Cloudflare User Agent Blocking
User Agent Blocking rules block specific browser or web application
User-Agent request headers. These rules apply to the entire domain instead of individual subdomains.
User Agent Blocking rules are applied after Zone Lockdown rules. If you allow an IP address via Zone Lockdown, it will skip any User Agent Blocking rules.
Availability
Cloudflare User Agent Blocking is available on all plans. The number of available User Agent Blocking rules depends on your Cloudflare plan.
| Free | Pro | Business | Enterprise | |
Availability | Yes | Yes | Yes | Yes |
Number of rules | 10 | 50 | 250 | 1,000 |
Create a User Agent Blocking rule
Log in to the Cloudflare dashboard and select your account and domain.
Go to Security > WAF, and select the Tools tab.
Under User Agent Blocking, select Create blocking rule.
Enter a descriptive name for the rule in Name/Description.
In Action, select the action to perform: Managed Challenge, Block, JS Challenge, or Interactive Challenge.
Enter a user agent value in User Agent (wildcards such as
*are not supported). For example, to block the Bad Bot web spider, enterBadBot/1.0.2 (+http://bad.bot).Select Save and Deploy blocking rule.
Issue a POST request for the Create a User Agent Blocking rule operation.
For example:
$ curl "https://api.cloudflare.com/client/v4/zones/<ZONE_ID>/firewall/ua_rules" \
-H "X-Auth-Email: <EMAIL>" \
-H "X-Auth-Key: <API_KEY>" \
-H "Content-Type: application/json" \
-d '{ "description": "Block Bad Bot web spider", "mode": "block", "configuration": { "target": "ua", "value": "BadBot/1.0.2 (+http://bad.bot)" }}'