Cloudflare

Cloudflare

CDN and network security infrastructure provider used to accelerate and protect websites. Scripts include the Cloudflare Turnstile CAPTCHA widget, Web Analytics (cookieless analytics), and Bot Management signals. Core CDN functionality operates at the network level, but challenge and analytics scripts do execute in the browser.

Back to Vendor Library

Overview

Cloudflare is a global CDN, network security, and performance infrastructure provider used by millions of websites. From a browser perspective, Cloudflare manifests in several distinct ways: as the CDN delivering site assets, as Turnstile (its CAPTCHA replacement), as Cloudflare Web Analytics (a privacy-first analytics tool), and as Bot Management challenge scripts. Each of these components has different privacy and consent characteristics.

What This Script Does

Cloudflare Turnstile

Turnstile is Cloudflare's CAPTCHA alternative (challenges.cloudflare.com/turnstile/v0/api.js). It runs a series of non-interactive browser challenges to distinguish humans from bots. Turnstile does not use cookies for tracking and explicitly avoids building behavioral profiles. It collects browser signals (user-agent, execution environment, proof-of-work challenge responses) and sends them to Cloudflare for verification. The challenge result is returned as a one-time token.

Cloudflare Web Analytics

Cloudflare Web Analytics (static.cloudflareinsights.com/beacon.min.js) is a lightweight, privacy-respecting analytics script. It uses no cookies, no fingerprinting, and no cross-site tracking. It collects aggregate page view counts, Core Web Vitals metrics, and geographic breakdowns from IP-derived country data (the IP itself is not stored). Cloudflare Web Analytics is explicitly designed as a GDPR-compliant, cookieless analytics solution.

Bot Management

On sites using Cloudflare's enterprise Bot Management, a challenge script may fire to verify browser legitimacy. This uses JavaScript execution challenges and behavioral signals (timing, event patterns) to score the request.

Cookies Set

  • __cf_bm — First-party cookie (set under the site's own domain by Cloudflare). Bot management cookie used to identify and manage automated traffic. Duration: 30 minutes.
  • cf_clearance — First-party cookie. Set after a visitor passes a Cloudflare security challenge (CAPTCHA or browser check). Duration: 1 day.
  • _cfuvid — First-party cookie. Used by Cloudflare rate limiting to identify a visitor within a rate limit window. Duration: session.

Turnstile and Web Analytics set no persistent tracking cookies.

Domains Contacted

  • challenges.cloudflare.com — Turnstile challenge API and verification endpoint.
  • static.cloudflareinsights.com — Web Analytics beacon endpoint.
  • Cloudflare's CDN operates at the network layer and does not require additional JavaScript for CDN functionality.

Data Collected Per Interaction

  • For Turnstile: browser execution environment signals, user-agent, proof-of-work results, page URL. No persistent user identity.
  • For Web Analytics: page URL, country (from IP, not stored), Core Web Vitals metrics (LCP, FID, CLS), browser and OS type. No IP storage, no cookies, no cross-site tracking.
  • For Bot Management / __cf_bm: browser interaction timing and behavioral signals. Cookie duration is 30 minutes and is strictly functional.

Consent & Compliance

GDPR / ePrivacy: The __cf_bm and cf_clearance cookies are security and anti-abuse cookies, not tracking cookies. Security and fraud prevention cookies can qualify as strictly necessary under the ePrivacy Directive's Article 5(3) exemption. Cloudflare Web Analytics requires no consent as it collects no personal data and sets no cookies. Turnstile is designed to be a consent-free CAPTCHA replacement and explicitly avoids tracking. Most EU DPA guidance supports treating bot management and security cookies as strictly necessary.

CCPA / CPRA: Cloudflare processes data as a service provider under its customer agreement. Security and performance data processing is not a sale of personal information. Cloudflare is certified under the EU-US DPF and maintains comprehensive SCCs.

EU-US Data Privacy Framework: Cloudflare is certified under the EU-US DPF for EU-to-US personal data transfers.

Consent Category: Essential (security and CDN) / Analytics (Web Analytics — cookieless, no consent required).

Should You Block This Without Consent?

No. Cloudflare's security cookies (__cf_bm, cf_clearance) are strictly necessary for protecting the website from bot attacks and fraud. They do not track users across sites or build behavioral profiles. Cloudflare Web Analytics is cookieless and privacy-preserving by design. None of Cloudflare's standard components require prior user consent under GDPR, ePrivacy, or CCPA frameworks.

Visit website

Products (3)

Cloudflare Web Analytics
Cloudflare Web Analytics
Cloudflare Web Analytics is a privacy-focused web analytics service. Scripts track page views and Core Web Vitals performance metrics without setting cookies or collecting personally identifiable information. Data is aggregated at the edge and does not build individual visitor profiles.
Cloudflare Turnstile
Cloudflare Turnstile
Cloudflare Turnstile is a CAPTCHA alternative for bot detection and spam prevention. Scripts analyze browser behavioral signals, attributes, and interaction patterns to verify human visitors without requiring visual puzzle-solving challenges. Sets minimal functional tokens; does not build visitor profiles.
Cloudflare Zaraz
Cloudflare Zaraz
Cloudflare Zaraz is a third-party script manager that runs marketing and analytics tags server-side through Cloudflare's edge network. Scripts are proxied rather than loaded directly from third-party domains, reducing client-side tracking exposure and improving page load performance.

Consent Categories

Essential
Analytics

Also Known As

Cloudflare Turnstilecf_clearance cookieCloudflare Web AnalyticsCloudflare bot managementCloudflare CAPTCHACloudflare WAF scriptTurnstile widget

Industries

Computer SecurityComputers Electronics and Technology

Tracked Domains (2)

cloudflare.comAnalytics
cloudflarestream.comEssential

Frequently Asked Questions

Is consent required for Cloudflare on my website?

No. Cloudflare's security cookies (__cf_bm, cf_clearance) are strictly necessary for bot protection and fraud prevention. Cloudflare Web Analytics is cookieless and sets no identifiers. Neither component requires prior user consent.

What cookies does Cloudflare set?

__cf_bm (30-min, bot management), cf_clearance (1-day, set after passing a security challenge), and _cfuvid (session, rate limiting). Turnstile and Web Analytics set no cookies. Scripts load from challenges.cloudflare.com and static.cloudflareinsights.com.

How does ConsentStack classify Cloudflare?

ConsentStack classifies Cloudflare as essential. Security cookies like __cf_bm and cf_clearance are never blocked. Cloudflare Web Analytics is classified as analytics but is cookieless, so ConsentStack can load it without a consent gate if desired.

Related Vendors

Firebase
Firebase
Firebase is Google's mobile and web application development platform offering authentication, real-time database, cloud functions, and analytics. Web SDK scripts initialize Firebase services and may track app events via Firebase Analytics, which is powered by Google Analytics 4. Widely used in single-page apps and PWAs for backend infrastructure and usage tracking.
Google
Google
Google is the dominant provider of web analytics, advertising, and infrastructure tools. Scripts like Google Analytics, Tag Manager, Ads, and reCAPTCHA collect behavioral data, manage tag firing, serve targeted ads, and detect bots. Sets persistent cookies to track users and correlate activity across sites.
Google Tag Manager
Google Tag Manager
Google Tag Manager is a tag management system that lets marketers deploy and update analytics and marketing scripts without code changes. The GTM container script loads synchronously in the page head and injects configured tags, triggers, and variables on behalf of other vendors. No data collection of its own — acts as a loader for other scripts.
Google Fonts
Google Fonts
Google Fonts is a free font hosting service that serves hundreds of typeface families via a global CDN. Stylesheets and font files load from fonts.googleapis.com and fonts.gstatic.com to deliver web fonts to visitors. No advertising or tracking functionality is included.
reCAPTCHA
reCAPTCHA
Google reCAPTCHA is a bot detection and spam prevention service protecting web forms, login pages, and checkout flows. Scripts analyze user behavior, mouse movements, and browser fingerprints to distinguish humans from bots. The invisible reCAPTCHA v3 scores interactions without requiring user challenges.
Sign in with Google
Sign in with Google
Sign in with Google is an OAuth-based authentication service that enables users to log into websites using their Google account credentials. Scripts load the Google Identity Services library, display sign-in buttons, and handle token exchange for secure authentication. Stores session tokens and authentication cookies to maintain login state across page visits.

Manage consent for Cloudflare

ConsentStack automatically detects and manages Cloudflare trackers so your site stays compliant with global privacy regulations.

Get started free