Bot Management

Bot Management for Enterprise is a paid add-on that provides sophisticated bot protection for your domain. Customers can identify automated traffic, take appropriate action, and view detailed analytics within the dashboard.

This Enterprise product provides the most flexibility to customers by:

• Generating a bot score of 1-99 for every request. Scores below 30 are commonly associated with bot traffic.
• Allowing customers to take action on this score with WAF custom rules or Workers.
• Allowing customers to view this score in Bot Analytics or Logs.

Enable Bot Management for Enterprise

Bot Management is automatically enabled for Enterprise zones entitled with the add-on.

To enable a Bot Management ↗ trial on Enterprise zones without the Bot Management add-on entitled:

1. Log in to your Cloudflare dashboard ↗ and select your account and domain.
2. Go to Security > Bots.
3. Select Add Bot Management.

Note

If you are not seeing Bot Management enabled on your zone or if you still see Add Bot Management on the Cloudflare dashboard, contact your account team for the proper entitlements.

Setup

Cloudflare recommends that you deploy the following basic settings and customize them according to the traffic in your zone.

Enable the latest Machine Learning version

Cloudflare encourages Enterprise customers to enable auto-updates to its Machine Learning models to get the newest bot detection models as they are released.

To enable auto-updates:

1. Log in to the Cloudflare dashboard and select your account and domain.
2. Go to Security > Bots.
3. Select Configure Bot Management.
4. Enable Auto-updates to the Machine Learning Model.

Block AI Bots

AI Bots will block Definitely Automated bots and Verified AI Bots, such as AI Search, AI Assistant, AI Crawler, or an AI Archiver.

To block AI bots:

1. Log in to the Cloudflare dashboard ↗ and select your account and domain.
2. Go to Security > Bots.
3. Select Configure Bot Management.
4. Enable Block AI bots.

Note

You can view blocked AI bot traffic via Security Analytics.

Enable AI Labyrinth

AI Labyrinth decreases the accuracy and wastes the resources of AI Bots by confabulating articles on your website that are not visible to users.

To enable AI Labyrinth:

1. Log in to the Cloudflare dashboard ↗ and select your account and domain.
2. Go to Security > Bots.
3. Select Configure Bot Management.
4. Enable AI Labyrinth.

Enable Javascript Detections

Enabling JavaScript Detections validates that the browser can run JavaScript, and is stored in the cf.bot_management.js_detection.passed variable.

To enable JavaScript Detections:

1. Log in to your Cloudflare dashboard ↗ and select your account and domain.
2. Go to Security > Bots.
3. Select Configure Bot Management.
4. For JavaScript Detections, switch the toggle to On.

Deploy default templates

Cloudflare has default templates ↗ for definite bots, which we are very confident are automated (bot score 1) and likely bots that have many bot tells (bot score 2-29). In our templates, we recommend to allow verified bots like Google SEO crawler and access to static resources, which should be cached anyway.

• Definite Bots template ↗: Targets malicious bot traffic while ignoring verified bots and routes delivering static content.

  (cf.bot_management.score eq 1 and not cf.bot_management.verified_bot and not cf.bot_management.static_resource)

• Likely Bots template ↗: Targets traffic likely to be malicious bots while ignoring verified bots and routes with static content. It may contain a small amount of non-bot traffic.

  (cf.bot_management.score ge 2 and cf.bot_management.score le 29 and not cf.bot_management.verified_bot and not cf.bot_management.static_resource)

• (Optional) JavaScript detections template ↗: If you enabled JavaScript detections, then set up a managed challenge, make sure to add a method and URI path. JavaScript detections improves security for URLs that should only expect JavaScript-enabled clients.

  (not cf.bot_management.js_detection.passed and http.request.method eq "" and http.request.uri.path in {""})