Bot Fight Mode — Bot Detection and Mitigation
In this tutorial, you'll learn about Bot Fight Mode. We cover key concepts, practical examples, and best practices to help you understand and apply this topic effectively.
Cloudflare Bot Fight Mode uses a combination of JavaScript challenges, Rate Limiting, and Machine Learning to detect and block automated bot traffic while letting legitimate users through without friction.
What You Will Learn
You will learn how Bot Fight Mode differs from simple User Agent blocking, how to enable and tune it, and how to combine it with WAF rules and Rate Limiting for comprehensive bot management.
Why It Matters
Malicious bots consume bandwidth, skew analytics, perform credential stuffing, and scrape content. Bot Fight Mode stops the majority of automated threats at the edge without requiring complex rule configuration.
Real-World Use Case
An online ticket marketplace was losing inventory to scalper bots that purchased tickets within seconds of release. Enabling Bot Fight Mode with JavaScript challenges added a 5-second delay to automated purchases while real users completed the challenge seamlessly, reducing scalper success by 85%.
How Bot Fight Mode Works
When enabled, Cloudflare presents a JavaScript challenge to requests it suspects are automated. Browsers execute the JS and pass automatically. Script-based bots that cannot execute JS receive a 403 or are delayed until they time out.
```mermaid
flowchart LR
    A[Visitor Request] --> B{Bot Score Check}
    B -->|High Score > 30| C[JS Challenge]
    B -->|Low Score < 30| D[Pass to Origin]
    B -->|Known Bad IP| E[Block]
    C --> F{JS Executed?}
    F -->|Yes| D
    F -->|No / Timeout| E
```
Enabling Bot Fight Mode
- Go to Security > Bots in your Cloudflare dashboard.
- Toggle Bot Fight Mode to On.
- Optionally configure Bot Score monitoring under Analytics.
- Review blocked traffic after 24 hours to validate.
Bot scores range from 1 (definitely human) to 99 (definitely automated). You can create custom WAF rules that use the cf.bot_management.score field to take different actions based on the score.
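To see how ordered custom rules on these fields combine, here is an added example (not Cloudflare's engine and not the page's own code): a small Python evaluator for a subset of the rule expression language (the comparisons eq/ne/lt/le/gt/ge, the connectives and/or/not, parentheses, quoted strings, integers and IPv4 literals), applied to a constructed ordered rule list. The rule names, the trusted monitoring address 203.0.113.10 and the request records are constructed; the thresholds follow the score convention used on this page and its Real-World Task (challenge login requests scoring above 40).

```python
"""Tiny evaluator for a subset of Cloudflare's rule expression language.

Added example (not Cloudflare's engine): parses and evaluates expressions built
from eq/ne/lt/le/gt/ge, and/or/not and parentheses against a request described
as a plain dict. Field names such as cf.bot_management.score,
http.request.uri.path and ip.src are simply looked up in that dict.
"""
import operator
import re

# Token pattern: parens, "quoted strings", IPv4 literals, integers, bare words.
_TOKEN = re.compile(
    r'\s*(?:(\()|(\))|"([^"]*)"|(\d{1,3}(?:\.\d{1,3}){3})|(-?\d+)|([A-Za-z_][\w.]*))'
)
_KINDS = ("LP", "RP", "STR", "STR", "INT", "WORD")

_CMP = {"eq": operator.eq, "ne": operator.ne, "lt": operator.lt,
        "le": operator.le, "gt": operator.gt, "ge": operator.ge}


def tokenize(expr):
    """Turn an expression string into (kind, value) tuples."""
    tokens, pos, expr = [], 0, expr.strip()
    while pos < len(expr):
        m = _TOKEN.match(expr, pos)
        if not m:
            raise ValueError(f"unexpected input at {pos}: {expr[pos:]!r}")
        pos = m.end()
        idx = next(i for i, g in enumerate(m.groups()) if g is not None)
        value = int(m.group(idx + 1)) if _KINDS[idx] == "INT" else m.group(idx + 1)
        tokens.append((_KINDS[idx], value))
    return tokens


class _Parser:
    """Recursive descent, lowest precedence first: or < and < not < comparison."""

    def __init__(self, tokens):
        self.toks, self.i = tokens, 0

    def _peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else ("EOF", None)

    def _take(self, kind=None):
        tok = self._peek()
        if kind is not None and tok[0] != kind:
            raise ValueError(f"expected {kind}, got {tok}")
        self.i += 1
        return tok

    def parse(self):
        node = self._or()
        if self._peek()[0] != "EOF":
            raise ValueError(f"trailing tokens: {self.toks[self.i:]}")
        return node

    def _or(self):
        node = self._and()
        while self._peek() == ("WORD", "or"):
            self._take()
            node = ("or", node, self._and())
        return node

    def _and(self):
        node = self._not()
        while self._peek() == ("WORD", "and"):
            self._take()
            node = ("and", node, self._not())
        return node

    def _not(self):
        if self._peek() == ("WORD", "not"):
            self._take()
            return ("not", self._not())
        return self._primary()

    def _primary(self):
        if self._peek()[0] == "LP":
            self._take()
            node = self._or()
            self._take("RP")
            return node
        _, field = self._take("WORD")
        _, op = self._take("WORD")
        if op not in _CMP:
            raise ValueError(f"unknown operator {op!r}")
        kind, value = self._take()
        if kind not in ("INT", "STR"):
            raise ValueError(f"expected a literal after {op}, got {kind}")
        return ("cmp", op, field, value)


def compile_expression(expr):
    return _Parser(tokenize(expr)).parse()


def evaluate(node, request):
    """Evaluate a parsed expression; a field absent from the request never matches."""
    kind = node[0]
    if kind == "cmp":
        _, op, field, value = node
        return field in request and _CMP[op](request[field], value)
    if kind == "not":
        return not evaluate(node[1], request)
    if kind == "and":
        return evaluate(node[1], request) and evaluate(node[2], request)
    if kind == "or":
        return evaluate(node[1], request) or evaluate(node[2], request)
    raise ValueError(f"unknown node {kind!r}")


# Constructed rule list in evaluation order; the first matching rule wins.
RULES = [
    ("monitoring-skip", "ip.src eq 203.0.113.10", "allow"),  # constructed monitor address
    ("login-score", '(http.request.uri.path eq "/login" and cf.bot_management.score gt 40)', "challenge"),
    ("global-score", "(cf.bot_management.score gt 30)", "challenge"),
]
COMPILED = [(name, compile_expression(expr), action) for name, expr, action in RULES]


def decide(request, rules=COMPILED, default="allow"):
    """Return (rule name, action) of the first matching rule, or (None, default)."""
    for name, node, action in rules:
        if evaluate(node, request):
            return name, action
    return None, default
```

The position of the monitoring exemption matters: placed first, a request from 203.0.113.10 is allowed whatever its score; placed after the score rules, your own monitor would be challenged like any other high-scoring client, which is the "trusted IPs" mistake from the table further down. A field missing from the request never matches, so a request that carries no score falls through to the default action rather than being challenged by accident.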
API: Query Bot Analytics
```bash
curl -X GET "https://api.cloudflare.com/client/v4/zones/ZONE_ID/bot_management" \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -H "Content-Type: application/json"
```
Expected output:
```json
{
  "result": {
    "enable_js": true,
    "fight_mode": true,
    "using_latest_model": true
  },
  "success": true
}
```
Python: Monitor Bot Scores in Real Time
```python
import os
import time

import requests

ZONE_ID = os.environ["CLOUDFLARE_ZONE_ID"]
TOKEN = os.environ["CLOUDFLARE_API_TOKEN"]
URL = f"https://api.cloudflare.com/client/v4/zones/{ZONE_ID}/analytics/dashboard"
headers = {"Authorization": f"Bearer {TOKEN}", "Content-Type": "application/json"}

while True:
    # A timeout keeps the loop from hanging on a stalled connection.
    resp = requests.get(URL, headers=headers, timeout=30)
    resp.raise_for_status()
    data = resp.json()
    if not data.get("success"):
        raise RuntimeError(f"Cloudflare API error: {data.get('errors')}")
    totals = data["result"]["totals"]
    bot_req = totals.get("bot", {}).get("total", 0)
    # Fall back to 1 so a zone with no traffic does not divide by zero.
    total_req = totals.get("all", {}).get("total", 0) or 1
    pct = (bot_req / total_req) * 100
    print(f"Bot traffic: {bot_req}/{total_req} ({pct:.1f}%)")
    time.sleep(60)
```
Expected output:
```text
Bot traffic: 1542/12000 (12.9%)
Bot traffic: 1588/12100 (13.1%)
```
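The loop above prints one running ratio. The following added Python example (not from the page or from Cloudflare) does the hourly grouping and 20% threshold alert that the Challenge section further down asks for, over a constructed 15-minute sample standing in for the API response. The record shape (timestamp, bot requests, total requests) is an assumption about how you would flatten the analytics result before feeding it in.

```python
"""Hourly bot-traffic share with a threshold alert.

Added example, not Cloudflare's code: it works on (timestamp, bot_requests,
total_requests) tuples that you would fill from the analytics API, and uses a
constructed 15-minute sample so it runs offline.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample: (ISO-8601 UTC timestamp, bot requests, total requests) per 15 minutes.
SAMPLE = [
    ("2024-05-01T00:00:00Z", 120, 1000),
    ("2024-05-01T00:15:00Z", 130, 1100),
    ("2024-05-01T00:30:00Z", 90, 900),
    ("2024-05-01T00:45:00Z", 160, 1000),   # hour 00: 500 / 4000 = 12.5 %
    ("2024-05-01T01:00:00Z", 400, 1200),
    ("2024-05-01T01:15:00Z", 500, 1300),
    ("2024-05-01T01:30:00Z", 450, 1250),
    ("2024-05-01T01:45:00Z", 650, 1250),   # hour 01: 2000 / 5000 = 40.0 %
    ("2024-05-01T02:00:00Z", 0, 0),        # an empty interval must not divide by zero
    ("2024-05-01T02:30:00Z", 50, 250),     # hour 02: 50 / 250 = 20.0 %, exactly at threshold
]


def hour_bucket(ts):
    """Truncate an ISO-8601 UTC timestamp to its hour, returned as 'YYYY-MM-DDTHH:00Z'."""
    dt = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:00Z")


def hourly_bot_share(records):
    """Return {hour: (bot, total, percent)} in hour order; percent is 0.0 for empty hours."""
    sums = defaultdict(lambda: [0, 0])
    for ts, bot, total in records:
        bucket = sums[hour_bucket(ts)]
        bucket[0] += bot
        bucket[1] += total
    return {
        hour: (bot, total, round(100.0 * bot / total, 1) if total else 0.0)
        for hour, (bot, total) in sorted(sums.items())
    }


def threshold_alerts(shares, threshold=20.0):
    """Hours whose bot share strictly exceeds the threshold, oldest first."""
    return [(hour, pct) for hour, (_bot, _total, pct) in shares.items() if pct > threshold]


def report(records, threshold=20.0):
    """Print one line per hour, flag hours above the threshold, and return the alerts."""
    shares = hourly_bot_share(records)
    alerts = threshold_alerts(shares, threshold)
    for hour, (bot, total, pct) in shares.items():
        flag = "  ALERT" if pct > threshold else ""
        print(f"{hour}  bot {bot:>5}/{total:<5} ({pct:4.1f}%){flag}")
    return alerts


if __name__ == "__main__":
    report(SAMPLE)
```

Two edge cases are handled on purpose: an hour with no traffic reports 0.0% instead of raising ZeroDivisionError, and an hour sitting exactly on the threshold does not alert, so the comparison is strictly "exceeds" as the Challenge wording says.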
Node.js: Create WAF Rule Using Bot Score
```javascript
const fetch = require("node-fetch");

const ZONE_ID = process.env.CLOUDFLARE_ZONE_ID;
const TOKEN = process.env.CLOUDFLARE_API_TOKEN;

async function createBotScoreRule() {
  // The Firewall Rules endpoint takes an array of rules, each carrying its
  // expression under "filter".
  const payload = [
    {
      filter: { expression: "(cf.bot_management.score gt 30)" },
      action: "challenge",
      description: "Challenge traffic with bot score above 30",
    },
  ];
  const resp = await fetch(
    `https://api.cloudflare.com/client/v4/zones/${ZONE_ID}/firewall/rules`,
    {
      method: "POST",
      headers: {
        Authorization: `Bearer ${TOKEN}`,
        "Content-Type": "application/json",
      },
      body: JSON.stringify(payload),
    }
  );
  const data = await resp.json();
  if (!data.success) {
    throw new Error(`Cloudflare API error: ${JSON.stringify(data.errors)}`);
  }
  console.log("Rule created:", data.result[0].id);
}

createBotScoreRule().catch((err) => {
  console.error(err);
  process.exitCode = 1;
});
```
Expected output:
```text
Rule created: 8a7b6c5d4e3f2a1b0c9d8e7f
```
Common Mistakes
| Mistake | Consequence |
|---|---|
| Enabling without testing on staging | Blocks legitimate API clients |
| Not configuring trusted IPs | Blocks your own monitoring tools |
| Using only Bot Fight Mode | Advanced bots bypass JS challenges |
| Ignoring the bot score analytics | No visibility into false positives |
| Not combining with Rate Limiting | Persistent bots retry slowly |
Practice Questions
- What is the bot score range and what does each end represent?
- How does Bot Fight Mode differentiate between human and automated traffic?
- What action should you take for requests with a bot score of 70-90?
Challenge
Build a monitoring dashboard using Python and the Cloudflare Analytics API that displays bot traffic percentages over the last 24 hours, grouped by hour. Include a threshold alert that fires when bot traffic exceeds 20%.
Real-World Task
Your SaaS platform is experiencing credential stuffing attacks. Enable Bot Fight Mode and create a WAF rule that challenges any login request with a bot score above 40. Test with a headless browser and a real browser to confirm the behaviour differs.
Built by the developers of Doda Browser, DodaZIP, and Durga Antivirus Pro — security-first tools for the modern web.