Challenge bad bots
Cloudflare’s Bot Management feature scores the likelihood that a request originates from a bot.
Scores range from 1 through 99. Low scores indicate the request comes from a script, API service, or an automated agent. High scores indicate that a human issued the request from a standard desktop or mobile web browser.
These examples use:
- dynamic field to target requests from bots
- cf.bot_management.verified_bot to identify requests from
- cf.bot_management.ja3_hash to target specific
For best results:
- Use to learn about your traffic before applying rules
- Start small and increase your bot threshold over time
Protect browser endpoints
When a request is definitely automated (score of 1) or likely automated (scores 2 through 29) and is not on the list of known good bots, Cloudflare blocks the request.
Exempt API traffic
Since Bot Management detects automated users, you need to explicitly allow your good automated traffic — this includes your APIs and partner APIs.
This example offers the same protection as the browser-only rule, but allows automated traffic to your API.
Adjust for mobile traffic
Since Bot Management can be more sensitive to mobile traffic, you may want to add additional logic to avoid blocking legitimate requests.
Otherwise, you could set lower thresholds for mobile traffic. The following rules would block definitely automated mobile traffic and challenge likely automated traffic.
If your domain saw mobile, browser, and API traffic, you would want to arrange these example rules in the following order:
- If consistent JA3 fingerprint, set Allow rule.
- If not, put the Block rule first and then the Challenge rule.
Browser - Block
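The rule order described above, modeled as an added Python example (not Cloudflare's code or rule syntax) that replays sample requests against a candidate threshold before a rule is deployed. Assumptions: rules are evaluated first match wins in the listed order, and the API path prefix, mobile User-Agent marker, and JA3 value are hypothetical placeholders.

```python
from collections import Counter
from dataclasses import dataclass

API_PREFIX = "/api"        # assumption: hypothetical path prefix for API traffic
MOBILE_UA = "ExampleApp/"  # assumption: hypothetical User-Agent marker of the mobile app
APP_JA3 = "0" * 32         # constructed placeholder, not a real JA3 hash

@dataclass
class Request:
    score: int          # cf.bot_management.score (1 through 99)
    verified_bot: bool  # cf.bot_management.verified_bot
    ja3_hash: str       # cf.bot_management.ja3_hash
    path: str
    user_agent: str

def decide(r, threshold=30, consistent_ja3=True):
    """Return the action of the first matching rule, or "pass" if none matches."""
    if MOBILE_UA in r.user_agent:
        if consistent_ja3:
            if r.ja3_hash == APP_JA3:
                return "allow"      # mobile: allow the app's known fingerprint
        else:
            if r.score < 2:
                return "block"      # mobile: definitely automated (score of 1)
            if r.score < threshold:
                return "challenge"  # mobile: likely automated
    # Browser rule with the API exemption: block low scores unless the
    # request is from a verified bot or targets the API.
    if (r.score < threshold and not r.verified_bot
            and not r.path.startswith(API_PREFIX)):
        return "block"
    return "pass"

def tally(requests, threshold=30):
    """Count actions at a given threshold to see what a rule change affects."""
    return Counter(decide(r, threshold) for r in requests)

# Constructed sample traffic, not real log data.
SAMPLE = [
    Request(1, False, "f" * 32, "/login", "curl/8.0"),
    Request(25, False, "f" * 32, "/signup", "Mozilla/5.0"),
    Request(3, True, "a" * 32, "/", "ExampleCrawler"),
    Request(2, False, "b" * 32, "/api/v1/orders", "partner-client"),
    Request(12, False, APP_JA3, "/feed", "ExampleApp/2.0"),
    Request(85, False, "c" * 32, "/", "Mozilla/5.0"),
]

if __name__ == "__main__":
    for t in (10, 30):
        print(t, dict(tally(SAMPLE, t)))
```

Comparing the tallies at a low and a high threshold shows which requests a stricter rule would newly block, which is the check to make when raising the threshold over time.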
Static resource protection
Static resources are protected by default when you create firewall rules using
From there, you could customize your firewall rules based on specific request paths (/signup), common traffic patterns, or many other characteristics.