Demo Hub
WAF Security Demo

WAF Actions Explorer

Explore all Cloudflare WAF actions in real-time. See how JS Challenge, Managed Challenge, Block, Log, and Skip behave when triggered by custom rules.

Challenge Actions

Interactive verification methods that test if the visitor is human

JS Challenge
JavaScript-based verification
JS Challenge Screenshot
JavaScript verification runs in background
Expected Status Code: 403
Click to try this action
Managed Challenge
Adaptive verification (Turnstile)
Managed Challenge Screenshot
Turnstile widget may appear based on risk
Expected Status Code: 403
Click to try this action
Interactive Challenge
Legacy CAPTCHA (deprecated)
Interactive Challenge Screenshot
Legacy CAPTCHA requires user interaction
Expected Status Code: 403
Click to try this action

Other Actions

Non-challenge actions for blocking, logging, or bypassing security rules

Block
Deny request entirely
Block Action Screenshot
Request blocked with 403 Forbidden
Expected Status Code: 403
Click to try this action
Log
Record but allow through
Request logged but allowed through
Expected Status Code: 200
Click to try this action
Skip
Bypass WAF rules
WAF rules bypassed, request allowed
Expected Status Code: 200
Click to try this action

Custom Block Responses

Cloudflare WAF can return custom responses in various formats when blocking requests

JSON Response
Custom JSON payload
Loading...
Expected Status Code: 403
Click to try this action
XML Response
Custom XML payload
Loading...
Expected Status Code: 403
Click to try this action
Text Response
Plain text payload
Loading...
Expected Status Code: 403
Click to try this action
HTML Response
Custom HTML page
Loading...
Expected Status Code: 403
Click to try this action
Custom Status 456
Non-standard HTTP status
Loading...
Expected Status Code: 456
Click to try this action

JS Challenge

Requires the browser to execute JavaScript. Non-interactive, runs in background. Effective against simple bots.

Managed Challenge

Adaptive verification powered by Turnstile. May be non-interactive or show CAPTCHA based on risk signals.

Interactive Challenge

Legacy CAPTCHA challenge. Always requires user interaction. Managed Challenge is recommended instead.

Block

Blocks the request with a 403 Forbidden response by default. Custom responses can be used to customise the status code. Use for known malicious traffic.

Log

Records the request in Security Events but allows it through. Useful for monitoring before enforcing.