browser to pass the verification without user interaction.

Working with CapMonster Cloud via API typically involves the following steps:

Creating a task

At this stage, you pass your API key, captcha type, and its parameters. The service returns a unique taskId, which can be used later to get the result.

Sending an API request

The following parameters must be specified in the request to solve the Cloudflare Challenge:

type - TurnstileTask

websiteURL - URL of the page where the captcha is being solved

websiteKey - Turnstile key (any string can be passed)

cloudflareTaskType - cf_clearance

htmlPageBase64 - The Base64-encoded “Just a moment” HTML page that is returned with a 403 status code when accessing a site protected by this mechanism.

userAgent - Browser User-Agent. Pass only the current UA from Windows OS.

You also need to use your own proxies for this task:

proxyType :

http – regular HTTP/HTTPS proxy;
https – try this if “http” does not work (required for some custom proxies);
socks4 – SOCKS4 proxy;
socks5 – SOCKS5 proxy.

proxyAddress - Proxy IP address (IPv4/IPv6).

proxyPort - Proxy port.

proxyLogin - Proxy username.

proxyPassword - Proxy password.

Find more details about the parameters and how to gather them automatically before sending a task in the CapMonster Cloud documentation.

Endpoint for sending the task:

https://api.capmonster.cloud/createTask

Request example:

{
  "clientKey":"API_KEY",
  "task": {
	"type":"TurnstileTask",
	"websiteURL":"https://example.com",
	"websiteKey":"xxxxxxxxxx",
	"cloudflareTaskType": "cf_clearance",
	"htmlPageBase64": "PCFET0NUWVBFIGh0...vYm9keT48L2h0bWw+",
	"userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/145.0.0.0 Safari/537.36",
	"proxyType":"http",
	"proxyAddress":"8.8.8.8",
	"proxyPort":8080,
	"proxyLogin":"proxyLoginHere",
	"proxyPassword":"proxyPasswordHere"
  }
}

Response:

{
  "errorId":0,
  "taskId":407533072
}

Receiving the result

After creating the task, poll the solution status.

Address to receive the result:

https://api.capmonster.cloud/getTaskResult

Request example:

{
  "clientKey":"API_KEY",
  "taskId": 407533072
}

Response:

{
  "errorId": 0,
  "status": "ready",
  "solution": {
    "cf_clearance": "1tarGvbY2_ZhQdYxpSBloao.FoOn9VtcJtmb_IQ_hCE-1761217338-1.2.1.1-vyVPoLYIGX0VCJomVuLjF7n0kdM0PXaPjpDsRcohxGr7hb2CE7WfcHpmQZ70goqEjdWxPsDhSVaKNTz9opxWguiNdWEEq_.SceWXIqfP7tnEb69f3bP0mixNqcWy_5P_9INpoAEqr1k7aYU0r45PT4gPr5pwHxedVySyLRdoBXIJasdTE52YOQ3NPdGWTwQ_3h2n_wYqqIvf0kCSAvimRrmsgZxomlyejwqPI6ZHi.w"
  }
}

Inserting cf_clearance

The obtained solution (cookie cf_clearance) can be set in the browser or sent with an HTTP request using the header Cookie: cf_clearance=<value>. For automation, tools like Puppeteer, Selenium, or Playwright are convenient to simulate user actions, insert cookies, and submit forms.

Recognizing Cloudflare Challenge Using Ready-Made Libraries

CapMonster Cloud provides ready-made libraries for Python, JavaScript (Node.js), and C#.

Python

JavaScript

Solving Challenge and Inserting Cookie

Node.js example for the full cycle of captcha recognition on your website. Approaches: use HTTP requests to get HTML and protection parameters, send the response and process the result. Or with automation tools (like Playwright) — open the page, wait for verification, send parameters through CapMonster Cloud, get the result, insert the cookie into the browser (for testing, you can use correct or incorrect values), and see the result.


  // npm install playwright @zennolab_com/capmonstercloud-client
// npx playwright install chromium

import { chromium } from 'playwright';
import {
  CapMonsterCloudClientFactory,
  ClientOptions,
  TurnstileRequest
} from '@zennolab_com/capmonstercloud-client';

// Settings — replace with your own
const API_KEY = 'YOUR_API_KEY';
const TARGET_URL = 'https://www.example.com';
const SITE_KEY = 'xxxxx'; // any string is allowed
const USER_AGENT = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/145.0.0.0 Safari/537.36';

// Proxy settings
const proxy = {
  proxyType: 'http',
  proxyAddress: '8.8.8.8',
  proxyPort: 8080,
  proxyLogin: 'proxyLogin',
  proxyPassword: 'proxyPassword'
};

async function main() {

  const cmcClient = CapMonsterCloudClientFactory.Create(
    new ClientOptions({ clientKey: API_KEY })
  );

  // Launch browser
  const browser = await chromium.launch({
    headless: false,
    proxy: proxy.proxyAddress ? {
      server: `${proxy.proxyType}://${proxy.proxyAddress}:${proxy.proxyPort}`,
      username: proxy.proxyLogin,
      password: proxy.proxyPassword
    } : undefined
  });

  // Create context with required User-Agent and window size (optional)
  const context = await browser.newContext({ userAgent: USER_AGENT, viewport: { width: 1280, height: 800 } });

  // Create page and load target URL
  const page = await context.newPage();
  const resp = await page.goto(TARGET_URL, { waitUntil: 'domcontentloaded', timeout: 60000 });
  console.log('Initial request status:', resp?.status());

  // Get page HTML and convert to Base64 for CapMonster
  const htmlBase64 = Buffer.from(await page.content(), 'utf-8').toString('base64');

  // Create Turnstile task to get cf_clearance
  const solveResult = await cmcClient.Solve(new TurnstileRequest({
    websiteURL: TARGET_URL,
    websiteKey: SITE_KEY,
    cloudflareTaskType: 'cf_clearance',
    htmlPageBase64: htmlBase64,
    userAgent: USER_AGENT,
    proxy: proxy.proxyAddress ? proxy : undefined
  }));

  const cf_clearance = solveResult?.solution?.cf_clearance;
  if (!cf_clearance) {
    console.error('Failed to get cf_clearance from CapMonster:', solveResult);
    await browser.close();
    return;
  }
  console.log('cf_clearance obtained:', cf_clearance);

  // Add cf_clearance cookie to browser context
  await context.addCookies([{
    name: 'cf_clearance',
    value: cf_clearance,
    domain: '.' + new URL(TARGET_URL).hostname,
    path: '/',
    httpOnly: true,
    secure: true
  }]);
  console.log('Cookie cf_clearance successfully added to browser.');

  // Reload page with cf_clearance set
  const page2 = await context.newPage();
  const resp2 = await page2.goto(TARGET_URL, { waitUntil: 'domcontentloaded', timeout: 60000 });
  console.log('Request status after setting cf_clearance:', resp2?.status());

  await browser.close();
  console.log('Script finished.');
}

main().catch(err => {
  console.error('An error occurred:', err);
  process.exit(1);
});

There is also an option to test captcha recognition using the CapMonster Cloud browser extension, which allows you to quickly check the captcha workflow directly on the page and track the solving process in real time without writing code – available for Chrome and Firefox.

How to Connect Cloudflare Challenge to Your Website

To confidently understand captcha on your site, its verification logic, and to reconnect or reconfigure, we recommend this section. It explains the protection setup process — helping you quickly grasp all nuances.

1. Register or log in and connect your domain to Cloudflare.

2. Enable Challenge via WAF Rule.

Navigate to: Security → Custom Rules → Create rule

More information is available here.

Example condition (check the entire login page):

http.request.uri.path contains "/login"

3. Choose an action:

Managed Challenge (recommended) — the system decides automatically whether to show a challenge and which type.

You can also choose Interactive Challenge, Skip, Block, or JavaScript Challenge. Learn more about the verification types in the documentation and decide which type is most convenient for you.

Set other required options and click Deploy.

After verification, the user receives a cf_clearance cookie allowing repeated access from the same device/browser without a Challenge.

Also, if you need to integrate the Turnstile widget on your site, you can check out the following article. Cloudflare Turnstile allows visitors to pass bot verification without using image captchas or complex tasks, while issuing a token that confirms the user is human.

Possible errors and debugging

Incorrect domain or rule configuration

Challenge is not displayed. Check that the WAF rule is assigned to the correct URI, path, or host.

Page or challenge load timeout

Browser or client did not wait for Cloudflare’s response. Increase timeouts in tests and monitoring.

Repeated check or expired cf_clearance

If a visitor uses an expired cf_clearance, the system will show the Challenge again.

Another verification follows the Challenge

Simultaneous use of Challenge + custom rules may lead to looped verifications. Follow Cloudflare recommendations to resolve.

Protection resilience checks

Try requesting the page without cf_clearance — the Challenge should trigger.

Test repeated access with an already set cf_clearance — the visitor should bypass additional checks at the same or lower level.

Conduct load testing (e.g., with k6 or JMeter) at high request rates — the Challenge should display correctly and WAF remain stable.

Check server response for expired or incorrect cookies. Expected: a repeated Challenge.

Security and optimization tips

Configure WAF rules and Managed/JS/Interactive Challenge according to risk level.

Configure WAF rules and Managed/JS/Interactive Challenge according to risk level.

Log security events and challenge passing status to understand block reasons and identify false positives.

Log security events and challenge passing status to understand block reasons and identify false positives.

For transparency and compliance, add links to <b>Privacy Policy</b> and <b>Terms of Use</b> of Cloudflare/site on pages with Challenge.

For transparency and compliance, add links to Privacy Policy and Terms of Use of Cloudflare/site on pages with Challenge.

Conclusion

If you’ve taken over a website that already has a captcha or another protection system installed, but you don’t have access to the code, don’t worry! It’s quite easy to identify which technology is being used. To verify that everything works correctly, you can use the CapMonster Cloud recognition service in an isolated test environment to make sure that the token processing mechanism and the validation logic are functioning properly.

In the case of Cloudflare Challenge, it’s enough to detect the system, observe its behavior, and confirm that the protection is working correctly. In this article, we showed how to identify Cloudflare Challenge and where to find instructions on how to integrate or reconfigure it, so you can confidently maintain the protection and keep its operation under control.

Helpful links

Cloudflare Challenge Documentation →

CapMonster Cloud Documentation (Cloudflare Challenge) →

What is Cloudflare CAPTCHA and how to solve it with CapMonster Cloud →

How Cloudflare detects automated traffic: protecting your site from bots →

The CapMonster Cloud browser extension is available for Chrome and Firefox. Full installation and usage instructions are available here.

Cloudflare Challenge and CapMonster Cloud

How to Solve Cloudflare Challenge with CapMonster Cloud

Cloudflare Challenge
and CapMonster Cloud