
Plans — Pro

To learn more about features and functionality, select a plan.

Free | Pro | Business | Bot Management for Enterprise

Pro features

Plan name: Super Bot Fight Mode
Availability: All Pro customers
Enablement: Toggle in Firewall > Bots
Type of bots detected: Simple bots and headless browsers
Actions: Customer chooses whether to allow, block, or challenge
Analytics: Limited analytics available in a Bot Report
Additional control: Applied to all traffic across a domain

Bot detection engines

Heuristics

The Heuristics engine processes all requests. Cloudflare conducts a number of heuristic checks to identify automated traffic, and requests are matched against a growing database of malicious fingerprints.

Account takeover detections

Using the detection IDs below, you can detect and mitigate account takeover attacks. You can monitor the number of login requests for a given software and network combination, as well as the percentage of login errors. When either figure reaches a suspicious level, you can prevent these attacks by using custom rules, rate limiting rules, and Workers.

Detection ID | Description
201326592 | Observes all login failures to the zone.
201326593 | Observes all login traffic to the zone.
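
The monitoring described above can be sketched as follows. This is an added example, not Cloudflare code: it counts login requests and the failure percentage per software and network combination from the two detection IDs. The record field names, thresholds and sample records are constructed for illustration, and it assumes a failed login carries both IDs.

```python
from collections import defaultdict

LOGIN_FAILURE_ID = 201326592  # "Observes all login failures to the zone."
LOGIN_TRAFFIC_ID = 201326593  # "Observes all login traffic to the zone."

# Constructed sample records; field names are hypothetical, not a Cloudflare log schema.
def _rec(software, network, ids):
    return {"software_fp": software, "network_asn": network, "detection_ids": ids}

SAMPLE = (
    [_rec("fp-aaa", 64500, [LOGIN_TRAFFIC_ID, LOGIN_FAILURE_ID])] * 45
    + [_rec("fp-aaa", 64500, [LOGIN_TRAFFIC_ID])] * 5
    + [_rec("fp-bbb", 64501, [LOGIN_TRAFFIC_ID])] * 38
    + [_rec("fp-bbb", 64501, [LOGIN_TRAFFIC_ID, LOGIN_FAILURE_ID])] * 2
    + [_rec("fp-ccc", 64502, [LOGIN_TRAFFIC_ID, LOGIN_FAILURE_ID])] * 3
    + [_rec("fp-aaa", 64500, [])] * 100  # non-login traffic, ignored
)

def login_stats(records):
    """Count login requests and failures per (software, network) combination."""
    stats = defaultdict(lambda: {"logins": 0, "failures": 0})
    for r in records:
        ids = set(r.get("detection_ids") or [])
        # Skip requests that neither login detection observed.
        if not ids & {LOGIN_TRAFFIC_ID, LOGIN_FAILURE_ID}:
            continue
        key = (r["software_fp"], r["network_asn"])
        stats[key]["logins"] += 1
        if LOGIN_FAILURE_ID in ids:
            stats[key]["failures"] += 1
    return dict(stats)

def suspicious(records, min_logins=20, min_failure_pct=50.0):
    """Return combinations with enough login volume and a high failure rate."""
    out = []
    for key, s in login_stats(records).items():
        pct = 100.0 * s["failures"] / s["logins"]  # logins >= 1 for every key
        # The volume floor keeps a handful of mistyped passwords from flagging.
        if s["logins"] >= min_logins and pct >= min_failure_pct:
            out.append((key, s["logins"], round(pct, 1)))
    return sorted(out, key=lambda x: -x[2])

if __name__ == "__main__":
    for (software, network), logins, pct in suspicious(SAMPLE):
        print(f"{software} AS{network}: {logins} logins, {pct}% failed")
```

The combinations it returns are the candidates for a custom rule or rate limiting rule; the thresholds need tuning against a zone's normal login failure rate.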

JavaScript detections

The JavaScript Detections (JSD) engine identifies headless browsers and other malicious fingerprints. This engine performs a lightweight, invisible JavaScript injection on the client side of any request while honoring our strict privacy standards. We do not collect any personally identifiable information during the process. The JSD engine either blocks, challenges, or passes requests to other engines.

JSD is completely optional. To adjust your settings, configure Super Bot Fight Mode from Security > Bots.

Notes on detection

Cloudflare uses the __cf_bm cookie to smooth out the bot score and reduce false positives for actual user sessions.

The Bot Management cookie measures a single user’s request pattern and applies it to the machine learning data to generate a reliable bot score for all of that user’s requests.

For more details, refer to Cloudflare Cookies.

Considerations

Bot Fight Mode and Super Bot Fight Mode use the same underlying technology that powers our Bot Management product. Specifically, these products:

  • Protect entire domains without endpoint restrictions
  • Cannot be customized, adjusted, or reconfigured via WAF custom rules

Although these products are designed to fight malicious actors on the Internet, they may challenge API or mobile app traffic. For more granular control, upgrade to Bot Management for Enterprise.

How do I get started?

To get started, review our setup guides. If you have any questions, visit the community to engage with other Cloudflare users.