Cloudflare Waiting Room
and CapMonster Cloud

Captcha solving, website integration, and testing.

Inherited a site with a captcha or another protection layer but no access to the source code? In that case you naturally ask: which solution is installed, is it configured correctly, and how can the workflow be tested?

In this article, we have tried to answer all the key questions. The first step in solving the task is to determine which protection system is being used. To do this, you can refer to the list of popular captchas and anti-bot protection systems, where you will find visual examples and key indicators that help you quickly understand what you are dealing with.

If you discover that your site uses Cloudflare Waiting Room, the next step is to study its properties and operation in more detail. In this article, you can also review the instructions on how to integrate Cloudflare Waiting Room so that you fully understand how it functions on your site. This will help you not only understand the current protection, but also properly plan its maintenance.

What is Cloudflare Waiting Room

Cloudflare Waiting Room is a virtual queue that protects a website from overload during traffic spikes. If there are too many visitors, "excess" users are temporarily redirected to a waiting page, where they see their queue status and estimated entry time. As soon as a spot becomes available, they are automatically admitted to the site.

How to solve Waiting Room via CapMonster Cloud

When testing the Waiting Room mechanism, it is important to ensure that the queue functions correctly and regulates access to the site.

Here is how you can check this:

Open the page where the Waiting Room is enabled and ensure the queue appears when the user limit is exceeded.
Try accessing the site from multiple devices or browsers simultaneously to generate artificial load — some requests should be placed in the queue.
Verify that users placed in the queue see the waiting page and are then automatically admitted to the site when a spot becomes available.
Ensure that refreshing the page does not remove the user from the queue.

For automated testing and captcha recognition, you can use specialized services, such as CapMonster Cloud — a tool that accepts captcha parameters, processes them on its servers, and returns a ready-made solution. This solution (token or cookie) can be inserted into a form or browser to pass the verification without user interaction.

Working with CapMonster Cloud via API typically involves the following steps:

Creating a task

At this stage, you pass your API key, captcha type, and its parameters. The service returns a unique taskId, which can be used later to retrieve the result.

Sending an API request

The following parameters must be specified in the request to solve Cloudflare Waiting Room:

type - TurnstileTask;

websiteURL - URL of the page where the challenge is located;

websiteKey - Cloudflare key on the target site;

cloudflareTaskType - wait_room;

htmlPageBase64 - Base64 encoded HTML page containing the title <title>Waiting Room powered by Cloudflare</title>;

userAgent - Browser User-Agent. Pass only an up-to-date UA from Windows OS;

Also, for this task, you must use your own proxies:

proxyType :

http - standard HTTP/HTTPS proxy;
https - try this option if "http" does not work (required for some custom proxies);
socks4 - SOCKS4 proxy;
socks5 - SOCKS5 proxy;

proxyAddress - Proxy IPv4/IPv6 address;

proxyPort - Proxy port;

proxyLogin - Proxy server login;

proxyPassword - Proxy server password.

Find more details about the parameters and how to gather them automatically before sending a task in the CapMonster Cloud documentation.

Endpoint for sending the task:

https://api.capmonster.cloud/createTask

Request example:

{
  "clientKey":"API_KEY",
  "task": {
	"type":"TurnstileTask",
	"websiteURL":"https://example.com",
	"websiteKey":"xxxxxxxxxx",
	"cloudflareTaskType": "wait_room",
	"htmlPageBase64": "PCFET0NUWVBFIGh0...vYm9keT48L2h0bWw+",
	"userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/145.0.0.0 Safari/537.36",
	"proxyType":"http",
	"proxyAddress":"8.8.8.8",
	"proxyPort":8080,
	"proxyLogin":"proxyLoginHere",
	"proxyPassword":"proxyPasswordHere"
  }
}

Response:

{
  "errorId":0,
  "taskId":407533072
}

Receiving the result

After creating the task, poll the solution status.

Address to receive the result:

https://api.capmonster.cloud/getTaskResult

Request example:

{
  "clientKey":"API_KEY",
  "taskId": 407533072
}

Response:

{
  "errorId": 0,
  "status": "ready",
  "solution": {
    "cf_clearance": "1tarGvbY2_ZhQdYxpSBloao.FoOn9VtcJtmb_IQ_hCE-1761217338-1.2.1.1-vyVPoLYIGX0VCJomVuLjF7n0kdM0PXaPjpDsRcohxGr7hb2CE7WfcHpmQZ70goqEjdWxPsDhSVaKNTz9opxWguiNdWEEq_.SceWXIqfP7tnEb69f3bP0mixNqcWy_5P_9INpoAEqr1k7aYU0r45PT4gPr5pwHxedVySyLRdoBXIJasdTE52YOQ3NPdGWTwQ_3h2n_wYqqIvf0kCSAvimRrmsgZxomlyejwqPI6ZHi.w"
  }
}

cf_clearance substitution

The received solution (cookie cf_clearance) can be set in the browser or sent along with the HTTP request by specifying it in the Cookie: cf_clearance= header. For automation and testing, it is also convenient to use Puppeteer, Selenium, or Playwright, which allow you to emulate user actions, inject cookies, and submit forms.

Below is an example of a request to your page with pre-obtained cookie values. This is useful for testing: you can pass both correct and intentionally incorrect values to ensure your access processing and validation logic works correctly.

GET https://example.com/

sec-ch-ua: "Google Chrome";v="141", "Not?A_Brand";v="8", "Chromium";v="141"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
upgrade-insecure-requests: 1
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/145.0.0.0 Safari/537.36
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
sec-fetch-site: same-origin
sec-fetch-mode: navigate
sec-fetch-user: ?1
sec-fetch-dest: document
accept-encoding: gzip, deflate, br
accept-language: en-US
cookie: cf_clearance=Jf0udVxx.pxJMEHnish22ZOFt4WZEh8iLKm62gIxQAw-1760087570-1.2.1.1-IAO44jrcaDIU6v3f01Q6MpH58vo521.cgZg9OG5ASav.EIf9fmqH2yETyPkmm7dExFNlRL.dYv6xA4iPtlwMepInUaeFinDbYtoMstD_9Vyexx2B2K.r4eJb9zMCQc0XA3yYDHViOC7cYBYHi58FbvycjBe4o236lyz2eoyC48IS.K1zSsVdqBqIoXIT4tEFYdibXdWudtp57lmyjwpryZy..fGFAcFjAGn3iho98_4
sec-ch-ua-arch: "x86"
sec-ch-ua-bitness: "64"
sec-ch-ua-full-version: "141.0.7390.55"
sec-ch-ua-platform-version: "19.0.0"
sec-ch-ua-model: ""
sec-ch-ua-full-version-list: "Google Chrome";v="141.0.7390.55", "Not?A_Brand";v="8.0.0.0", "Chromium";v="141.0.7390.55"
Origin: https://example.com
Upgrade-Insecure-Requests: 1

There is also a great opportunity to test captcha recognition using the CapMonster Cloud browser extension, which allows you to quickly check captcha operation directly on the page and monitor the solving process in real time without writing code – available for installation in Chrome and Firefox.

How to connect Cloudflare Waiting Room to your site

To confidently navigate how captcha works on your site, understand its verification logic, reconnect, or reconfigure it, we recommend studying this section. It describes the protection connection process — this will help you quickly understand all the nuances.

Requirements and preparation

Cloudflare Plan: Waiting Room is available for Business and Enterprise.
CDN and Proxying: Your site must be connected to Cloudflare, and the DNS record for the domain or subdomain must be proxied.
Cookies: Visitors must support cookies, as Cloudflare uses them to track queue position.
Decide which pages/users will be in the queue and which will bypass the Waiting Room (e.g., administrators, VIPs, specific paths).

1. Register with Cloudflare and connect your site.

2. In the Traffic → Waiting Room section, create a new queue:

3. Click Create Waiting Room.

Specify:

Hostname / URL where the Waiting Room will be active.
Waiting Room name (for internal records).
Maximum number of simultaneously active users (optional, if limited load is required).

4. Customize the waiting page design:

You can use the Cloudflare template or custom HTML/CSS.
Add a logo, waiting time information, and instructions for users.

5. Save and activate the Waiting Room.

6. Configuring Rules

Cloudflare allows excluding specific traffic from the queue.

Typical Bypass Rules:

Admin IP addresses: always allow.
Paths/URL: exclude static files (.js, .css, .png) or specific pages.
Geo-targeting: exclude specific countries.
Query string: exclude specific GET parameters.

Example of a path bypass rule in the Dashboard

In Waiting Room → Manage Rules → Create new bypass rule.
Configure:
- Rule Name: Bypass JS Files
- Expression: ends_with(http.request.uri.path, ".js")
- Action: Bypass Waiting Room
Save and deploy.

All bypass rules allow traffic to be excluded from the active user count so that it does not affect the queue.

Advanced Features:

Scheduled Event: enabling Waiting Room only at specific times (e.g., for sales).
Analytics: tracking the number of users in the queue, wait times, and throughput.
Additional hostnames/paths: a single Waiting Room can operate on multiple subdomains or paths.

Management via API:

The Cloudflare Waiting Room API allows you to:

Create, modify, and delete bypass rules.
View the list of rules.
Manage all Waiting Room settings programmatically.

Example of creating a bypass rule via API

POST zones/{zone_id}/waiting_rooms/{room_id}/rules
Content-Type: application/json
Authorization: Bearer <API_TOKEN>

{
  "description": "Bypass admins",
  "expression": "ip.src in { '1.2.3.4', '5.6.7.8' }",
  "action": "bypass_waiting_room",
  "enabled": true
}

Verifying Operation

1) Open the site from different browsers/devices.

2) Check:

Does the Waiting Room appear when the limit is exceeded?
Is the queue position preserved when refreshing the page?
Do bypass rules work (e.g., admin IP passes without waiting)?

Possible errors and debugging

Invalid domain or incorrect queue configuration

The waiting room page does not appear. Check that the queue rule is linked to the correct URI, path, or host.

Page loading timeout or queue token timeout

The client did not wait for the server response. Increase timeouts in tests and monitoring to handle delays correctly.

Re-verification or expired queue token

If the user uses an expired token or invalid cookies, the system will show the waiting page again.

Conflict with other access checks

Simultaneous use of Waiting Room and other authorization/bot-protection rules may lead to cyclic checks. Follow recommendations for the sequence of checks and user bypassing logic.

Protection resilience checks

After integration, make sure the system really protects the site from automated actions.

Try requesting the page without special cookies — the user should be placed in the waiting room.

Test re-entry with already set cookies — the user should bypass the queue and reach the main content.

Conduct load testing (e.g., with k6 or JMeter) at a high request rate — the waiting room page should display correctly, and the queue server should remain stable.

Check server reaction to expired or incorrect cookies/tokens. Expected result — the user is returned to the waiting page.

Security and optimization tips

Configure queue rules and token TTL according to the load level and risks

Store all secrets (e.g., token signing keys) only on the server

Log queue events and passage status to understand why users are placed in the waiting room and identify false positives.

Log queue events and passage status to understand why users are placed in the waiting room and identify false positives.

For transparency, add links to the <b>Privacy Policy</b> and <b>Terms of Use on waiting room pages</b>.

For transparency, add links to the Privacy Policy and Terms of Use on waiting room pages.

Conclusion

If you’ve taken over a website that already has a captcha or another protection system installed, but you don’t have access to the code, don’t worry! It’s quite easy to identify which technology is being used. To verify that everything works correctly, you can use the CapMonster Cloud recognition service in an isolated test environment to make sure that the token processing mechanism and the validation logic are functioning properly.

In the case of Cloudflare Waiting Room, it’s enough to detect the system, observe its behavior, and confirm that the protection is working correctly. In this article, we showed how to identify Cloudflare Waiting Room and where to find instructions on how to integrate or reconfigure it, so you can confidently maintain the protection and keep its operation under control.

Helpful links

Cloudflare Waiting Room Documentation →

CapMonster Cloud Documentation (working with Cloudflare Waiting Room) →

What is Cloudflare CAPTCHA and how to solve it with CapMonster Cloud →

How Cloudflare detects automated traffic: protecting the site from bots →

The CapMonster Cloud browser extension is available for Chrome and Firefox. Full installation and usage instructions are available here.

Cloudflare Waiting Room and CapMonster Cloud

How to solve Waiting Room via CapMonster Cloud

Cloudflare Waiting Room
and CapMonster Cloud