Plans — Free
To learn more about features and functionality, select a plan. Free features
Plan name | Bot Fight Mode |
Availability | All Free customers |
Enablement | Toggle in Firewall > Bots |
Type of bots detected | Simple bots (from cloud ASNs) and headless browsers |
Actions | Cloudflare issues a computationally expensive challenge |
Additional control | Applied to all traffic across a domain |
Bot detection engines
Heuristics
The Heuristics engine processes all requests. Cloudflare conducts a number of heuristic checks to identify automated traffic, and requests are matched against a growing database of malicious fingerprints. JavaScript detections
The JavaScript Detections (JSD) engine identifies headless browsers and other malicious fingerprints. This engine performs a lightweight, invisible JavaScript injection on the client side of any request while honoring our strict privacy standards. We do not collect any personally identifiable information during the process. The JSD engine either blocks, challenges, or passes requests to other engines.
JSD is automatically enabled with Bot Fight Mode.
Notes on detection
Cloudflare uses the__cf_bm cookie
to identify bots. For more details, refer to Cloudflare Cookies. Considerations
Bot Fight Mode and Super Bot Fight Mode use the same underlying technology that powers our Bot Management product. Specifically, these products:
- Protect entire domains without endpoint restrictions
- Cannot be customized, adjusted, or reconfigured via firewall rules
Although these products are designed to fight malicious actors on the Internet, they may challenge API or mobile app traffic. For more granular control, upgrade to Bot Management for Enterprise.
How do I get started?
To get started, review our setup guides. If you have any questions, visit the community to engage with other Cloudflare users.