
Bot Fight Mode — Bot Detection and Mitigation

DodaTech 4 min read

In this tutorial you'll learn what Bot Fight Mode is, how it works, and how to apply it, with key concepts, practical examples, and best practices.

Cloudflare Bot Fight Mode uses a combination of JavaScript challenges, rate limiting, and machine learning to detect and block automated bot traffic while letting legitimate users through without friction.

What You Will Learn

You will learn how Bot Fight Mode differs from simple User-Agent blocking, how to enable and tune it, and how to combine it with WAF rules and rate limiting for comprehensive bot management.

Why It Matters

Malicious bots consume bandwidth, skew analytics, perform credential stuffing, and scrape content. Bot Fight Mode stops the majority of automated threats at the edge without requiring complex rule configuration.

Real-World Use Case

An online ticket marketplace was losing inventory to scalper bots that purchased tickets within seconds of release. Enabling Bot Fight Mode with JavaScript challenges added a 5-second delay to automated purchases while real users completed the challenge seamlessly, reducing scalper success by 85%.

How Bot Fight Mode Works

When enabled, Cloudflare presents a JavaScript challenge to requests it suspects are automated. Browsers execute the JS and pass automatically. Script-based bots that cannot execute JS receive a 403 or are delayed until they time out.

flowchart LR
  A[Visitor Request] --> B{Bot Score Check}
  B -->|High Score > 30| C[JS Challenge]
  B -->|Low Score < 30| D[Pass to Origin]
  B -->|Known Bad IP| E[Block]
  C --> F{JS Executed?}
  F -->|Yes| D
  F -->|No / Timeout| E

Enabling Bot Fight Mode

  1. Go to Security > Bots in your Cloudflare dashboard.
  2. Toggle Bot Fight Mode to On.
  3. Optionally configure Bot Score monitoring under Analytics.
  4. Review blocked traffic after 24 hours to validate.

Bot scores range from 1 (definitely human) to 99 (definitely automated). You can create custom WAF rules that use the cf.bot_management.score field to take different actions based on the score.
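Before pushing a score-based rule to production (see "Enabling without testing on staging" under Common Mistakes), it helps to dry-run the expression against representative requests. The following evaluator is an added example, not Cloudflare's rule engine or the page's own code: it parses the subset of the rule language that bot-score rules use (and/or/not, parentheses, eq ne lt le gt ge contains, integer and string literals, dotted field names) and walks a rule list in order, returning the first matching action. The rule set and request values are constructed for illustration; the thresholds (30 and 40) and the API-path exemption come from this page. Treating a "skip" match as terminating for the request is a simplification of Cloudflare's real phase semantics.

```python
"""Dry-run evaluator for bot-score rule expressions (added example, not Cloudflare code)."""
import operator
import re

KEYWORDS = {"and", "or", "not"}
COMPARATORS = {
    "eq": operator.eq, "ne": operator.ne, "lt": operator.lt,
    "le": operator.le, "gt": operator.gt, "ge": operator.ge,
    "contains": lambda value, needle: isinstance(value, str) and needle in value,
}
# One token per match: ( ) "string" integer identifier-or-keyword; leading whitespace skipped.
TOKEN_RE = re.compile(r'\s*(?:(\()|(\))|"([^"]*)"|(\d+)|([A-Za-z_][\w.]*))')


def tokenize(expression):
    """Turn expression text into (kind, value) pairs; anything unknown is an error."""
    tokens, pos, text = [], 0, expression.strip()
    while pos < len(text):
        m = TOKEN_RE.match(text, pos)
        if m is None:
            raise ValueError(f"unexpected character at offset {pos}: {text[pos:]!r}")
        pos = m.end()
        lparen, rparen, string, number, word = m.groups()
        if lparen or rparen:
            tokens.append(("paren", lparen or rparen))
        elif string is not None:
            tokens.append(("str", string))
        elif number is not None:
            tokens.append(("int", int(number)))
        elif word in KEYWORDS or word in COMPARATORS:
            tokens.append(("kw", word))
        else:
            tokens.append(("field", word))          # e.g. cf.bot_management.score
    return tokens


class Parser:
    """Recursive-descent parser; precedence (low to high): or, and, not, atom."""

    def __init__(self, tokens):
        self.toks, self.i = tokens, 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)

    def take(self):
        if self.i >= len(self.toks):
            raise ValueError("unexpected end of expression")
        tok = self.toks[self.i]
        self.i += 1
        return tok

    def parse(self):
        node = self.or_expr()
        if self.i != len(self.toks):
            raise ValueError(f"trailing tokens: {self.toks[self.i:]}")
        return node

    def or_expr(self):
        node = self.and_expr()
        while self.peek() == ("kw", "or"):
            self.take()
            node = ("or", node, self.and_expr())
        return node

    def and_expr(self):
        node = self.not_expr()
        while self.peek() == ("kw", "and"):
            self.take()
            node = ("and", node, self.not_expr())
        return node

    def not_expr(self):
        if self.peek() == ("kw", "not"):
            self.take()
            return ("not", self.not_expr())
        return self.atom()

    def atom(self):
        kind, value = self.take()
        if kind == "paren" and value == "(":
            node = self.or_expr()
            if self.take() != ("paren", ")"):
                raise ValueError("expected ')'")
            return node
        if kind != "field":
            raise ValueError(f"expected a field name, got {value!r}")
        op_kind, op = self.take()
        if op_kind != "kw" or op not in COMPARATORS:
            raise ValueError(f"expected a comparison operator after {value}, got {op!r}")
        lit_kind, literal = self.take()
        if lit_kind not in ("int", "str"):
            raise ValueError(f"expected a literal after {op}, got {literal!r}")
        return ("cmp", op, value, literal)


def parse(expression):
    return Parser(tokenize(expression)).parse()


def evaluate(node, request):
    """Evaluate a parsed expression against a dict of field values; unknown fields never match."""
    kind = node[0]
    if kind == "or":
        return evaluate(node[1], request) or evaluate(node[2], request)
    if kind == "and":
        return evaluate(node[1], request) and evaluate(node[2], request)
    if kind == "not":
        return not evaluate(node[1], request)
    _, op, field, literal = node
    if field not in request or not isinstance(request[field], type(literal)):
        return False                               # missing field or type mismatch: no match
    return COMPARATORS[op](request[field], literal)


def first_matching_action(rules, request):
    """Return the action of the first rule (in list order) that matches, or None for pass."""
    for rule in rules:
        if evaluate(parse(rule["expression"]), request):
            return rule["action"]
    return None


# Constructed rule set and sample requests (hypothetical values, not from any real zone).
RULES = [
    {"action": "skip", "expression": '(http.request.uri.path contains "/api/")'},
    {"action": "challenge",
     "expression": '(http.request.uri.path eq "/login" and cf.bot_management.score gt 40)'},
    {"action": "challenge", "expression": "(cf.bot_management.score gt 30)"},
]
SAMPLE_REQUESTS = [
    {"http.request.uri.path": "/api/users", "cf.bot_management.score": 90},   # skip
    {"http.request.uri.path": "/login", "cf.bot_management.score": 72},       # challenge
    {"http.request.uri.path": "/login", "cf.bot_management.score": 35},       # challenge (rule 3)
    {"http.request.uri.path": "/", "cf.bot_management.score": 10},            # pass
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        action = first_matching_action(RULES, req) or "pass"
        print(f'{req["http.request.uri.path"]:<12} score={req["cf.bot_management.score"]:>3} -> {action}')
```

Run it as-is to see which action each constructed request would receive; swap in your own rule list and a handful of requests captured from staging logs to check that monitoring clients and API consumers land on "skip" or "pass" rather than "challenge".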

API: Query Bot Analytics

curl -X GET "https://api.cloudflare.com/client/v4/zones/ZONE_ID/bot_management" \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -H "Content-Type: application/json"

Expected output:

{
  "result": {
    "enable_js": true,
    "fight_mode": true,
    "using_latest_model": true
  },
  "success": true
}

Python: Monitor Bot Scores in Real Time

import os
import time

import requests

ZONE_ID = os.environ["CLOUDFLARE_ZONE_ID"]
TOKEN = os.environ["CLOUDFLARE_API_TOKEN"]
URL = f"https://api.cloudflare.com/client/v4/zones/{ZONE_ID}/analytics/dashboard"

headers = {"Authorization": f"Bearer {TOKEN}", "Content-Type": "application/json"}

while True:
    # A timeout keeps a stalled connection from hanging the monitor forever.
    resp = requests.get(URL, headers=headers, timeout=30)
    resp.raise_for_status()
    data = resp.json()
    if not data.get("success"):
        # Surface the API's own error list (bad token, missing permission) instead of a KeyError.
        raise RuntimeError(f"Cloudflare API error: {data.get('errors')}")
    totals = data["result"]["totals"]
    bot_req = totals.get("bot", {}).get("total", 0)
    total_req = totals.get("all", {}).get("total", 0)
    # A zone with no traffic in the window reports 0%, rather than dividing by zero.
    pct = (bot_req / total_req) * 100 if total_req else 0.0
    print(f"Bot traffic: {bot_req}/{total_req} ({pct:.1f}%)")
    time.sleep(60)  # poll once a minute

Expected output:

Bot traffic: 1542/12000 (12.9%)
Bot traffic: 1588/12100 (13.1%)

Node.js: Create WAF Rule Using Bot Score

// Node 18+ ships a global fetch; older runtimes need `npm install node-fetch`.
const fetch = globalThis.fetch ?? require("node-fetch");

const ZONE_ID = process.env.CLOUDFLARE_ZONE_ID;
const TOKEN = process.env.CLOUDFLARE_API_TOKEN;

async function createBotScoreRule() {
  // The (legacy) Firewall Rules endpoint takes an array of rules, each carrying
  // its expression inside a `filter` object rather than at the top level.
  const payload = [
    {
      action: "challenge",
      filter: { expression: "(cf.bot_management.score gt 30)" },
      description: "Challenge traffic with bot score above 30",
    },
  ];

  const resp = await fetch(
    `https://api.cloudflare.com/client/v4/zones/${ZONE_ID}/firewall/rules`,
    {
      method: "POST",
      headers: {
        Authorization: `Bearer ${TOKEN}`,
        "Content-Type": "application/json",
      },
      body: JSON.stringify(payload),
    }
  );

  const data = await resp.json();
  if (!resp.ok || !data.success) {
    // Surface the API's own error list instead of crashing on a missing result.
    throw new Error(`Rule creation failed: ${JSON.stringify(data.errors)}`);
  }
  // The result is an array with one entry per rule created.
  const [rule] = data.result;
  console.log("Rule created:", rule.id);
}

createBotScoreRule().catch((err) => {
  console.error(err.message);
  process.exit(1);
});

Expected output:

Rule created: 8a7b6c5d4e3f2a1b0c9d8e7f

Common Mistakes

Mistake                               | Consequence
--------------------------------------|------------------------------------
Enabling without testing on staging   | Blocks legitimate API clients
Not configuring trusted IPs           | Blocks your own monitoring tools
Using only Bot Fight Mode             | Advanced bots bypass JS challenges
Ignoring the bot score analytics      | No visibility into false positives
Not combining with Rate Limiting      | Persistent bots retry slowly

Practice Questions

  1. What is the bot score range and what does each end represent?
  2. How does Bot Fight Mode differentiate between human and automated traffic?
  3. What action should you take for requests with a bot score of 70-90?

Challenge

Build a monitoring dashboard using Python and the Cloudflare Analytics API that displays bot traffic percentages over the last 24 hours, grouped by hour. Include a threshold alert that fires when bot traffic exceeds 20%.
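A starting point for the aggregation and alerting half of this challenge, added here as an example (it is not the page's code and does not call the Cloudflare API): it takes samples of the kind the polling loop above collects, as constructed (timestamp, bot_requests, all_requests) tuples, groups them by UTC hour, computes the bot share, and fires an alert only for hours above the threshold that also carry enough traffic to be meaningful. The minimum-request floor is an assumption added so that an hour with five requests and two bots does not page anyone at 3 a.m.; the 20% threshold is the one the challenge specifies.

```python
"""Hourly bot-traffic summary with a threshold alert (added example, offline, constructed data)."""
from collections import defaultdict
from datetime import datetime, timezone

ALERT_THRESHOLD_PCT = 20.0   # from the challenge text
MIN_REQUESTS_PER_HOUR = 100  # assumed floor: hours with less traffic are too noisy to alert on


def hourly_bot_share(samples):
    """Group (iso_timestamp, bot_requests, all_requests) samples by UTC hour.

    Returns {hour_iso: (bot, total, percent)} in chronological order; an hour with no
    traffic reports 0.0% instead of raising ZeroDivisionError.
    """
    buckets = defaultdict(lambda: [0, 0])
    for timestamp, bot, total in samples:
        hour = (datetime.fromisoformat(timestamp)
                .astimezone(timezone.utc)
                .replace(minute=0, second=0, microsecond=0))
        buckets[hour][0] += bot
        buckets[hour][1] += total
    summary = {}
    for hour in sorted(buckets):
        bot, total = buckets[hour]
        pct = round(bot / total * 100, 1) if total else 0.0
        summary[hour.isoformat()] = (bot, total, pct)
    return summary


def alerts(summary, threshold_pct=ALERT_THRESHOLD_PCT, min_requests=MIN_REQUESTS_PER_HOUR):
    """Hours whose bot share is strictly above the threshold and whose volume is above the floor."""
    return [hour for hour, (_, total, pct) in summary.items()
            if total >= min_requests and pct > threshold_pct]


# Constructed samples, as a minute-by-minute poller might have recorded them.
SAMPLES = [
    ("2024-05-01T10:05:00+00:00", 120, 1000),
    ("2024-05-01T10:35:00+00:00", 130, 1100),   # hour 10: 250/2100 = 11.9%
    ("2024-05-01T11:02:00+00:00", 600, 1500),
    ("2024-05-01T11:40:00+00:00", 400, 1200),   # hour 11: 1000/2700 = 37.0% -> alert
    ("2024-05-01T12:10:00+00:00", 0, 0),        # hour 12: nothing recorded
    ("2024-05-01T13:20:00+00:00", 2, 5),        # hour 13: 40% but far below the volume floor
]

if __name__ == "__main__":
    summary = hourly_bot_share(SAMPLES)
    for hour, (bot, total, pct) in summary.items():
        print(f"{hour}  bot={bot:>5} total={total:>5}  {pct:5.1f}%")
    for hour in alerts(summary):
        print(f"ALERT: bot traffic exceeded {ALERT_THRESHOLD_PCT}% during {hour}")
```

To finish the challenge, replace SAMPLES with the last 24 hours of polled values and render the summary; the alert list is what you would hand to your notification channel.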

Real-World Task

Your SaaS platform is experiencing credential stuffing attacks. Enable Bot Fight Mode and create a WAF rule that challenges any login request with a bot score above 40. Test with a headless browser and a real browser to confirm the behaviour differs.

FAQ

Does Bot Fight Mode work with single-page applications?

Yes. Bot Fight Mode uses a lightweight JS challenge that works with modern SPA frameworks like React and Vue. The challenge executes before the application loads and does not interfere with client-side routing or state management.

Can I whitelist specific bots like Googlebot?

Cloudflare automatically whitelists verified search engine crawlers. Bot Fight Mode recognises Googlebot, Bingbot, and other legitimate crawlers by their IPs and User-Agent patterns, so they pass without challenge. You can also add custom trusted IPs in the Bots settings.

What happens to API traffic when Bot Fight Mode is on?

API requests that do not include a browser User-Agent are likely to receive challenges. For API endpoints, either disable Bot Fight Mode for specific paths using a WAF skip rule or ensure your API clients can handle Cloudflare JS challenges by using the appropriate SDK.


Built by the developers of Doda Browser, DodaZIP, and Durga Antivirus Pro — security-first tools for the modern web.