Bot Management
Bot Management for Enterprise is a paid add-on that provides sophisticated bot protection for your domain. Customers can identify automated traffic, take appropriate action, and view detailed analytics within the dashboard.
This Enterprise product provides the most flexibility to customers by:
- Generating a bot score of 1-99 for every request. Scores below 30 are commonly associated with bot traffic.
- Allowing customers to take action on this score with WAF custom rules or Workers.
- Allowing customers to view this score in Bot Analytics or Logs.
Bot Management is automatically enabled for Enterprise zones entitled with the add-on.
To enable a Bot Management trial on Enterprise zones without the Bot Management add-on entitled:
- Log in to your Cloudflare dashboard and select your account and domain.
- Go to Security > Bots.
- Select Add Bot Management.
Cloudflare recommends that you deploy the following basic settings and customize them according to the traffic in your zone.
Cloudflare encourages Enterprise customers to enable auto-updates to its Machine Learning models to get the newest bot detection models as they are released.
To enable auto-updates:
- Log in to the Cloudflare dashboard and select your account and domain.
- Go to Security > Bots.
- Select Configure Bot Management.
- Enable Auto-updates to the Machine Learning Model.
The Block AI bots setting blocks Definitely Automated bots and Verified AI Bots, such as an AI Search, AI Assistant, AI Crawler, or AI Archiver.
To block AI bots:
- Log in to the Cloudflare dashboard and select your account and domain.
- Go to Security > Bots.
- Select Configure Bot Management.
- Enable Block AI bots.
Enabling JavaScript detections validates that the browser can run JavaScript. The result is stored in the cf.bot_management.js_detection.passed variable.
To enable JavaScript Detections:
- Log in to your Cloudflare dashboard and select your account and domain.
- Go to Security > Bots.
- Select Configure Bot Management.
- For JavaScript Detections, switch the toggle to On.
Cloudflare has default templates for definite bots, which have a bot score of 1, and likely bots, which have a bot score of 2 to 29. In these templates, Cloudflare recommends allowing verified bots, such as Google SEO Crawler, and access to cached static resources.
- Definite Bots template: Targets malicious bot traffic while ignoring verified bots and routes delivering static content.
  (cf.bot_management.score eq 1 and not cf.bot_management.verified_bot and not cf.bot_management.static_resource)
- Likely Bots template: Targets traffic likely to be malicious bots while ignoring verified bots and routes with static content. It may contain a small amount of non-bot traffic.
  (cf.bot_management.score ge 2 and cf.bot_management.score le 29 and not cf.bot_management.verified_bot and not cf.bot_management.static_resource)
- (Optional) JavaScript detections template: If you enabled JavaScript detections, then set up a managed challenge and make sure to add a method and URI path. JavaScript detections improve security for URLs that should only expect JavaScript-enabled clients.
  (not cf.bot_management.js_detection.passed and http.request.method eq "" and http.request.uri.path in {""})
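The three template expressions above can also be evaluated in a Worker, the other place this page says the bot score can be acted on. The following is an added example, not Cloudflare's own code: it assumes the Workers runtime exposes the same signals on request.cf.botManagement (score, verifiedBot, staticResource, jsDetection.passed), and the protected method and path, the x-bot-verdict header and the block-or-tag policy are constructed for illustration.

```javascript
// PROTECTED is a constructed placeholder for the method and URI paths that the
// JavaScript detections template leaves blank.
const PROTECTED = { method: "POST", paths: new Set(["/login"]) };

// bm is request.cf.botManagement. Returns the name of the first template
// expression that matches, "allow" if none does, or "unscored" if no usable
// score is present.
function classify(bm, method, path) {
  // No usable score, for example Bot Management not entitled on the zone.
  if (!bm || !Number.isInteger(bm.score) || bm.score < 1 || bm.score > 99) {
    return "unscored";
  }
  // Both score templates ignore verified bots and static resources.
  const exempt = bm.verifiedBot === true || bm.staticResource === true;
  if (!exempt && bm.score === 1) return "definite_bot";
  if (!exempt && bm.score >= 2 && bm.score <= 29) return "likely_bot";
  // JavaScript detections template: applies only to the listed method and paths.
  const jsPassed = Boolean(bm.jsDetection && bm.jsDetection.passed);
  if (!jsPassed && method === PROTECTED.method && PROTECTED.paths.has(path)) {
    return "js_detection_failed";
  }
  return "allow";
}

// Example policy (an assumption, not a Cloudflare recommendation): block
// definite bots and failed JavaScript detections, tag everything else so the
// origin can log or rate-limit on the verdict.
const worker = {
  async fetch(request) {
    const url = new URL(request.url);
    const bm = request.cf && request.cf.botManagement;
    const verdict = classify(bm, request.method, url.pathname);
    if (verdict === "definite_bot" || verdict === "js_detection_failed") {
      return new Response("Forbidden", { status: 403 });
    }
    const headers = new Headers(request.headers);
    // set() replaces any client-supplied value of this hypothetical header.
    headers.set("x-bot-verdict", verdict);
    return fetch(new Request(request, { headers }));
  },
};
// In a Worker module, make `worker` the default export.
```

The "unscored" verdict keeps requests without a score from being mistaken for human traffic, so the origin can decide how to treat them.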
- 2025 Cloudflare, Inc.