How do I block malicious User-Agents with Cloudflare?

User-Agent (UA) Rules

User Agent rules match against the User-Agent request header sent by the browser or application accessing your site. UA rules are applied against the entire domain. Wildcards (*) are not supported in UA rules.

UA rules are applied after URL lockdown rules. If you permit an IP address using lockdown, the UA rules will be skipped for the matching URLs.

UA rules can have one of the following actions applied: block, challenge (i.e., CAPTCHA), js_challenge.

You can currently create User-agent rules using our UI. 

Here is an example rule to block the "Bad Bot" web spider.

You can also create rules using our Client API. 

 

 # Create a UA rule; the JSON rule definition is sent as the request body.
 $ curl -XPOST "https://api.cloudflare.com/client/v4/zones/$MYZONETAG/firewall/ua_rules" \
     -H "X-Auth-Email: $MYEMAIL" \
     -H "X-Auth-Key: $MYAPIKEY" \
     -H "Content-Type: application/json" \
     --data '{
   "description": "Block Bad Bot",
   "mode": "block",
   "configuration":
   {
       "target": "ua",
       "value": "BadBot/1.0.2 (+http://bad.bot)"
   }
 }'

The maximum number of UA rules you can create is based on plan type.

Plan          Max Rules
Free          10
Pro           50
Business      250
Enterprise    1,000
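
The following is an added example, not Cloudflare's code. It checks a list of UA rules against the constraints described above (allowed actions, no wildcards, per-plan rule cap) and prepares the same POST as the curl call without sending it. The function names and the `existing` parameter are assumptions of this example.

```python
import json
import urllib.request

# Values from the article: allowed actions and per-plan rule caps.
MODES = {"block", "challenge", "js_challenge"}
PLAN_MAX = {"free": 10, "pro": 50, "business": 250, "enterprise": 1000}
API = "https://api.cloudflare.com/client/v4/zones/{zone}/firewall/ua_rules"


def build_payloads(rules, plan, existing=0):
    """Validate (description, mode, user_agent) tuples and return API bodies.

    `existing` is the number of UA rules already on the zone (hypothetical
    parameter; the caller is assumed to know it).
    """
    limit = PLAN_MAX[plan.lower()]
    payloads, seen = [], set()
    for description, mode, ua in rules:
        if mode not in MODES:
            raise ValueError(f"unsupported mode {mode!r} for {ua!r}")
        # Wildcards are not supported in UA rules, so this example assumes
        # any '*' is a mistaken pattern and rejects it.
        if "*" in ua:
            raise ValueError(f"wildcard in UA value {ua!r}")
        if not ua.strip():
            raise ValueError("empty User-Agent value")
        if ua in seen:  # a duplicate value would only use up plan quota
            continue
        seen.add(ua)
        payloads.append({
            "description": description,
            "mode": mode,
            "configuration": {"target": "ua", "value": ua},
        })
    total = existing + len(payloads)
    if total > limit:
        raise ValueError(f"{total} rules exceeds the {plan} limit of {limit}")
    return payloads


def build_request(zone, email, api_key, payload):
    """Prepare (but do not send) the POST shown in the curl example."""
    return urllib.request.Request(
        API.format(zone=zone),
        data=json.dumps(payload).encode(),
        headers={"X-Auth-Email": email, "X-Auth-Key": api_key,
                 "Content-Type": "application/json"},
        method="POST",
    )
```

Pass each prepared request to `urllib.request.urlopen` to create the rules once validation succeeds.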

 
