Create a challenge rule
After reviewing the data from your Log rule, update your rule to more aggressively challenge automated traffic.
| Expression | Action |
| --- | --- |
| `(cf.bot_management.score eq 1) and not (cf.bot_management.verified_bot)` | Managed Challenge |
Though you can explicitly block automated traffic, Cloudflare recommends using our Managed Challenge action instead. Managed Challenges not only reduce CAPTCHAs, but also provide you with the data to evaluate your rule’s effectiveness.
Challenge Solve Rate (CSR)
The Challenge Solve Rate (CSR) is the percentage of issued challenges — Interactive Challenge, JS Challenge, or Managed Challenge actions — that were solved.
CSR = number of challenges solved / number of challenges issued
This metric helps you evaluate your rule’s effectiveness, as well as whether you need to make any adjustments to the rule’s criteria or action. Rules in Challenge mode will start generating Challenge Solve Rate (CSR) data, which indicates the false positive percentage.
When measuring automated traffic, the percentage of the CSR shows how effective your rule is:
- If you see a high CSR (above 3%), you might want to reevaluate the criteria of your rule to prevent human visitors from receiving challenges. You should lower your threshold in small increments of 3 to 5 points at a time until the CSR drops.
- If you see a low CSR (below 3%), you likely do not need to adjust your rule but may still want to review its CSR periodically.
- If the rate is close to 0%, your rule is only acting on automated traffic. Consider changing the rule action to Block.
This CSR data - along with the other information visible in Security Events and Cloudflare Logs - can help you evaluate and expand the scores and endpoints covered by your challenge rule.
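The following is an added example, not Cloudflare's code, that applies the CSR formula and the thresholds above to per-rule challenge counts. The event schema, the rule names, the 0.1% cutoff for "close to 0%" and the minimum sample size are assumptions made for illustration.

```python
from collections import Counter

# Constructed sample: one record per issued challenge (hypothetical schema and
# rule names, not a Cloudflare log format).
SAMPLE_EVENTS = (
    [{"rule": "score-eq-1", "solved": False}] * 995
    + [{"rule": "score-eq-1", "solved": True}] * 5
    + [{"rule": "score-lt-30", "solved": False}] * 180
    + [{"rule": "score-lt-30", "solved": True}] * 20
    + [{"rule": "login-score-eq-1", "solved": False}] * 400
    + [{"rule": "new-rule", "solved": True}] * 2
)

HIGH_CSR = 0.03     # the 3% boundary from the guidance above
NEAR_ZERO = 0.001   # assumption: cutoff for "close to 0%"
MIN_ISSUED = 100    # assumption: fewer challenges than this is too few to judge


def solve_rates(events):
    """Return {rule: (issued, solved, csr)} with csr = solved / issued."""
    issued, solved = Counter(), Counter()
    for event in events:
        issued[event["rule"]] += 1
        solved[event["rule"]] += bool(event["solved"])
    return {r: (n, solved[r], solved[r] / n) for r, n in issued.items()}


def recommend(issued, csr):
    """Map a rule's CSR to the action suggested by the guidance above."""
    if issued < MIN_ISSUED:
        return "insufficient data"
    if csr > HIGH_CSR:
        return "reevaluate criteria"
    if csr <= NEAR_ZERO:
        return "consider Block"
    return "keep, review periodically"


def report(events):
    return {r: recommend(n, csr) for r, (n, _, csr) in solve_rates(events).items()}


if __name__ == "__main__":
    for rule, (n, s, csr) in solve_rates(SAMPLE_EVENTS).items():
        print(f"{rule}: {s}/{n} solved, CSR {csr:.2%} -> {recommend(n, csr)}")
```

The minimum-sample guard keeps a rule that has issued only a handful of challenges from being flagged on a CSR that is mostly noise.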