- Log in to your Cloudflare dashboard and select your account and domain.
- Go to Security > Bots.
- Select Configure Bot Management.
For more details on how to set up bot protection, see the “Get started” section.
cf.bot_management.js_detection.passed field in Firewall rules (or the request.cf.botManagement.js_detection.passed variable in Workers).
When using this field in Firewall rules, consider the following:
- Use it only on endpoints that expect browser traffic, excluding native mobile applications or websocket endpoints.
To use the cf.bot_management.js_detection.passed field effectively, ensure the following:
- Avoid running this field on websocket endpoints.
- Use the field in a custom rules expression that only expects browser traffic.
- Always use the Managed Challenge action in case a legitimate user has not received the challenge due to network or browser issues.
- In the rule builder, avoid specifying a path that is the first HTML page a user visits when browsing your site.
The presence of the
Note that the
If you enabled Bot Management before June 2020
If you have a Content Security Policy (CSP)
- Make sure that anything under “/cdn-cgi/challenge-platform/” is allowed in your CSP. Your CSP should allow scripts served from your origin domain (script-src 'self').
- If your CSP uses a nonce for script tags, Cloudflare will add these nonces to the scripts it injects by parsing your CSP response header.
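
The two CSP points above can be checked against a policy before it is deployed. The following is an added example, not Cloudflare code: the function names, the sample policy and the example.com origin are assumptions, and the source matching is deliberately simplified.

```javascript
// Added example (not Cloudflare code): simplified CSP check for the challenge script path.
// Handles keyword, scheme and host sources; sources with explicit ports count as
// non-matching. It is not a full CSP matcher.
const CHALLENGE_PATH = "/cdn-cgi/challenge-platform/";

// Parse a CSP header value into { directive: [sources] }; repeated directives are ignored.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (key && !(key in policy)) policy[key] = sources;
  }
  return policy;
}

// True if one source expression allows every script under CHALLENGE_PATH on `site`.
function sourceAllows(source, site) {
  const kw = source.toLowerCase();
  if (kw === "'self'" || kw === "*" || kw === site.protocol) return true;
  if (kw.startsWith("'")) return false; // nonces, hashes, 'none', other keywords
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)(\/.*)?$/i.exec(source);
  if (!m) return false;
  const [, scheme, host, path = "/"] = m;
  // An http: source also matches the https: version of the same host.
  if (scheme && ![site.protocol, "http:"].includes(scheme.toLowerCase() + ":")) return false;
  const h = host.toLowerCase();
  const hostOk = h.startsWith("*.") ? site.hostname.endsWith(h.slice(1)) : h === site.hostname;
  // A path source covers the directory only if it is a "/"-terminated prefix of it.
  return hostOk && path.endsWith("/") && CHALLENGE_PATH.startsWith(path);
}

// Report how `cspHeader` treats scripts under CHALLENGE_PATH served from `origin`.
function checkChallengeCsp(cspHeader, origin) {
  const policy = parseCsp(cspHeader);
  const directive = ["script-src-elem", "script-src", "default-src"].find((d) => d in policy);
  if (!directive) return { directive: null, allowedBySource: true, usesNonce: false };
  const sources = policy[directive];
  const site = new URL(origin);
  const usesNonce = sources.some((s) => /^'nonce-/i.test(s));
  // 'strict-dynamic' makes browsers ignore 'self', host and scheme sources.
  const strictDynamic = sources.some((s) => s.toLowerCase() === "'strict-dynamic'");
  const allowedBySource = !strictDynamic && sources.some((s) => sourceAllows(s, site));
  return { directive, allowedBySource, usesNonce };
}

// Constructed sample policy and origin.
console.log(checkChallengeCsp("default-src 'none'; script-src 'self' 'nonce-abc123'", "https://example.com"));
```

When `allowedBySource` is false and `usesNonce` is true, the injected scripts load only through the nonce handling described in the last bullet.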