These detections are optional, but lead to greater overall accuracy.
This detection technique gathers general data about the machines reaching Cloudflare. For example, Cloudflare might learn that a particular user is accessing Cloudflare via Google Chrome on a MacBook Pro. Because there are millions of people using Google Chrome on a MacBook Pro, Cloudflare cannot identify specific individuals. Cloudflare also takes steps to anonymize and phase out data for added privacy.
- Log in to your Cloudflare dashboard and select your account and domain.
- Go to Security > Bots.
- Select Configure Bot Management.
cf.bot_management.js_detection.passed field in Firewall rules (or the request.cf.botManagement.js_detection.passed variable in Workers).
When adding this field to Firewall rules, use it:
- On endpoints expecting browser traffic (avoiding native mobile applications or websocket endpoints).
Content Security Policies (CSPs)
- Ensure that anything under /cdn-cgi/challenge-platform/ is allowed. Your CSP should allow scripts served from your origin domain (
- If your CSP uses a nonce for script tags, Cloudflare will add these nonces to the scripts it injects by parsing your CSP response header.
- If your CSP does not use
Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-b123b8a70+4jEj+d6gWI9U6IilUJIrlnRJbRR/uQl2Jc='), or a nonce ('nonce-...') is required to enable inline execution.
We highly discourage the use of unsafe-inline and instead recommend the use of CSP nonces in script tags, which we parse and support in our CDN.
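A pre-deployment check for the two CSP conditions listed above, written as an added example (it is not Cloudflare's code): it parses a Content-Security-Policy header, picks the directive that governs script elements, and reports separately whether /cdn-cgi/challenge-platform/ on your origin is covered and whether an injected inline script would run. The function names and the example.com host are assumptions, and 'strict-dynamic' is not modelled.

```javascript
// Added example; function names are hypothetical, not a Cloudflare API.
const CHALLENGE_PATH = "/cdn-cgi/challenge-platform/"; // path named on this page

// Parse a CSP header into a Map: directive name -> list of source tokens.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored by browsers; the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Does one source expression cover originHost + CHALLENGE_PATH?
function sourceCoversChallengePath(source, originHost) {
  const s = source.toLowerCase();
  if (s === "'self'" || s === "*" || s === "https:") return true;
  if (s.startsWith("'")) return false; // other keywords, nonces, hashes
  const noScheme = source.replace(/^[a-z][a-z0-9+.-]*:\/\//i, "");
  const slash = noScheme.indexOf("/");
  const host = slash === -1 ? noScheme : noScheme.slice(0, slash);
  const path = slash === -1 ? "" : noScheme.slice(slash);
  if (host.toLowerCase() !== originHost.toLowerCase()) return false;
  // An empty path matches everything; a path ending in "/" is a prefix match.
  return path === "" || (path.endsWith("/") && CHALLENGE_PATH.startsWith(path));
}

// Audit a CSP header for the requirements described in this section.
function auditCspForJsDetections(header, originHost) {
  const csp = parseCsp(header);
  // Script elements fall back: script-src-elem, then script-src, then default-src.
  const directive = ["script-src-elem", "script-src", "default-src"].find((d) => csp.has(d));
  if (!directive) return { directive: null, pathAllowed: true, inlineMode: "unrestricted", ok: true };
  const sources = csp.get(directive);
  const lower = sources.map((s) => s.toLowerCase());
  const hasNonce = lower.some((s) => s.startsWith("'nonce-"));
  const hasHash = lower.some((s) => /^'sha(256|384|512)-/.test(s));
  // Browsers ignore 'unsafe-inline' once a nonce or hash is present.
  const unsafeInline = lower.includes("'unsafe-inline'") && !hasNonce && !hasHash;
  const inlineMode = hasNonce ? "nonce" : unsafeInline ? "unsafe-inline" : "blocked";
  const pathAllowed = sources.some((s) => sourceCoversChallengePath(s, originHost));
  return { directive, pathAllowed, inlineMode, ok: pathAllowed && inlineMode !== "blocked" };
}
```

An inlineMode of "blocked" corresponds to the console error quoted above; "unsafe-inline" passes but is the configuration this page discourages.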