Cloudflare Docs
Firewall Rules
Visit Firewall Rules on GitHub
Set theme to dark (⇧+D)

Challenge bad bots

Cloudflare’s Bot Management feature scores the likelihood that a request originates from a bot.

Scores range from 1 through 99. Low scores indicate the request comes from a script, API service, or an automated agent. High scores indicate that a human issued the request from a standard desktop or mobile web browser.

These examples use:

​​ Suggested rules

For best results:

  • Use Bot Analytics to learn about your traffic before applying rules
  • Start small and increase your bot threshold over time

Your rules may also vary based on the nature of your site and your tolerance for false positives.

​​ Protect browser endpoints

When a request is definitely automated (score of 1) or likely automated (scores 2 through 29) and is not on the list of known good bots, Cloudflare blocks the request.

ExpressionAction
(cf.bot_management.score lt 30) and not (cf.bot_management.verified_bot)Block

​​ Exempt API traffic

Since Bot Management detects automated users, you need to explicitly allow your good automated traffic⁠ — this includes your APIs and partner APIs.

This example offers the same protection as the browser-only rule, but allows automated traffic to your API.

ExpressionAction
(cf.bot_management.score lt 30) and not (cf.bot_management.verified_bot) and not (http.request.uri.path contains "/api")Block

​​ Adjust for mobile traffic

Since Bot Management can be more sensitive to mobile traffic, you may want to add in additional logic to avoid blocking legitimate requests.

If you are handling requests from your own mobile application, you could potentially allow it based on its specific JA3 fingerprint.

ExpressionAction
(cf.bot_management.ja3_hash eq df669e7ea913f1ac0c0cce9a201a2ec1)Allow

Otherwise, you could set lower thresholds for mobile traffic. The following rules would block definitely automated mobile traffic and challenge likely automated traffic.

ExpressionAction
(cf.bot_management.score lt 2) and (http.user_agent contains "App_Name 2.0")Block
(cf.bot_management.score lt 30) and (http.user_agent contains "App_Name 2.0")Challenge

​​ Layer rules

If your domain saw mobile, browser, and API traffic, you would want to arrange these example rules in the following order:

  • API

  • Mobile:

    • If consistent JA3 fingerprint, set Allow rule.
    • If not, put the Block rule first and then the Challenge rule.
  • Browser - Block

​​ Static resource protection

Static resources are protected by default when you create firewall rules using cf.bot_management.score.

To exclude static resources, include not (cf.botManagement.staticResource) as part of your firewall rule. For more details, refer to Static resource protection.

​​ Additional considerations

From there, you could customize your firewall rules based on specific request paths (/login or /signup), common traffic patterns, or many other characteristics.

Just make sure to set aside time to review Bot Analytics and Firewall Events to check if your rules need additional tuning.