Cf-Mitigated
The HTTP Cf-Mitigated response header is an unofficial, Cloudflare-specific header indicating Cloudflare applied a mitigation action to the request instead of serving the origin response.
Usage
When a request triggers a Cloudflare security rule, Cloudflare intercepts the request and serves a challenge page. The Cf-Mitigated header appears on these challenge responses, signaling the original content was replaced by a mitigation page.
This header is useful for front-end applications making
fetch or XHR requests. When a challenged response arrives, the
application detects the header and reacts accordingly. A common
pattern is to show a Turnstile overlay, wait for the visitor to
complete the challenge, obtain a cf_clearance cookie, and
retry the original request. The response content type of a
challenged request is always text/html, regardless of the
resource type originally requested.
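The detect-and-retry pattern described above, as an added example that is not Cloudflare's own code. The names classifyResponse, fetchWithChallenge, solveChallenge and maxRetries are hypothetical; solveChallenge stands for whatever the application does to let the visitor pass the challenge (for instance the Turnstile overlay) before the request is retried.

```javascript
'use strict';

// Returns 'challenge' when the response carries Cf-Mitigated: challenge,
// meaning the body is a Cloudflare challenge page and not origin content.
function classifyResponse(res) {
  const value = (res.headers.get('cf-mitigated') || '').trim().toLowerCase();
  return value === 'challenge' ? 'challenge' : 'origin';
}

// fetch wrapper (hypothetical helper): checks the header before the caller
// ever parses the body, so a text/html challenge page is never fed to
// response.json() or rendered as if it were API data.
//   opts.fetchImpl      fetch-compatible function, defaults to global fetch
//   opts.solveChallenge async callback supplied by the application; resolves
//                       once the visitor has completed the challenge
//   opts.maxRetries     upper bound on retries, so a challenge that keeps
//                       coming back cannot loop forever
async function fetchWithChallenge(url, init = {}, opts = {}) {
  const fetchImpl = opts.fetchImpl || globalThis.fetch;
  const maxRetries = opts.maxRetries === undefined ? 1 : opts.maxRetries;

  for (let attempt = 0; ; attempt++) {
    const res = await fetchImpl(url, init);
    if (classifyResponse(res) === 'origin') {
      return res; // origin content: safe to hand to the normal parser
    }
    if (!opts.solveChallenge || attempt >= maxRetries) {
      // Surface a typed error instead of returning the challenge HTML.
      const err = new Error('Cloudflare challenge was not cleared for ' + url);
      err.code = 'CF_CHALLENGE';
      err.response = res;
      throw err;
    }
    // Application-specific step: show the challenge UI and wait. On success
    // the browser holds a cf_clearance cookie for the retry.
    await opts.solveChallenge(res);
  }
}
```

Callers should treat the CF_CHALLENGE error as "no data", not as an origin failure, and should log it separately from ordinary HTTP errors.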
Values
challenge
The challenge value is the only value this header carries.
Cloudflare sets the header to challenge whenever a managed
challenge, interactive challenge, or JS challenge page is served
in place of the origin response. The challenge type depends on
signals from the visitor's browser environment. Cloudflare
selects the appropriate challenge automatically, ranging from a
non-interactive JavaScript check to an interactive checkbox or
button prompt.
Example
A response with challenge means Cloudflare intercepted the
request and served a challenge page instead of the origin
content. The visitor needs to pass the challenge before
accessing the resource.
Cf-Mitigated: challenge
When inspecting response headers during development, the presence of this header alongside a Cf-Ray header confirms the response came from Cloudflare's security layer rather than the origin server.
Cf-Mitigated: challenge
Cf-Ray: 8f2b3c4d5e6f7-SJC
Takeaway
The Cf-Mitigated response header signals Cloudflare replaced the origin response with a challenge page. Checking for this header allows applications to detect and handle Cloudflare challenges programmatically.