All skills
Skillintermediate

Bot Management Gotchas

**Cause:** Bot Management didn't run (internal Cloudflare request, Worker routing to zone (Orange-to-Orange), or request handled before BM (Redirect Rules, etc.)) **Solution:** Check request flow and ensure Bot Management runs in request lifecycle

Claude Code Knowledge Pack7/10/2026

Overview

Bot Management Gotchas

Common Errors

"Bot Score = 0"

Cause: Bot Management didn't run (internal Cloudflare request, Worker routing to zone (Orange-to-Orange), or request handled before BM (Redirect Rules, etc.))
Solution: Check request flow and ensure Bot Management runs in request lifecycle

"JavaScript Detections Not Working"

Cause: js_detection.passed always false or undefined due to: CSP headers don't allow /cdn-cgi/challenge-platform/, using on first page visit (needs HTML page first), ad blockers or disabled JS, JSD not enabled in dashboard, or using Block action (must use Managed Challenge)
Solution: Add CSP header Content-Security-Policy: script-src 'self' /cdn-cgi/challenge-platform/; and ensure JSD is enabled with Managed Challenge action

"False Positives (Legitimate Users Blocked)"

Cause: Bot detection incorrectly flagging legitimate users
Solution: Check Bot Analytics for affected IPs/paths, identify detection source (ML, Heuristics, etc.), create exception rule like (cf.bot_management.score lt 30 and http.request.uri.path eq "/problematic-path") with Action: Skip (Bot Management), or allowlist by IP/ASN/country

"False Negatives (Bots Not Caught)"

Cause: Bots bypassing detection
Solution: Lower score threshold (30 → 50), enable JavaScript Detections, add JA3/JA4 fingerprinting rules, or use rate limiting as fallback

"Verified Bot Blocked"

Cause: Search engine bot blocked by WAF Managed Rules (not just Bot Management)
Solution: Create WAF exception for specific rule ID and verify bot via reverse DNS

"Yandex Bot Blocked During IP Update"

Cause: Yandex updates bot IPs; new IPs unrecognized for 48h during propagation
Solution:

  1. Check Security Events for specific WAF rule ID blocking Yandex
  2. Create WAF exception:
    (http.user_agent contains "YandexBot" and ip.src in {<yandex-ip-range>})
    Action: Skip (WAF Managed Ruleset)
    
  3. Monitor Bot Analytics for 48h
  4. Remove exception after propagation completes

Issue resolves automatically after 48h. Contact Cloudflare Support if persists.

"JA3/JA4 Missing"

Cause: Non-HTTPS traffic, Worker routing traffic, Orange-to-Orange traffic via Worker, or Bot Management skipped
Solution: JA3/JA4 only available for HTTPS/TLS traffic; check request routing

JA3/JA4 Not User-Unique: Same browser/library version = same fingerprint

  • Don't use for user identification
  • Use for client profiling only
  • Fingerprints change with browser updates

Bot Verification Methods

Cloudflare verifies bots via:

  1. Reverse DNS (IP validation): Traditional method—bot IP resolves to expected domain
  2. Web Bot Auth: Modern cryptographic verification—faster propagation

When verifiedBot=true, bot passed at least one method.

Inactive verified bots: IPs removed after 24h of no traffic.

Detection Engine Behavior

EngineScoreTimingPlanNotes
HeuristicsAlways 1ImmediateAllKnown fingerprints—overrides ML
ML1-99ImmediateAllMajority of detections
Anomaly DetectionInfluencesAfter baselineEnterpriseOptional, baseline analysis
JavaScript DetectionsPass/failAfter JSPro+Headless browser detection
Cloudflare ServiceN/AN/AEnterpriseZero Trust internal source

Priority: Heuristics > ML—if heuristic matches, score=1 regardless of ML.

Limits

LimitValueNotes
Bot Score = 0Means not computedNot score = 100
First request JSD dataMay not be availableJSD data appears on subsequent requests
Score accuracyNot 100% guaranteedFalse positives/negatives possible
JSD on first HTML page visitNot supportedRequires subsequent page load
JSD requirementsJavaScript-enabled browserWon't work with JS disabled or ad blockers
JSD ETag strippingStrips ETags from HTML responsesMay affect caching behavior
JSD CSP compatibilityRequires specific CSPNot compatible with some CSP configurations
JSD meta CSP tagsNot supportedMust use HTTP headers
JSD WebSocket supportNot supportedWebSocket endpoints won't work with JSD
JSD mobile app supportNative apps won't passOnly works in browsers
JA3/JA4 traffic typeHTTPS/TLS onlyNot available for non-HTTPS traffic
JA3/JA4 Worker routingMissing for Worker-routed trafficCheck request routing
JA3/JA4 uniquenessNot unique per userShared by clients with same browser/library
JA3/JA4 stabilityCan change with updatesBrowser/library updates affect fingerprints
WAF custom rules (Free)5Varies by plan
WAF custom rules (Pro)20Varies by plan
WAF custom rules (Business)100Varies by plan
WAF custom rules (Enterprise)1,000+Varies by plan
Workers CPU timeVaries by planApplies to bot logic
Bot Analytics sampling1-10% adaptiveHigh-volume zones sampled more aggressively
Bot Analytics history30 days maxHistorical data retention limit
CSP requirements for JSDMust allow /cdn-cgi/challenge-platform/Required for JSD to function

Plan Restrictions

FeatureFreePro/BusinessEnterprise
Granular scores (1-99)NoNoYes
JA3/JA4NoNoYes
Anomaly DetectionNoNoYes
Corporate Proxy detectionNoNoYes
Verified bot categoriesLimitedLimitedFull
Custom WAF rules520/1001,000+