How do I block malicious User-Agents with Cloudflare?

User-Agent (UA) Rules

User Agent rules match against the User-Agent request header sent by the browser or application accessing your site. UA rules are applied against the entire domain. Wildcards (*) are not supported in UA rules.

UA rules are applied after URL lockdown rules. If you permit an IP address using lockdown, the UA rules will be skipped for the matching URLs.

UA rules can have one the following actions applied: block, challenge (i.e., CAPTCHA), js_challenge.

You can currently create User-agent rules using our UI. 

Here is an example rule to block the "Bad Bot" web spider.


You can also create rules using our Client API. 


 $ curl -XPOST -H "X-Auth-Email: $MYEMAIL" -H "X-Auth-Key: $MYAPIKEY" -H "Content-Type: application/json"$MYZONETAG/firewall/ua_rules

  "description": "Block Bad Bot",
  "mode": "block",
      "target": "ua",
      "value": "BadBot/1.0.2 (+"

 The maximum number of UA rules you can create is based on plan type. 

Plan Max Rules
Free 10
Pro 50
Business 250
Enterprise 1,000


Not finding what you need?

95% of questions can be answered using the search tool. This is the quickest way to get a response.

Powered by Zendesk