Cf-Mitigated
When Cloudflare intercepts a request and serves a challenge page instead of the origin response, the Cf-Mitigated response header signals this mitigation. This unofficial, Cloudflare-specific header indicates a security rule was triggered.
Usage
When a request triggers a Cloudflare security rule, Cloudflare intercepts the request and serves a challenge page. The Cf-Mitigated header appears on these challenge responses, signaling the original content was replaced by a mitigation page.
This header is useful for front-end applications making
fetch or XHR requests. When a challenged response arrives, the
application detects the header and reacts accordingly. A common
pattern is to show a Turnstile overlay, wait for the visitor to
complete the challenge, obtain a cf_clearance cookie, and
retry the original request. The response content type of a
challenged request is always text/html, regardless of the
resource type originally requested.
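The detect-and-retry pattern described above, as an added example that is not code from Cloudflare or from this page. `fetchWithChallenge`, `solveChallenge`, `maxRetries` and `makeFakeFetch` are hypothetical names; `solveChallenge` stands for whatever the application does to let the visitor pass the challenge (for instance showing a Turnstile overlay) before the retry.

```javascript
// Added example. Header values come from the page; all function names are assumptions.

// True when the response is a Cloudflare challenge page, not origin content.
function isChallenged(response) {
  const value = response.headers.get('cf-mitigated');
  return typeof value === 'string' && value.trim().toLowerCase() === 'challenge';
}

async function fetchWithChallenge(url, options = {}, deps = {}) {
  const doFetch = deps.fetch || globalThis.fetch;
  const maxRetries = deps.maxRetries ?? 1; // bounded, so a failing challenge cannot loop
  for (let attempt = 0; ; attempt++) {
    const response = await doFetch(url, options);
    if (!isChallenged(response)) return response;
    // The body here is the text/html challenge page, whatever was requested,
    // so it must never reach response.json() or be rendered as API data.
    if (!deps.solveChallenge || attempt >= maxRetries) {
      const err = new Error('Cloudflare challenge not cleared for ' + url);
      err.code = 'CF_CHALLENGE';
      throw err;
    }
    // Hypothetical callback: resolves once the visitor has passed the
    // challenge and the browser holds the cf_clearance cookie.
    await deps.solveChallenge(response);
  }
}

// Constructed stand-in for fetch: the first `challenges` calls return a
// challenge response, later calls return JSON as the origin would.
function makeFakeFetch(challenges) {
  let calls = 0;
  const fake = async () => {
    calls++;
    const challenged = calls <= challenges;
    return {
      headers: new Map(challenged
        ? [['cf-mitigated', 'challenge'], ['content-type', 'text/html']]
        : [['content-type', 'application/json']]),
      json: async () => ({ ok: true }),
    };
  };
  fake.callCount = () => calls;
  return fake;
}
```

Checking the header before parsing matters because a challenged API call would otherwise fail inside the JSON parser with an error that hides the real cause.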
Values
challenge
The challenge value is the only value this header carries.
Cloudflare sets the header to challenge whenever a managed
challenge, interactive challenge, or JS challenge page is served
in place of the origin response. The challenge type depends on
signals from the visitor's browser environment. Cloudflare
selects the appropriate challenge automatically, ranging from a
non-interactive JavaScript check to an interactive checkbox or
button prompt.
Example
A response with challenge means Cloudflare intercepted the
request and served a challenge page instead of the origin
content. The visitor needs to pass the challenge before
accessing the resource.
Cf-Mitigated: challenge
When inspecting response headers during development, the presence of this header alongside a Cf-Ray header confirms the response came from Cloudflare's security layer rather than the origin server.
Cf-Mitigated: challenge
Cf-Ray: 8f2b3c4d5e6f7-SJC