How to Enable Under Attack Mode
Overview
Under Attack Mode allows you to apply additional security protection to individual domains in your workspace. When enabled, Cloudflare performs extra security checks on incoming traffic to help mitigate layer 7 attacks such as automated fraud, bots, and distributed denial-of-service (DDoS) attempts.
This feature is intended for temporary use during active or suspected attacks and can be enabled or disabled at any time from Workspace Settings.
When to use Under Attack Mode
Enable Under Attack Mode if:
- You experience sudden or abnormal traffic spikes
- Automated or scripted traffic is impacting site performance
- Fraud attempts increase unexpectedly
- Your domain becomes slow or unresponsive due to traffic volume
Under Attack Mode is designed as a last-resort mitigation tool, not a permanent security setting.
How Under Attack Mode works
When Under Attack Mode is enabled for a domain:
- Cloudflare applies an elevated security level
- Incoming visitors receive a temporary verification challenge
- Legitimate users are automatically validated and allowed access
- Suspicious or automated traffic is blocked before reaching your site
Accessing Under Attack Mode
- Open Workspace Settings
- Select Under Attack Mode
- View the list of domains associated with the workspace
Each domain can be enabled or disabled independently.
Enabling Under Attack Mode
- Go to Workspace Settings → Under Attack Mode
- Locate the domain you want to protect
- Toggle Under Attack Mode ON
Expected behavior
- Changes may take several seconds to propagate
- New visitors may see a Cloudflare verification screen
- Existing verified visitors may not see the challenge again
Disabling Under Attack Mode
- Go to Workspace Settings → Under Attack Mode
- Toggle Under Attack Mode OFF for the domain

Expected behavior
- The challenge may continue briefly after disabling
- Normal access resumes once the change fully propagates
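To confirm when a toggle has actually taken effect, the check below (an added example, not part of the product or of Cloudflare's tooling) measures how long plain, non-browser probes took to settle into the expected state after enabling or disabling the mode. It assumes challenge responses carry the `cf-mitigated: challenge` header described in Cloudflare's public documentation; the function names and the sample probe data are constructed for illustration.

```python
import urllib.error
import urllib.request

def is_challenge(headers):
    """True when a response is a Cloudflare challenge page, not site content.
    Assumption: challenges carry `cf-mitigated: challenge` (Cloudflare docs)."""
    norm = {k.lower(): v.strip().lower() for k, v in headers.items()}
    return norm.get("cf-mitigated") == "challenge"

def probe(url, timeout=10):
    """Fetch url once with a plain (non-browser) client; return response headers."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return dict(resp.headers.items())
    except urllib.error.HTTPError as err:
        # Non-2xx responses raise; their headers are still what we need.
        return dict(err.headers.items())

def settle_time(samples, toggled_at, expect_challenge):
    """Seconds from the toggle until every later sample shows the expected state.
    samples: (unix_time, headers) pairs in time order. None means not settled yet."""
    settled = None
    for ts, headers in samples:
        if ts < toggled_at:
            continue  # ignore probes taken before the toggle
        if is_challenge(headers) == expect_challenge:
            if settled is None:
                settled = ts
        else:
            settled = None  # state flapped back during propagation; start over
    return None if settled is None else settled - toggled_at

# Constructed sample data: headers as a probe would record them.
SITE = {"Content-Type": "text/html", "Server": "cloudflare"}
CHALLENGE = dict(SITE, **{"CF-Mitigated": "challenge"})

# Toggle ON at t=100: one edge still serves the site at t=115.
ENABLE_RUN = [(100, SITE), (105, SITE), (110, CHALLENGE),
              (115, SITE), (120, CHALLENGE), (125, CHALLENGE)]
# Toggle OFF at t=300: the challenge lingers briefly.
DISABLE_RUN = [(300, CHALLENGE), (305, CHALLENGE), (310, SITE), (315, SITE)]

if __name__ == "__main__":
    print("enable settled after", settle_time(ENABLE_RUN, 100, True), "s")
    print("disable settled after", settle_time(DISABLE_RUN, 300, False), "s")
```

For a live check against your own domain, collect `(timestamp, probe(url))` pairs every few seconds around the toggle and pass them to `settle_time`.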
Visitor experience
When Under Attack Mode is active, visitors may see a message similar to:
Checking your browser before accessing…
Key points:
- The challenge typically completes within a few seconds
- No user action is required beyond waiting
- Once verified, visitors are automatically redirected to the site
This approach minimizes disruption for real users while filtering out automated traffic.
Impact on analytics and tracking
Because Under Attack Mode requires JavaScript to complete the verification challenge:
- Some third-party analytics tools may report reduced or delayed traffic
- Bots and blocked traffic will not appear in analytics
- Short-term discrepancies in visitor data are expected while the mode is active
These effects are temporary and resolve once Under Attack Mode is disabled.
Performance and availability considerations
- Under Attack Mode may briefly pause access for unverified visitors
- It prioritizes site stability over immediate access
- It should be disabled once traffic normalizes to restore standard behavior
This feature helps keep your site online during attacks but is not intended for continuous use.
Important notes and limitations
- Under Attack Mode is applied per domain
- It does not activate instantly in all cases
- It relies on visitors having JavaScript enabled
- It does not replace long-term security or fraud prevention strategies
- Some automated services, scripts, or headless browsers may be blocked
Summary
Under Attack Mode provides a fast, self-service way to protect your domains during periods of malicious or abnormal traffic. By temporarily increasing security checks, it helps preserve site availability while allowing legitimate users to continue accessing your site with minimal disruption.