Security features interoperability
Cloudflare applies multiple security features to every incoming request. Each feature runs at a specific stage, and the order determines which feature acts first. Understanding this order helps you avoid conflicts and reduce false positives.
Cloudflare security features powered by the Ruleset Engine run in a fixed sequence of phases. When a request arrives, it passes through each phase in order. If a rule takes a terminating action (for example, Block or Managed Challenge), the request stops and does not reach later phases.
The security-related request phases, in execution order, are:
| Phase name | Product |
|---|---|
| ddos_l7 | HTTP DDoS Attack Protection |
| http_request_firewall_custom | Custom rules |
| http_ratelimit | Rate limiting rules |
| http_request_firewall_managed | Managed Rules |
| http_request_sbfm | Super Bot Fight Mode |
Within each phase, account-level rulesets run before zone-level rulesets.
The Ruleset Engine powers many Cloudflare products beyond security. Refer to Phases list for the complete list of request and response phases.
The following security features are not powered by the Ruleset Engine and are evaluated independently:
- IP Access Rules
- Zone Lockdown
- User Agent Blocking
- Browser Integrity Check
- Hotlink Protection
- Security Level
Because these features run independently, they do not follow the phase order described above.
DDoS protection is always on for all Cloudflare plans. L7 HTTP DDoS Attack Protection detects and mitigates application-layer DDoS attacks. L3/4 Network-layer DDoS Attack Protection handles network-layer attacks. You do not need to turn on or configure anything for DDoS protection to work.
Custom rules are rules you define. They run in the http_request_firewall_custom phase and support actions like Block, Managed Challenge, Skip, and Log. You can reference bot score fields, WAF attack score fields, and all standard request fields in your expressions.
Rate limiting rules throttle or block traffic that exceeds a defined request rate. They run in the http_ratelimit phase, after custom rules.
Managed Rules are pre-configured rulesets maintained by Cloudflare. These include the Cloudflare Managed Ruleset and the OWASP Core Ruleset. They run in the http_request_firewall_managed phase.
Bot Fight Mode is available on Free plans. It is a simple on/off toggle that challenges traffic matching patterns of known bots. You cannot customize its behavior or skip it with custom rules.
Super Bot Fight Mode (SBFM) is available on Pro, Business, and Enterprise plans (without the Bot Management add-on). It runs in the http_request_sbfm phase and offers more control than Bot Fight Mode. You can configure separate actions for Definitely automated, Likely automated, and Verified bots traffic. You can skip SBFM for specific requests using the Skip action in custom rules.
Bot Management is an Enterprise add-on. It generates a bot score from 1 to 99 for every request. Lower scores indicate more automated traffic. You write custom rules using the cf.bot_management.score field to take action based on this score. For more information, refer to Bot Management variables.
These rules govern how security features interact:
- Terminating actions stop the request evaluation workflow. If a rule blocks or challenges a request, Cloudflare does not evaluate later phases for that request.
- Custom rules run before SBFM. A terminating action in custom rules prevents Super Bot Fight Mode from evaluating the request.
- Skip actions bypass later phases. You can use the Skip action in custom rules to bypass rate limiting rules (http_ratelimit), Super Bot Fight Mode (http_request_sbfm), and Managed Rules (http_request_firewall_managed).
- Bot Fight Mode cannot be skipped. Because Bot Fight Mode is not part of the Ruleset Engine, custom rules cannot skip it. If you need to exempt traffic from bot protection, upgrade to Super Bot Fight Mode or Bot Management.
- Bot Management scores are available in custom rules. Enterprise customers with Bot Management can use cf.bot_management.score in custom rule expressions to define custom thresholds per path, user agent, or any other request property.
A Free plan includes DDoS protection and Bot Fight Mode.
- DDoS protection runs automatically on every request.
- Turn on Bot Fight Mode under Security > Settings to challenge known bot patterns.
- Turn on Block AI Bots to prevent AI crawlers from scraping your content.
Because Bot Fight Mode cannot be skipped or customized, you cannot create exceptions for specific bots. If Bot Fight Mode causes false positives for legitimate automated traffic (for example, monitoring services or payment processors), consider upgrading to a Pro or Business plan that includes Super Bot Fight Mode.
A Pro or Business plan adds Super Bot Fight Mode, custom rules, and Managed Rules.
- DDoS protection runs automatically.
- Turn on Super Bot Fight Mode to block automated and likely automated traffic.
- Deploy Managed Rules for protection against known vulnerabilities like SQL injection and cross-site scripting.
- Create custom rules with the Skip action to allow legitimate automated traffic while SBFM blocks bad bots everywhere else. Use the following rule configuration:
  - Set the rule expression to match the IP addresses or user agents of your payment processor.
  - Set the action to Skip, and select Super Bot Fight Mode.
An Enterprise plan with the Bot Management add-on provides the most flexibility.
- DDoS protection runs automatically.
- Bot Management generates a bot score on every request.
- Create custom rules that reference cf.bot_management.score to define your own thresholds. For example, block requests with a bot score below 30 for website paths, while allowing all scores on API paths that authenticated partners use.
- Use rate limiting rules to throttle abusive traffic patterns.
- Deploy Managed Rules to protect against known vulnerabilities.
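The following Python model is an added example (not Cloudflare code, and it does not call the Cloudflare API) that walks a request through the phase order and interaction rules described above: terminating actions end evaluation, a Skip action in custom rules bypasses http_ratelimit and http_request_sbfm, and a cf.bot_management.score threshold applies only off API paths, as in the Enterprise configuration in this list. Phase names and action names are the ones the page gives; the request fields, the rule predicates (Python stand-ins for the Cloudflare expressions quoted in comments), the partner IP range and the sample traffic are all constructed for the demo.

```python
"""Toy model of the Cloudflare security phase order described on this page.

Added example, not Cloudflare code. It mirrors the documented ordering
(ddos_l7 -> custom rules -> rate limiting -> Managed Rules -> SBFM), the
terminating actions, and the Skip action's effect on later phases.
Request fields, rule predicates and sample traffic are constructed.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Callable, Optional

# Security request phases in the execution order the page lists.
PHASES = [
    "ddos_l7",
    "http_request_firewall_custom",
    "http_ratelimit",
    "http_request_firewall_managed",
    "http_request_sbfm",
]
# Actions that stop evaluation; later phases never see the request.
TERMINATING = {"block", "managed_challenge"}


@dataclass
class Rule:
    description: str                  # what the rule is for
    matches: Callable[[dict], bool]   # Python stand-in for the rule expression
    action: str                       # "block", "managed_challenge", "skip" or "log"
    skip_phases: tuple = ()           # only for action == "skip": phases to bypass


@dataclass
class Verdict:
    action: str                       # terminating action, or "allow"
    phase: Optional[str] = None       # phase in which the terminating rule fired
    rule: Optional[str] = None        # description of that rule
    skipped: list = field(default_factory=list)   # phases bypassed by Skip
    logged: list = field(default_factory=list)    # Log rules that matched


def evaluate(request: dict, rulesets: dict) -> Verdict:
    """Run one request through the phases and report what happened to it."""
    skipped, logged = set(), []
    for phase in PHASES:
        if phase in skipped:          # bypassed by an earlier Skip action
            continue
        for rule in rulesets.get(phase, []):
            if not rule.matches(request):
                continue
            if rule.action in TERMINATING:
                return Verdict(rule.action, phase, rule.description,
                               sorted(skipped), logged)
            if rule.action == "skip":
                skipped.update(rule.skip_phases)
            elif rule.action == "log":
                logged.append(rule.description)
    return Verdict("allow", skipped=sorted(skipped), logged=logged)


PARTNER_NET = ip_network("203.0.113.0/24")   # constructed partner range

# Constructed rulesets; each comment gives the Cloudflare expression the
# predicate approximates.
RULESETS = {
    "http_request_firewall_custom": [
        # ip.src in {203.0.113.0/24}  -> Skip rate limiting and SBFM
        Rule("skip ratelimit+SBFM for partner range",
             lambda r: ip_address(r["ip"]) in PARTNER_NET,
             "skip", ("http_ratelimit", "http_request_sbfm")),
        # cf.bot_management.score lt 30  -> Log (observe before blocking)
        Rule("log low bot score", lambda r: r["bot_score"] < 30, "log"),
        # cf.bot_management.score lt 30 and
        #   not starts_with(http.request.uri.path, "/api/")  -> Block
        Rule("block low bot score off API paths",
             lambda r: r["bot_score"] < 30 and not r["path"].startswith("/api/"),
             "block"),
    ],
    "http_request_firewall_managed": [
        # Crude stand-in for a managed SQLi signature; real managed rules are richer.
        Rule("managed: SQLi signature",
             lambda r: "union select" in r.get("query", "").lower(), "block"),
    ],
    "http_request_sbfm": [
        # SBFM with "Likely automated" set to Managed Challenge
        Rule("SBFM likely automated",
             lambda r: r.get("bot_category") == "likely_automated",
             "managed_challenge"),
    ],
}


def decide(request: dict) -> Verdict:
    return evaluate(request, RULESETS)


if __name__ == "__main__":
    samples = {
        "partner on API path":  {"ip": "203.0.113.10", "path": "/api/orders",
                                 "bot_score": 5, "bot_category": "likely_automated"},
        "scraper on site path": {"ip": "198.51.100.7", "path": "/",
                                 "bot_score": 5, "bot_category": "likely_automated"},
        "unknown bot on API":   {"ip": "198.51.100.7", "path": "/api/search",
                                 "bot_score": 5, "bot_category": "likely_automated"},
        "SQLi probe":           {"ip": "198.51.100.8", "path": "/search",
                                 "query": "q=1 UNION SELECT 1,2", "bot_score": 80},
        "human":                {"ip": "198.51.100.9", "path": "/", "bot_score": 90},
    }
    for name, req in samples.items():
        print(f"{name:22s} -> {decide(req)}")
```

The partner request reaches the origin even though its bot score is low: the Skip rule fires first in the custom phase, so SBFM never evaluates it, while the score-based block does not apply to an /api/ path. The same low-score request on a site path is blocked in http_request_firewall_custom, and the unknown bot on an API path is challenged only when SBFM runs last. Swapping the order of the custom rules would change the outcome, which is why the Service field in Security Events, not the rule text alone, is the reliable way to see which feature acted.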
When security features interfere with legitimate traffic, use the following steps to identify and resolve the issue.
Use Security Events to identify the feature that blocked a request:
- Log in to the Cloudflare dashboard, and select your account and domain.
- Go to Security > Events (or, on the Analytics page, select the Events tab).
- Find the blocked request in the log.
- Check the Service field to determine which product took the action. This field tells you which feature to adjust.
Bot Fight Mode does not support exceptions. You have two options:
- Turn off Bot Fight Mode entirely under Security > Settings.
- Upgrade to a plan with Super Bot Fight Mode, which supports skip rules.
For more information, refer to Handle false positives from Bot Fight Mode or Super Bot Fight Mode.
Create a custom rule with the Skip action to bypass SBFM for the affected traffic:
- Log in to the Cloudflare dashboard, and select your account and domain.
- Go to Security > WAF > Custom rules and select Create rule (or, on the Security rules page, select Create rule > Custom rules).
- Define an expression that matches the legitimate traffic (for example, a specific IP range or user agent).
- Set the action to Skip and select Super Bot Fight Mode.
For more information, refer to Handle false positives from Bot Fight Mode or Super Bot Fight Mode.
If a managed rule blocks legitimate traffic:
- Create a WAF exception to skip specific rules or rulesets for matching requests.
- Disable individual rules within a managed ruleset if they do not apply to your application.
For detailed guidance, refer to Troubleshoot managed rules.