by prdonahue 3583 days ago
Individual customers can set their security settings however they like. If you're seeing a CAPTCHA each and every time you connect to a site served by us (and are not coming from an IP with recent/excessive abuse) the site may have locked down their security settings to require this step.

I understand. But IIRC the defaults aren't so open. Plus I would expect that a site like the one for a presidential candidate would get at least a minor review and a "hey you don't need any 'security' settings here".

Jet.com had a similar issue. I'm pretty sure CF customers are not getting sufficient info/onboarding.

The default setting does not present a CAPTCHA each time. Or even most of the time.

Have you considered that presidential candidates may be subject to more malicious traffic than a typical site (and thus may consider adjusting their settings)?

> I'm pretty sure CF customers are not getting sufficient info/onboarding.

I can assure you that Enterprise customers are assigned highly technical resources during onboarding that walk them through settings. Is there a specific suggestion you'd like me to pass along?

Not insulting the talented team CF has. The end result though is that viewing a static asset, a policy position, shouldn't be challenging residential users with a captcha. Whatever the cause, this behaviour is wrong. It's particularly noticeable as a ton of other static assets are served. So it's just switching the doc content for a captcha, while still returning all the images and styling.

Jet.com had the same issue - captcha every time I erased cookies, despite having my own residential IP. Till I brought it to their attention. (Maybe coincidence.)

This mirrors my own experience as a low end user. Devs in Eastern Europe would get challenged a lot until we went and whitelisted everyone.

As a former Cloudflare customer, I'm pretty sure they're getting plenty of onboarding if they take the time to really request it. I had one of the more pleasant vendor experiences with them, they happily invited us to their office, sat down and walked through the admin panel and all of the settings we could tune, describing them and providing recommended values or asking questions to figure out what the settings should be.

It's a matter of customers not bothering. You can only hold a customer's hand so closely.

Sure. But customers are not likely to realise the impact on users not in the US or otherwise "dangerous". I get captcha'd every time I clear cookies, to access static content. This is just wrong behaviour.

I highly doubt that CF customers understand. I cannot imagine them saying "yeah, I think requiring people to solve a puzzle before they read a text document seems reasonable".