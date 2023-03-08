Understand site traffic


Another characteristic to consider is your application’s traffic. Several aspects of your traffic might affect how you implement Bot management.

Bot attacks

If you are experiencing bot attacks, consider the nature of the attack.

These types of actions fall into two general categories:

A bot submitting data through a form: credential stuffing on login endpoints, content spam, inventory hoarding, credit card stuffing.

A bot viewing data intended for human eyes only: content scraping, ad click fraud, email address harvesting.



Implementation details

If bots are submitting data through forms, you should likely create focused rules that block traffic on specific endpoints.

If bots are viewing data intended for human eyes only, you may want broader rules limiting bot interactions across your application.

Verified bots

Cloudflare maintains an internal list of Verified Bots that are associated with search engine optimization (SEO), website monitoring, and more.

You can use this list to prevent any bot protection measures from impacting otherwise helpful bots, such as search crawlers.

For a partial list of verified bots, refer to Cloudflare Radar.

Implementation details

Verified bots are blocked by default when you create firewall rules using cf.bot_management.score.

To allow verified bots, you would need to include not (cf.bot_management.verified_bot) as part of a firewall rule.

Automated traffic

By default, Bot management rules will block non-browser traffic.

This can be problematic if your application receives a lot of API traffic, or if you have tools related to:

Indexing content for search.

Auditing content (links, headers, etc.).

Monitoring uptime.

Forward proxying traffic, such as secure web gateways.

Implementation details

Depending on your application, you may want to write rules that allow specific types of automated traffic or rules that allow all automated traffic to specific endpoints (/api, for example).

In some cases, APIs might be better suited for API Shield than Bot Management.

You should also take time to review Bot analytics to make sure you fully understand the automated traffic reaching your site. Often, you might discover services maintained by a different team or other surprises.

Pay specific attention to:

Which endpoints are being targeted.

The top non-Mozilla user agents.

Traffic from Outlook or Office user-agents.

Traffic from cloud-based Secure Web Gateways (ASNs labeled with the proxy provider).

Traffic from on-premises forward proxies.

Whether requests come from a predictable IP address and ASN, or have a similar JA3 fingerprint.
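One way to work through this checklist offline, as an added example that is not Cloudflare's code: it assumes request records exported as JSON lines, and the field names (path, ua, asn, ip, ja3) and all sample values are constructed for illustration.

```python
import json
from collections import Counter, defaultdict

# Constructed sample records, one JSON object per line. Field names, user
# agents and fingerprint labels are assumptions; IPs and ASNs are from
# documentation ranges.
SAMPLE_LOG = """
{"path": "/login", "ua": "python-requests/2.31.0", "asn": 64500, "ip": "192.0.2.10", "ja3": "fp-a"}
{"path": "/login", "ua": "python-requests/2.31.0", "asn": 64500, "ip": "192.0.2.11", "ja3": "fp-a"}
{"path": "/login", "ua": "python-requests/2.31.0", "asn": 64500, "ip": "192.0.2.12", "ja3": "fp-a"}
{"path": "/api/status", "ua": "uptime-checker/1.0", "asn": 64501, "ip": "198.51.100.5", "ja3": "fp-b"}
{"path": "/api/status", "ua": "uptime-checker/1.0", "asn": 64501, "ip": "198.51.100.5", "ja3": "fp-b"}
{"path": "/", "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)", "asn": 64502, "ip": "203.0.113.7", "ja3": "fp-c"}
{"path": "/calendar.ics", "ua": "Microsoft Office/16.0 (Microsoft Outlook 16.0)", "asn": 64502, "ip": "203.0.113.8", "ja3": "fp-d"}
{"path": "/login", "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)", "asn": 64502, "ip": "203.0.113.9", "ja3": "fp-c"}
"""

def summarize(log_text, top=3, min_requests=2):
    """Summarise requests along the axes listed in the review checklist."""
    endpoints, agents, office = Counter(), Counter(), Counter()
    hits, ips = Counter(), defaultdict(set)   # both keyed by (asn, ja3)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        ua = rec.get("ua", "")
        endpoints[rec["path"]] += 1
        if not ua.startswith("Mozilla/"):
            agents[ua or "<empty>"] += 1
        if "outlook" in ua.lower() or "office" in ua.lower():
            office[ua] += 1               # counted even if the UA starts with Mozilla/
        key = (rec["asn"], rec["ja3"])
        hits[key] += 1
        ips[key].add(rec["ip"])
    # Repeated (ASN, JA3) pairs: few distinct IPs suggests a predictable
    # source; many IPs sharing one fingerprint suggests a single client tool.
    sources = {k: {"requests": n, "distinct_ips": len(ips[k])}
               for k, n in hits.items() if n >= min_requests}
    return {"endpoints": endpoints.most_common(top),
            "non_mozilla_agents": agents.most_common(top),
            "office_agents": dict(office),
            "repeated_sources": sources}

if __name__ == "__main__":
    for section, value in summarize(SAMPLE_LOG).items():
        print(section, value)
```

A source that shows up with one IP and one fingerprint, like the constructed uptime checker here, is a candidate for a narrow allow rule; a fingerprint spread across many IPs on a form endpoint is a candidate for a focused block rule.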