March 19, 2026
Challenge accepted… and everything else skipped
Why Cloudflare rule order matters?
Admins say “challenge” lets intruders slip past block — is the dashboard gaslighting everyone?
TLDR: Putting a “challenge” before a “block” can let visitors reach protected pages after they pass the test, because rule-checking stops. Commenters split between shock at the gotcha and pushback that it’s “working as designed,” while many slam the UI for not making rule order crystal clear.
Cloudflare drama alert: a blog claims that putting a “challenge” rule (the little human-check puzzle) before a “block” rule can let people waltz into sensitive pages like /metrics. Why? Because once you pass the challenge, Cloudflare gives you a pass (the cf_clearance cookie), then stops checking later rules. Cue community fireworks.
One pro managing “multiple Enterprise accounts” admits they had no idea: “Wait, challenges skip everything else?” Meanwhile, skeptics clap back. User weird-eye-issue says the author’s “dashboard is lying” accusation is off, insisting the next rule is evaluated the way Cloudflare says—just not after a successful challenge that ends processing. The mood? Half “OMG, I’ve been living dangerously,” half “This is intended, calm down.” Another voice blames Cloudflare’s design: if rule order is life-or-death, say it clearly in the UI. As yellow_lead put it, the vibe feels like “the user will figure it out.”
Between jokes about a “golden ticket” cookie and memes calling it a “boss fight you can skip,” the consensus lands on simple advice: put Block rules first, save Challenges for last. If you’re curious, the docs are here: Cloudflare Actions and an old thread that saw this coming: ServerFault.
Key Points
- Cloudflare’s challenge actions (Interactive, JS, Managed) are terminating actions that stop evaluation of subsequent rules.
- A Block rule placed after a challenge action may not execute for clients that pass the challenge and receive the cf_clearance cookie.
- Terminating actions in Cloudflare include: Interactive Challenge, JS Challenge, Managed Challenge, Block, Redirect, Serve Error, and Log custom field.
- Recommended secure ordering: Skip, Block, Log, Redirect, Serve Error, Execute, Rewrite, Route, Set Configuration, Compress Response, Set Cache Settings, Log custom field, then challenges.
- The author could not confirm large-scale exploitability but notes the behavior aligns with Cloudflare documentation and has been discussed previously on Server Fault.
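
The ordering problem in the key points above, as an added example (not code from the blog or from Cloudflare): a simplified Python model of first-match evaluation with terminating actions, plus a check that flags Block rules placed after a challenge. The rule names, the `has_clearance` flag and the `shadowed_blocks` helper are assumptions for illustration; the check is deliberately conservative and ignores whether the rule expressions actually overlap.

```python
from dataclasses import dataclass
from typing import Callable

# Simplified model of ordered evaluation with terminating actions, as the
# page describes it. This is not Cloudflare's engine or API.
CHALLENGES = {"managed_challenge", "js_challenge", "interactive_challenge"}

@dataclass
class Rule:
    name: str                        # hypothetical rule name
    action: str                      # "block" or one of CHALLENGES
    matches: Callable[[dict], bool]  # stand-in for the rule expression

def evaluate(rules, request):
    """Return (outcome, rule_name) for the first matching terminating rule."""
    for rule in rules:
        if not rule.matches(request):
            continue
        if rule.action == "block":
            return ("blocked", rule.name)
        if rule.action in CHALLENGES:
            # Evaluation ends here either way: the client is challenged, or
            # it already holds clearance (assumed flag) and is let through.
            outcome = "allowed" if request.get("has_clearance") else "challenged"
            return (outcome, rule.name)
    return ("allowed", None)

def shadowed_blocks(rules):
    """Names of block rules that sit after any challenge rule."""
    seen_challenge, flagged = False, []
    for rule in rules:
        if rule.action in CHALLENGES:
            seen_challenge = True
        elif rule.action == "block" and seen_challenge:
            flagged.append(rule.name)
    return flagged

# Constructed sample rules and request (names and paths are illustrative).
challenge_all = Rule("challenge-all", "managed_challenge", lambda r: True)
block_metrics = Rule("block-metrics", "block",
                     lambda r: r["path"].startswith("/metrics"))
cleared = {"path": "/metrics", "has_clearance": True}

challenge_first = [challenge_all, block_metrics]
block_first = [block_metrics, challenge_all]

if __name__ == "__main__":
    for label, rules in (("challenge first", challenge_first),
                         ("block first", block_first)):
        print(label, evaluate(rules, cleared), shadowed_blocks(rules))
```

With the challenge first, the cleared request to `/metrics` is allowed by the challenge rule and the Block rule is never reached; with the Block first, the same request is blocked and nothing is flagged.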