Challenge bad bots
Cloudflare’s Bot Management feature scores the likelihood that a request originates from a bot.
Bot score ranges from 1 through 99. A low score indicates the request comes from a script, API service, or an automated agent. A high score indicates that a human issued the request from a standard desktop or mobile web browser.
These examples use:
cf.bot_management.score
to target requests from botscf.bot_management.verified_bot
to identify requests from known good bots ↗cf.bot_management.ja3_hash
to target specific JA3 Fingerprints
For best results:
- Use Bot Analytics to learn about your traffic before applying rules.
- Start small and increase your bot threshold over time.
Your rules may also vary based on the nature of your site and your tolerance for false positives.
The following three rules provide baseline protection against malicious bots:
Rule 1:
- Expression:
(cf.bot_management.verified_bot)
- Action: Skip:
- All remaining custom rules
Rule 2:
- Expression:
(cf.bot_management.score eq 1)
- Action: Block
Rule 3:
- Expression:
(cf.bot_management.score gt 1 and cf.bot_management.score lt 30)
- Action: Managed Challenge
When a request is definitely automated (score of 1) or likely automated (scores 2 through 29) and is not on the list of known good bots, Cloudflare blocks the request.
- Expression:
(cf.bot_management.score lt 30 and not cf.bot_management.verified_bot)
- Action: Block
Since Bot Management detects automated users, you need to explicitly allow your good automated traffic — this includes your APIs ↗ and partner APIs.
This example offers the same protection as the browser-only rule, but allows automated traffic to your API.
- Expression:
(cf.bot_management.score lt 30 and not cf.bot_management.verified_bot and not starts_with(http.request.uri.path, "/api"))
- Action: Block
Since Bot Management can be more sensitive to mobile traffic, you may want to add in additional logic to avoid blocking legitimate requests.
If you are handling requests from your own mobile application, you could potentially allow it based on its specific JA3 fingerprint.
- Expression:
(cf.bot_management.ja3_hash eq "df669e7ea913f1ac0c0cce9a201a2ec1")
- Action: Skip:
- All remaining custom rules
Otherwise, you could set lower thresholds for mobile traffic. The following rules would block definitely automated mobile traffic and challenge likely automated traffic.
Rule 1:
- Expression:
(cf.bot_management.score lt 2 and http.user_agent contains "App_Name 2.0")
- Action: Block
Rule 2:
- Expression:
(cf.bot_management.score lt 30 and http.user_agent contains "App_Name 2.0")
- Action: Managed Challenge
If your domain handles mobile, browser, and API traffic, you would want to arrange these example rules in the following order:
- Rule for API traffic
- Rule(s) for mobile traffic
- Rule for browser traffic
Static resources are protected by default when you create custom rules using the cf.bot_management.score
field.
To exclude static resources, include not (cf.bot_management.static_resource)
in your rule expression. For details, refer to Static resource protection.
From there, you could customize your custom rules based on specific request paths (/login
or /signup
), common traffic patterns, or many other characteristics.
Make sure you review Bot Analytics and Security Events to check if your rules need more tuning.