How do I block malicious User-Agents with Cloudflare?

User-Agent (UA) Rules

User Agent rules match against the User-Agent headers sent by the browser or application accessing your site. UA rules are applied against the entire domain.

UA rules are applied after URL lockdown rules. If you permit an IP address using lockdown, the UA rules will be skipped for the matching URLs.

UA rules can have one the following actions applied: block, challenge (i.e., CAPTCHA), js_challenge, or whitelist. The whitelist action prevents Browser Integrity check from blocking requests from approved User-Agents. 

You can currently create User-agent rules using our Client API. Here is an example API call to block the "Bad Bot" web spider.


 $ curl -XPOST -H "X-Auth-Email: $MYEMAIL" -H "X-Auth-Key: $MYAPIKEY" -H "Content-Type: application/json"$MYZONETAG/firewall/ua_rules

  "description": "Block Bad Bot",
  "mode": "block",
      "target": "ua",
      "value": "BadBot/1.0.2 (+"

 The maximum number of UA rules you can create is based on plan type. 

Plan Max Rules
Free 10
Pro 50
Business 250
Enterprise 1,000


Still not finding what you need?

The Cloudflare team is here to help. 95% of questions can be answered using the search tool, but if you can’t find what you need, submit a support request.

Powered by Zendesk