Bot challenge

An interstitial page (CAPTCHA, JavaScript proof-of-work, or hard block) served by a bot-protection vendor when a request looks automated. The response is a few KB of vendor HTML instead of the real site content.

A bot challenge is a defensive interstitial that bot-protection vendors (Cloudflare, DataDome, Akamai, Imperva, PerimeterX/HUMAN, Sucuri, Reblaze) serve in place of the real page when a request is suspected of being automated. The server-rendered response body becomes a few KB of vendor-branded HTML rather than the page the URL points to.

Typical challenge categories:

  • Interactive CAPTCHA -- "click all the traffic lights" or a checkbox. User-friendly but blocks all automated traffic.
  • JavaScript proof-of-work / fingerprinting -- the page runs a JS computation, browser-fingerprints the client, then redirects to the real content if the score is OK. Cloudflare's "Just a moment..." flow is the canonical example.
  • Hard block (HTTP 403 / 429 / 503) -- the request is denied with a small error page. No retry path. Usually fired against IPs / user-agents on a deny list.

Vendor signatures the BeaverCheck bot-challenge analyzer recognizes:

  • Cloudflare -- <title>Just a moment...</title> + challenges.cloudflare.com/cdn-cgi/challenge-platform script. Legacy variant: <title>Attention Required! | Cloudflare</title>.
  • DataDome -- geo.captcha-delivery.com or js.datadome.co URLs in the body.
  • PerimeterX / HUMAN -- px-captcha, client.perimeterx.net, pxhd-captcha substrings.
  • Akamai Bot Manager -- <title>Access Denied</title> + Reference&#32;# (HTML-encoded space).
  • Imperva / Incapsula -- Incapsula incident ID: text or _Incapsula_Resource reference.
  • Sucuri WAF -- sucuri.net/securitypage URL or Sucuri Website Firewall title.
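
The signature list above can be expressed as a small body classifier. This is an added example, not BeaverCheck's own code: the function names, the 64 KiB size ceiling, and reading "+" in the list as "both must be present" are assumptions, and the sample bodies are constructed.

```python
import re

# Assumption: the page only says challenge bodies are "a few KB"; 64 KiB is a
# constructed ceiling so a long article that merely mentions a vendor URL is skipped.
MAX_CHALLENGE_BYTES = 64 * 1024

def page_title(body: str) -> str:
    m = re.search(r"<title[^>]*>(.*?)</title>", body, re.IGNORECASE | re.DOTALL)
    return m.group(1).strip() if m else ""

def any_in(body: str, *needles: str) -> bool:
    return any(n in body for n in needles)

# (vendor, predicate over title t and body b), using the signatures listed above.
RULES = [
    ("Cloudflare", lambda t, b: t == "Just a moment..."
        and "challenges.cloudflare.com/cdn-cgi/challenge-platform" in b),
    ("Cloudflare (legacy)", lambda t, b: t == "Attention Required! | Cloudflare"),
    ("DataDome", lambda t, b: any_in(b, "geo.captcha-delivery.com", "js.datadome.co")),
    ("PerimeterX / HUMAN", lambda t, b: any_in(b, "px-captcha", "client.perimeterx.net", "pxhd-captcha")),
    ("Akamai Bot Manager", lambda t, b: t == "Access Denied" and "Reference&#32;#" in b),
    ("Imperva / Incapsula", lambda t, b: any_in(b, "Incapsula incident ID:", "_Incapsula_Resource")),
    ("Sucuri WAF", lambda t, b: "sucuri.net/securitypage" in b or "Sucuri Website Firewall" in t),
]

def detect_challenge(body: str):
    """Return the vendor whose interstitial this body matches, or None."""
    if len(body.encode("utf-8")) > MAX_CHALLENGE_BYTES:
        return None
    title = page_title(body)
    for vendor, matches in RULES:
        if matches(title, body):
            return vendor
    return None

# Constructed sample bodies, not captured vendor output.
CF_SAMPLE = ('<html><head><title>Just a moment...</title></head><body>'
             '<script src="https://challenges.cloudflare.com/cdn-cgi/challenge-platform/x.js">'
             '</script></body></html>')
AKAMAI_SAMPLE = ('<html><head><title>Access Denied</title></head><body>'
                 'Reference&#32;#0.constructed</body></html>')
LONG_ARTICLE = ('<html><title>Notes</title><body>' + 'word ' * 20000 +
                'js.datadome.co</body></html>')

if __name__ == "__main__":
    for name, body in [("cf", CF_SAMPLE), ("akamai", AKAMAI_SAMPLE), ("article", LONG_ARTICLE)]:
        print(name, "->", detect_challenge(body))
```

A short page that merely quotes one of these strings would still match, so a scanner relying on this check should also weigh the HTTP status (403 / 429 / 503) before discarding its other findings.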

When a challenge is detected, every other section of the BeaverCheck report (security headers, accessibility, content, SEO, performance) was computed against the interstitial HTML rather than the actual page -- those findings are NOT meaningful for that URL. The report surfaces a Critical finding at the top of the Security tab so the user can see the corruption immediately.

Resolution paths for site owners:

  1. Allow-list the scanner -- add BeaverCheck's worker IPs to the bot-protection vendor's allow-list.
  2. Configure a relaxed challenge -- some vendors let you exempt known-good user-agents.
  3. Accept that the public site is unscannable -- bot protection is doing its job; third-party tooling won't see the real page until the protection is bypassed.

Note: the analyzer can detect that a challenge fired but cannot bypass it. Bypassing bot detection would require user-agent spoofing, residential proxies, or solving the challenge -- all of which would defeat the purpose of the protection.
