Understanding Cloudflare User Agent Blocking

​​ Overview

User Agent Blocking (UA) rules block specific browser or web application  User-Agent request headers Open external link .  UA rules apply to the entire domain instead of individual subdomains.  UA rules are applied after  Zone Lockdown rules Open external link , so permitting an IP address via Zone Lockdown skips UA rules.

The maximum number of allowed UA rules is based on plan type: 

• Free: 10
• Lite: 50
• Pro: 50
• Pro Plus: 250
• Business: 250
• Enterprise: 1,000

​​ Create a User Agent Blocking rule

1. Log in to your Cloudflare account.

2. Select the appropriate domain.

3. Navigate to Security > WAF > Tools.

4. Under User Agent Blocking, click Create Blocking Rule. 

5. Enter the Name/Description.

6. Select an applicable Action of either Block, Interactive Challenge, Managed Challenge, or JS challenge.

7. Enter the User Agent.  For example, to block the Bad Bot web spider:

BadBot/1.0.2 (+http://bad.bot)

Note: Wildcards (*) are not supported.

8. Click Save and Deploy.

​​ Related resources

• Understanding your site protection options Open external link
• Understanding Cloudflare Zone Lockdown Open external link