Cloudflare Docs
Learning Paths
Visit Learning Paths on GitHub
Set theme to dark (⇧+D)

Understand site traffic

  3 min read

Another characteristic to consider is your application’s traffic. Several aspects of your traffic might affect how you implement Bot management.

​​ Bot attacks

​​ Situations

If you are experiencing bot attacks, consider the nature of the attack.

These types of actions fall into two general categories:

  • A bot submitting data through a form

    • Credential stuffing on login endpoints
    • Content spam
    • Inventory hoarding
    • Credit card stuffing
  • A bot viewing data intended for human eyes only

    • Content scraping
    • Ad click fraud
    • Email address harvesting

​​ Implementation details

If bots are submitting data through forms, you should likely be creating focused rules to block traffic on specific endpoints.

If bots are viewing data intended for human eyes only, you may want broader rules limiting bot interactions across your application.

​​ Verified bots

​​ Situations

Cloudflare maintains an internal list of Verified Bots that are associated with search engine optimization (SEO), website monitoring, and more.

You can use this list to prevent any bot protection measures from impacting otherwise helpful bots, such as search crawlers.

For a partial list of verified bots, refer to Cloudflare Radar.

​​ Implementation details

Verified bots are blocked by default when you create WAF custom rules using cf.bot_management.score.

To allow verified bots, you would need to include not (cf.bot_management.verified_bot) as part of a custom rule.

​​ Automated traffic

​​ Situations

By default, Bot management rules will block non-browser traffic.

This can be problematic if your application receives a lot of API traffic, or if you have tools related to:

  • Indexing content for search.
  • Auditing content (links, headers, etc.).
  • Monitoring uptime.
  • Forward proxying traffic, such as secure web gateways.

​​ Implementation details

Depending on your application, you may want to write rules that allow specific types of automated traffic or rules that allow all automated traffic to specific endpoints (/api, for example).

In some cases, APIs might be better suited for API Shield than Bot Management.

You should also take time to review Bot analytics to make sure you fully understand the automated traffic reaching your site. Often, you might discover services maintained by a different team or other surprises.

Pay specific attention to:

  • Which endpoints are being targeted.
  • The top non-Mozilla user agents.
  • Traffic from Outlook or Office user-agents.
  • Traffic from cloud-based Secure Web Gateways (ASNs labeled with the proxy provider).
  • Traffic from on-premises forward proxies.
  • Whether requests come from a predictable IP address and ASN, or have a similar JA3 fingerprint.

​​ Mobile app traffic

Because of how mobile applications send requests, Bot Management has the potential to score mobile traffic differently than browser-based traffic.

​​ Implementation details

​​ Review analytics

Take extra time to review Bot analytics to evaluate how your mobile application traffic is performing.

You can generally identify mobile traffic with common user agent strings, though these strings may differ between iOS and Android. Malicious actors might also try to impersonate your mobile application traffic with user agent strings.

Cloudflare recommends being as specific as possible when analyzing traffic and creating rules, usually including a combination of user-agent values, IP addresses or ASNs, and JA3 fingerprints.

​​ Adjust rules

If your application uses mTLS, you can also integrate that certificate’s presence into your WAF custom rules using the cf.tls_client_auth.cert_verified field.

Native or progressive web applications should also only use Block as a rule action.