Bot Detection with JavaScript

JavaScript detections play a vital role in identifying bot requests for Cloudflare. These detections involve the implementation of a lightweight and invisible JavaScript code snippet, which conforms to Cloudflare’s privacy standards. It’s important to note that JavaScript is only injected in response to HTML page requests or page views, excluding AJAX calls. It does not affect API or mobile app traffic. Additionally, the code is not injected again until the current session expires. After page load, the script is deferred and uses a separate thread whenever possible to minimize performance impact.

The JavaScript snippets contain a source that points to the challenge platform, with paths starting with “/cdn-cgi/challenge-platform/…”.

What are JavaScript Detections?

JavaScript detections are implemented using a discreet JavaScript code snippet that follows Cloudflare’s privacy standards. They are injected only when HTML pages are requested and have a separate thread to ensure minimal impact on performance. The snippets contain a source that points to the challenge platform.

Enabling JavaScript Detections

For Free customers (Bot Fight Mode), JavaScript detections are automatically enabled and cannot be disabled.

For all other customers (Super Bot Fight Mode and Bot Management for Enterprise), JavaScript detections are optional.

To enable JavaScript detections:

  1. Log in to your Cloudflare dashboard and select your account and domain.
  2. Go to Security > Bots.
  3. Select Configure Bot Management.
  4. Toggle the switch to turn on JavaScript Detections.
See also  Shopping Cart JavaScript

For more details on how to set up bot protection, see the “Get started” section.

Enforcing execution of JavaScript Detections

Once you enable JavaScript detections, you can utilize the cf.bot_management.js_detection.passed field in Firewall rules (or the variable in Workers).

When using this field in Firewall rules, consider the following:

  • Use it only on endpoints that expect browser traffic, excluding native mobile applications or websocket endpoints.
  • Add it after a user’s first request to your application because Cloudflare requires at least one HTML request before injecting JavaScript detection.
  • Combine it with the Managed Challenge action to account for legitimate reasons a user might not have passed a JavaScript detection challenge (such as network issues, ad blockers, disabled JavaScript in the browser, or native mobile apps).


To use the cf.bot_management.js_detection.passed field effectively, ensure the following:

  • JavaScript detections are enabled on your zone.
  • You have updated your Content Security Policy headers for JavaScript detections.
  • Avoid running this field on websocket endpoints.
  • Use the field in a custom rules expression that only expects browser traffic.
  • Always use the Managed Challenge action in case a legitimate user has not received the challenge due to network or browser issues.
  • Avoid using the specified path in the rule builder as the first HTML page a user visits when browsing your site.

The presence of the cf.bot_management.js_detection.passed field indicates that a request has a Bot Management cookie with a JavaScript detection value, indicating that it passed the JavaScript detection test and received a likely human scoring result.

Note that the cf.bot_management.js_detection.passed field should never be used in a Firewall field that can run a user’s first request to a site. At least one HTML request is required before Cloudflare can inject JavaScript detection.

See also  ProgramMatek: Top JavaScript Development Companies


If you enabled Bot Management before June 2020

Customers who enabled Enterprise Bot Management before June 2020 do not have JavaScript detections enabled by default, unless specifically requested. However, these customers can still enable the feature in the Cloudflare dashboard.

If you have a Content Security Policy (CSP)

If you have a Content Security Policy (CSP), additional steps are necessary to implement JavaScript detections:

  • Make sure that anything under “/cdn-cgi/challenge-platform/” is allowed in your CSP. Your CSP should allow scripts served from your origin domain (script-src self).
  • If your CSP uses a nonce for script tags, Cloudflare will add these nonces to the scripts it injects by parsing your CSP response header.
  • If your CSP does not use a nonce for script tags and JavaScript Detection is enabled, you may encounter a console error like “Refused to execute inline script.” To resolve this, you need to add the ‘unsafe-inline’ keyword, a hash, or a nonce to enable inline execution. However, we highly recommend using CSP nonces in script tags, which Cloudflare parses and supports in its CDN, instead of relying on ‘unsafe-inline’.