Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Binary file added public/images/precursor/precursor-rules.png
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Original file line number Diff line number Diff line change
@@ -0,0 +1,26 @@
---
title: Precursor introduces session-based detection
description: Precursor brings continuous, session-based behavioral detection to Cloudflare Challenges.
date: 2026-07-06
---

Precursor is rolling out to all customers starting today. Precursor is client-side JavaScript that enables session-based bot detection.

You can [read the announcement blog](https://blog.cloudflare.com/placeholder-precursor-announcement/) for background on why we built Precursor and how session-level behavioral detection works.

With Precursor enabled, Cloudflare can:

- Continuously evaluate behavioral signals across a session
- Re-validate challenge clearance as behavior changes
- Update bot scores with session context
- Provide client-side visibility where none previously existed

It integrates with existing protections, including Security Rules, and can be enabled directly from the Cloudflare dashboard with configurable modes to balance security and user experience.

<img
src="/images/precursor/precursor-settings.png"
alt="Enable Precursor in the Cloudflare dashboard"
style="border:1px solid #e5e7eb;border-radius:6px;display:block;margin:16px 0;"
/>

To learn more, refer to the [Precursor documentation](/cloudflare-challenges/precursor/).
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@ description: Full-page challenge screens that verify visitors before they reach
products:
- cloudflare-challenges
sidebar:
order: 1
order: 2
---

import { Render } from "~/components";
Expand Down Expand Up @@ -56,4 +56,4 @@ To ensure your API calls are protected without breaking single-page applications

By enabling Pre-clearance, the Turnstile widget issues a persistent clearance cookie (`cf_clearance`) upon successful human verification on an initial HTML page. This cookie pre-clears the visitor to interact with sensitive API endpoints secured by WAF rules, allowing you to deploy granular security without forcing a disruptive Challenge Page response.

For implementation details, refer to the [guidance on Pre-clearance for Turnstile](/cloudflare-challenges/concepts/clearance/#pre-clearance-support-in-turnstile).
For implementation details, refer to the [guidance on Pre-clearance for Turnstile](/cloudflare-challenges/concepts/clearance/#pre-clearance-support-in-turnstile).
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@ tags:
- JavaScript
- CSP
sidebar:
order: 3
order: 4
---

import { Render, Tabs, TabItem, GlossaryTooltip } from "~/components";
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@ description: Embed a CAPTCHA-alternative widget that verifies visitors without i
products:
- cloudflare-challenges
sidebar:
order: 2
order: 3
---

import { Render } from "~/components";
Expand Down
59 changes: 41 additions & 18 deletions src/content/docs/cloudflare-challenges/concepts/clearance.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -14,25 +14,49 @@ import { Render, DashButton, Steps } from "~/components";

## `cf_clearance` cookies

A `cf_clearance` cookie proves to Cloudflare that the visitor is a verified human and has passed the challenge presented to them.
A `cf_clearance` cookie proves to Cloudflare that the visitor is a verified human and has passed Cloudflare's client-side verifications.

The `cf_clearance` cookie is securely tied to the specific visitor and device it was issued to. This binding is a security feature designed to prevent the cookie from being easily transferred and re-used on other machines.
The cookie contains **two types of clearance** that work together:

As an additional layer of security, Cloudflare recommends that customers [add a rate limiting rule](/waf/rate-limiting-rules/) based on the `cf_clearance` cookie value. This ensures that a single, valid cookie cannot be abused by a single machine to send an excessive volume of requests.
- **Challenge clearance**: Granted when a visitor solves a Challenge (for example, Interstitial Challenge Pages or Turnstile with pre-clearance enabled).
- **Precursor clearance**: Continuously updated based on session behavior.

Each challenge type sets a clearance level. A higher-level cookie bypasses all challenge types at or below that level. A lower-level cookie only bypasses challenges at the same level.

The cookie is securely tied to the specific visitor and device it was issued to, preventing reuse across machines.

As an additional layer of security, Cloudflare recommends that customers [add a rate limiting rule](/waf/rate-limiting-rules/) based on the `cf_clearance` cookie value. This helps ensure that a single, valid cookie cannot be abused by one machine to send an excessive volume of requests.

### Challenge clearance

Challenge clearance is granted when a visitor successfully completes a Challenge.

Each challenge type sets a clearance level. A higher-level clearance bypasses all Challenges at or below that level. A lower-level clearance only bypasses challenges at the same level.

| Clearance level | Bypasses |
| --------------------- | ---------------------------------------------------- |
| Interactive (high) | Interactive, Managed, and Non-Interactive Challenges |
| Managed (medium) | Managed and Non-Interactive Challenges |
| Non-Interactive (low) | Non-Interactive Challenges only |

If a visitor passes an Interactive Challenge (highest security level), then the `cf_clearance` cookie indicates this to the origin and allows the visitor to bypass any other Challenge on the website, whether it is a Non-Interactive Challenge, a Managed Challenge, or another Interactive Challenge for as long as the cookie is valid.
If a visitor passes an Interactive Challenge (highest security level), they can bypass all other Challenges for as long as the clearance remains valid.

If a visitor receives clearance at a lower level (Managed or Non-Interactive) and later encounters a higher-level challenge, they must solve the higher-level challenge again.

The original clearance is replaced if a higher-level challenge is later solved.

Challenge clearance remains valid for the duration configured by the customer (Challenge Passage), **unless Precursor determines the session is suspicious**.

If a visitor receives a `cf_clearance` cookie on a page that uses a WAF rule with Managed or Non-Interactive Challenge (lower security levels), then encountering a different page with a higher security clearance level Challenge will prompt them to solve the challenge again.
### Precursor clearance

Precursor clearance is continuously re-evaluated throughout a visitor’s session. Rather than being tied to a single challenge event, it operates as an ongoing, client-side process that periodically reassesses behavior at regular intervals. As new signals are observed, the clearance is updated dynamically to reflect the current level of trust in the session.

If Precursor determines that a session is suspicious:

- The visitor’s effective Challenge clearance may be **reduced or invalidated**.
- The visitor may be **re-challenged**, even if the cookie has not expired.

This creates a model where clearance is both **time-bound (Interstitial)** and **behavior-bound (Precursor)**.

The original `cf_clearance` cookie that was issued to the visitor from a lower security clearance level challenge will be replaced with the new `cf_clearance` cookie from a higher security clearance level challenge.

## Pre-clearance support in Turnstile

Expand Down Expand Up @@ -93,27 +117,26 @@ The prerequisite is crucial for pre-clearance to function properly. If set up co
For more details on managing hostnames, refer to the [Hostname Management documentation](/turnstile/additional-configuration/hostname-management/).

<Render file="cf-clearance-cookie" product="cloudflare-challenges" />

#### Enable pre-clearance on a new site

<Steps>
1. In the Cloudflare dashboard, go to the **Turnstile** page.
1. In the Cloudflare dashboard, go to **Turnstile**.

<DashButton url="/?to=/:account/turnstile" />
2. Select **Add widget**.
3. Under **Would you like to opt for pre-clearance for this site?** select **Yes**.
4. Choose the pre-clearance level from the select box.
2. Select **Add widget**.
3. Under **Would you like to opt for pre-clearance for this site?**, select **Yes**.
4. Choose a **pre-clearance level**.
5. Select **Create**.
</Steps>

#### Enable pre-clearance on an existing site

<Steps>
1. In the Cloudflare dashboard, go to the **Turnstile** page.
1. In the Cloudflare dashboard, go to **Turnstile**.

<DashButton url="/?to=/:account/turnstile" />
2. Go to the existing widget or site and select **Settings**.
3. Under **Would you like to opt for pre-clearance for this site?** select **Yes**.
4. Choose the pre-clearance level from the select box.
2. Select an existing widget and open **Settings**.
3. Under **Would you like to opt for pre-clearance for this site?**, select **Yes**.
4. Choose a **pre-clearance level**.
5. Select **Update**.
</Steps>
Original file line number Diff line number Diff line change
Expand Up @@ -24,6 +24,8 @@ Challenge Pages and Turnstile rely on the same underlying mechanism to issue cha

JavaScript Detections is an optional feature within [Bot Management](/bots/get-started/bot-management/). When enabled, Cloudflare injects a JavaScript snippet into HTML responses to gather client-side signals. Unlike Challenge Pages, JavaScript Detections runs on every HTML request without pausing or interrupting the visitor. It populates a pass/fail result (`cf.bot_management.js_detection.passed`) that you can then act on using a [WAF custom rule](/waf/custom-rules/).

For session-level detection that informs when challenges should be applied, refer to [Precursor](/cloudflare-challenges/precursor/).

---

## Available challenges
Expand All @@ -33,6 +35,7 @@ Refer to the following pages for more information on the different challenge typ
- [Interstitial Challenge Pages](/cloudflare-challenges/challenge-types/challenge-pages/)
- [Turnstile](/cloudflare-challenges/challenge-types/turnstile/)
- [JavaScript Detections](/cloudflare-challenges/challenge-types/javascript-detections/)
- [Precursor](/cloudflare-challenges/precursor/)

---

Expand Down
100 changes: 100 additions & 0 deletions src/content/docs/cloudflare-challenges/precursor.mdx
Original file line number Diff line number Diff line change
@@ -0,0 +1,100 @@
---
pcx_content_type: concept
title: Precursor
description: Client-side, session-based verification that continuously evaluates visitor behavior to identify automation.
products:
- cloudflare-challenges
sidebar:
order: 4
---

Precursor is a client-side, session-based verification system that continuously evaluates a visitor's behavior over time. Instead of relying on a single challenge event, Precursor runs ongoing verification in the browser to detect automation that appears legitimate in individual requests but exhibits non-human patterns across a session.

## How it works

Precursor operates as a continuous client-side verification loop:

- A client-side script is injected into the page
- The script continuously collects signals and performs verification
- Each execution produces signals that are evaluated by Cloudflare
- Results are used to update session state stored in the `cf_clearance` cookie
- The process repeats throughout the session

This enables Cloudflare to continuously evaluate session behavior over time.

## Get started

Enable Precursor for your zone:

1. In the Cloudflare dashboard, select your zone.
2. Go to **Security** > **Settings**.
3. Locate **Precursor**.
4. Turn on Precursor.

<img
src="/images/precursor/precursor-settings.png"
alt="Security Settings page in the Cloudflare dashboard, showing the Precursor card with the on/off toggle"
style="border:1px solid #e5e7eb;border-radius:6px;display:block;margin:2px 0;"
/>

5. **Choose a mode:** To fully verify a user session, visitors may need to complete a lightweight Challenge to establish a valid session. Precursor provides two modes depending on whether you want to prioritize user experience or strict verification:

- **Minimize Friction (default)**
Does not show a Challenge to the visitor. Instead, Precursor attempts to establish session state in the background.
This provides a smoother user experience, but cannot guarantee that every session is fully verified.

- **Maximize Security (recommended)**
Shows a lightweight Challenge to establish a valid session if one does not already exist.
This ensures every session is fully verified, but may introduce additional friction for users.

<img
src="/images/precursor/precursor-rules.png"
alt="Precursor mode selector showing Minimize Friction and Maximize Security options"
style="border:1px solid #e5e7eb;border-radius:6px;display:block;margin-top:-32px;"
/>

For most customers, selecting a mode is the only configuration required.

### Precursor rules (optional)

Precursor runs across your zone by default. Rules do not enable or disable Precursor — they determine which mode applies to each request.

For example:

- Run **Minimize Friction** across your site, but run **Maximize Security** to enforce a valid session on `/checkout`.
- Run **Maximize Security** on all pages, except your homepage.

## Relationship to JavaScript Detections

Precursor supersedes JavaScript Detections (JSD):

- moves from one-time execution to continuous verification
- introduces session-based state
- enables dynamic runtime control

## Relationship to Challenges

Precursor and Challenges serve different roles:

- Challenges provide point-in-time verification
- Precursor provides continuous, session-level verification

Precursor does not replace Challenges. Instead, it strengthens them by:

- determining when additional Challenges should be required
- re-evaluating visitors after they have already passed a Challenge
- identifying automation that emerges over time

## Relationship to `cf_clearance`

Precursor is tightly integrated with `cf_clearance`. When running Precursor:

- effective clearance may be reduced or invalidated
- additional Challenges may be triggered
- the visitor may be re-verified during the same session

## Visibility in Security Analytics

Once Precursor runs on a zone, its detections appear in the zone's Analytics view. To open it, select your zone in the Cloudflare dashboard, then go to **Security** > **Analytics** > **Traffic** > **Bot analysis**. The bot score distribution and WAF rule-match counts now include Precursor's behavioral and biometric detections.

For more information, refer to [Security Analytics](/waf/analytics/security-analytics/).
4 changes: 2 additions & 2 deletions src/content/docs/cloudflare-challenges/reference/index.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@ description: Reference information for Cloudflare Challenges, including browsers
products:
- cloudflare-challenges
sidebar:
order: 3
order: 5
group:
hideIndex: true
---
Expand All @@ -14,4 +14,4 @@ import { DirectoryListing } from "~/components"

Refer to the following pages for more information about Cloudflare Challenges:

<DirectoryListing />
<DirectoryListing />
3 changes: 3 additions & 0 deletions src/content/products/challenges.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
name: Challenges
slug: challenges
description: Cloudflare Challenges and bot detection
Loading