Cloudflare Docs
WAF
Edit this page
Give us feedback
Set theme to dark (⇧+D)

Security Level

Cloudflare’s Security Level uses the threat score (IP reputation) to decide whether to present a challenge to the visitor. Once the visitor enters the correct challenge, they receive the appropriate website resources.

​​ Threat score

The threat score measures IP reputation across Cloudflare services. This score is calculated based on Project Honeypot, external public IP information, as well as internal threat intelligence from our WAF managed rules and DDoS.

The threat score of a request has a value from 0 to 100, where 0 indicates low risk. Values above 10 may represent spammers or bots, and values above 40 identify bad actors on the Internet.

​​ Security levels

Security levels are based on the threat score (except Off and I’m Under Attack!). You can adjust the security level to challenge incoming requests based on the threat they pose.

The available security levels are the following:

Security LevelThreat score rangeDescription
Off (Enterprise
customers only)
N/ADoes not challenge IP addresses.
Essentially off50–100Only challenges IP addresses with the worst reputation.
Low25–100Challenges only threatening visitors.
Medium15–100Challenges both threatening and moderately threatening visitors.
High0–100Challenges all visitors that exhibited threatening behavior within the last 14 days.
I’m Under Attack!N/AOnly for use if your website is currently under a DDoS attack.

Selecting a higher Security Level value means that even requests with a lower risk (that is, with a low threat score) will be challenged. Selecting a lower Security Level value means that only requests posing a higher risk (that is, with a high threat score) will be challenged.

Security levels from Essentially off to High will challenge the visitor using a Managed Challenge. When you select I’m Under Attack!, which enables I’m Under Attack mode, Cloudflare will present a JS challenge page.


​​ Customize security level

The default security level is Medium.

​​ Update globally

To update the security level for your entire zone:

  1. Log into the Cloudflare dashboard.
  2. Select your account and zone.
  3. Go to Security > Settings.
  4. For Security Level, select an option.

​​ Update selectively

To set the security level more selectively, do one of the following:

  • Configure it via a configuration rule.
  • Use the Threat Score as a Field criteria within custom rules. If you are using the Expression Editor, use the cf.threat_score field.

​​ Recommendations

To prevent bot IPs from attacking a website:

  • A new website owner might set a Medium or High Security Level and lower Challenge Passage to a value below 30 minutes to ensure that Cloudflare is constantly protecting the site.
  • An experienced website administrator confident in their security settings might set Security Level to Essentially Off or Low while setting a higher Challenge Passage for a week, month, or even year to provide a less obtrusive visitor experience.

You can also create WAF custom rules to protect sensitive areas of your website — like comment form pages or login forms — using the threat score in your rule expression. The flexibility of custom rules allows you to select the action to take (for example, challenge or block) and exclude specific IP addresses.