
Browser Integrity Check — Block Malicious Browsers

DodaTech

Cloudflare Browser Integrity Check evaluates every request against known browser behaviour patterns, blocking traffic from compromised or headless clients that fail to send valid browser headers.

What You Will Learn

You will learn how Browser Integrity Check identifies non-browser clients, how to configure it alongside WAF rules, and how to exclude specific paths for API clients that need raw HTTP access.

Why It Matters

Headless browsers, scraper frameworks, and compromised machines often omit or send invalid HTTP headers. Browser Integrity Check catches these at the edge with zero configuration beyond toggling the feature on.

Real-World Use Case

A news publication was being scraped by a headless Chrome instance running on AWS. Enabling Browser Integrity Check blocked the scraper because the request headers did not match expected browser fingerprint patterns, while legitimate readers on desktop and mobile continued unaffected.

How Browser Integrity Check Works

Cloudflare checks that incoming requests contain expected browser headers (Accept, Accept-Encoding, Accept-Language, User-Agent) in the correct order and format. Clients that deviate from standard browser patterns receive a 403 response.

flowchart LR
  A[Incoming Request] --> B{Parse HTTP Headers}
  B -->|Missing/Invalid Headers| C[Block 403]
  B -->|Valid Browser Headers| D{Additional Checks}
  D -->|Normal Browser| E[Pass to Origin]
  D -->|Suspicious Fingerprint| C
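As an added illustration (this is not Cloudflare's implementation, whose exact rules are not public), here is a simplified Python model of the flowchart above: it applies the presence, format and plausibility checks this section describes to a few constructed header sets and returns the 403/200 decision with a reason. The sample clients and the regular expressions are assumptions made for the example.

```python
import re

# Header names a desktop browser always sends (the set the article lists).
REQUIRED = ("user-agent", "accept", "accept-encoding", "accept-language")
MEDIA_RANGE = r"[\w*+.-]+/[\w*+.-]+(\s*;\s*[\w-]+=[^,;]*)*"
ACCEPT_RE = re.compile(rf"^\s*{MEDIA_RANGE}(\s*,\s*{MEDIA_RANGE})*\s*$")
LANG_TAG = r"[A-Za-z*]{1,8}(-[A-Za-z0-9]{1,8})*(\s*;\s*q=[01](\.\d{1,3})?)?"
LANG_RE = re.compile(rf"^\s*{LANG_TAG}(\s*,\s*{LANG_TAG})*\s*$")

def integrity_check(headers):
    """Model decision for one request: (status, reason). 403 mirrors the article's block path."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    missing = [name for name in REQUIRED if not h.get(name)]
    if missing:
        return 403, "missing: " + ", ".join(missing)
    # Browsers send a Mozilla/5.0 product token followed by a parenthesised platform string.
    if not re.match(r"^Mozilla/5\.0 \(.+\)", h["user-agent"]):
        return 403, "non-browser user-agent"
    if not ACCEPT_RE.match(h["accept"]):
        return 403, "malformed accept"
    if not LANG_RE.match(h["accept-language"]):
        return 403, "malformed accept-language"
    # Every modern browser advertises at least one compression scheme.
    encodings = {e.split(";")[0].strip().lower() for e in h["accept-encoding"].split(",")}
    if not encodings & {"gzip", "deflate", "br", "zstd"}:
        return 403, "no compression encodings"
    return 200, "ok"

# Constructed sample header sets (hypothetical clients, not captured traffic).
SAMPLES = {
    "desktop browser": {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36",
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
        "Accept-Language": "en-US,en;q=0.5",
        "Accept-Encoding": "gzip, deflate, br",
    },
    "bare curl": {"User-Agent": "curl/8.4.0", "Accept": "*/*"},
    "python-requests default": {"User-Agent": "python-requests/2.31.0", "Accept": "*/*",
                                "Accept-Encoding": "gzip, deflate"},
    "malformed language tag": {
        "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36",
        "Accept": "text/html,*/*;q=0.8", "Accept-Language": "en_US",
        "Accept-Encoding": "gzip, deflate",
    },
}

def run_samples():
    """Evaluate every constructed sample; returns {name: (status, reason)}."""
    return {name: integrity_check(hdrs) for name, hdrs in SAMPLES.items()}
```

Only the full desktop set passes; the other three are rejected at different stages, which is the behaviour the curl test later in the article relies on.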

Enabling Browser Integrity Check

  1. Go to Security > Settings in your Cloudflare dashboard.
  2. Locate Browser Integrity Check.
  3. Toggle the switch to On.
  4. Test by visiting your site from a regular browser and from curl.

A curl request to a site with Browser Integrity Check enabled:

curl -I https://example.com/

Expected output:

HTTP/2 403
server: cloudflare
cf-ray: 123abc

A browser request succeeds normally and returns 200.

API: Enable and Query Status

# Check current status
curl -X GET "https://api.cloudflare.com/client/v4/zones/ZONE_ID/settings/browser_check" \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"

# Enable the feature
curl -X PATCH "https://api.cloudflare.com/client/v4/zones/ZONE_ID/settings/browser_check" \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -H "Content-Type: application/json" \
  --data '{"value": "on"}'

Expected output for PATCH:

{
  "result": {
    "id": "browser_check",
    "value": "on",
    "modified_on": "2026-06-23T10:00:00Z"
  },
  "success": true
}

Python: Test Browser Integrity with Requests

import requests

url = "https://example.com/"

# Only the requests library's default headers (User-Agent: python-requests/x.y,
# Accept: */*, no Accept-Language): expected to be blocked
resp = requests.get(url, timeout=10)
print(f"No headers: {resp.status_code}")

# Full browser-style header set: expected to pass
headers = {
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36",
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
    "Accept-Language": "en-US,en;q=0.5",
    "Accept-Encoding": "gzip, deflate, br",
}
resp2 = requests.get(url, headers=headers, timeout=10)
print(f"Browser headers: {resp2.status_code}")

Expected output:

No headers: 403
Browser headers: 200

Excluding API Paths with WAF Skip Rules

When Browser Integrity Check blocks legitimate API clients, create a custom rule with the skip action in the http_request_firewall_custom phase. The product identifier for Browser Integrity Check in action_parameters.products is bic:

curl -X POST "https://api.cloudflare.com/client/v4/zones/ZONE_ID/rulesets/phases/http_request_firewall_custom/entrypoint/rules" \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -H "Content-Type: application/json" \
  --data '{
    "action": "skip",
    "action_parameters": {
      "products": ["bic"]
    },
    "expression": "starts_with(http.request.uri.path, \"/api/\")",
    "description": "Skip browser integrity check for API paths"
  }'

Expected output (abbreviated; the response is the updated entry point ruleset with the new rule in its rules array):

{
  "result": {
    "id": "RULESET_ID",
    "phase": "http_request_firewall_custom",
    "rules": [
      {"id": "RULE_ID", "action": "skip", "action_parameters": {"products": ["bic"]}}
    ]
  },
  "success": true
}

Common Mistakes

Mistake                             Consequence
----------------------------------  ------------------------------------------
Enabling without API exceptions     All API clients blocked (403)
Not testing with monitoring tools   Your uptime checker gets blocked
Confusing with Bot Fight Mode       Different features; both may be needed
Leaving disabled on login pages     Brute-force tools bypass the check
Not monitoring Security Events      No visibility into false positives

Practice Questions

  1. What HTTP header combinations does Browser Integrity Check validate?
  2. How do you exclude your API paths from Browser Integrity Check?
  3. Why does a simple curl request get blocked when Browser Integrity Check is on?

Challenge

Write a script that sends requests with progressively more complete browser headers, recording at what point Browser Integrity Check allows the request through. Document the minimum required header set for Python and Node.js clients.

Real-World Task

Your mobile app communicates with a backend API at /api/v2/*. Browser Integrity Check is blocking all app traffic. Create a WAF skip rule that disables the check for API paths while keeping it active for all web pages. Verify with curl tests.
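For the task above, an added Python verifier (not part of the original article and not Cloudflare tooling) that runs the curl-style checks as a matrix against a zone where Browser Integrity Check is on and the /api/v2/ skip rule is in place. The base URL, the /api/v2/health probe path and the /login control path are assumptions; the send parameter lets the same matrix run against a simulated zone without network access.

```python
import urllib.error
import urllib.request

# Full browser-style header set (the one from the article's Python example).
BROWSER_HEADERS = {
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36",
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
    "Accept-Language": "en-US,en;q=0.5",
    "Accept-Encoding": "gzip, deflate, br",
}

def http_status(url, headers, timeout=10):
    """GET url with the given headers (plus urllib's minimal defaults) and return the status code."""
    req = urllib.request.Request(url, headers=headers, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # 403 and friends are results here, not failures

def build_matrix(base_url, api_prefix="/api/v2/"):
    """Cases a correct skip rule must satisfy: (url, headers, expected outcome)."""
    return [
        (base_url + "/", {}, "blocked"),                    # bare client on a web page
        (base_url + "/", BROWSER_HEADERS, "allowed"),       # browser on a web page
        (base_url + api_prefix + "health", {}, "allowed"),  # bare client on the API prefix
        (base_url + "/login", {}, "blocked"),               # skip must not leak to other paths
    ]

def verify_skip_rule(base_url, send=http_status):
    """Run the matrix; returns a list of (url, expected, status, passed)."""
    results = []
    for url, headers, expected in build_matrix(base_url):
        status = send(url, headers)
        # Only a 403 is attributed to Browser Integrity Check; any other status means the
        # request reached the origin (a 404 on the probe path still counts as "allowed").
        observed = "blocked" if status == 403 else "allowed"
        results.append((url, expected, status, observed == expected))
    return results

def all_passed(results):
    return all(ok for _, _, _, ok in results)

if __name__ == "__main__":
    for url, expected, status, ok in verify_skip_rule("https://example.com"):
        print(f"{'PASS' if ok else 'FAIL'} {url} expected={expected} got={status}")
```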

FAQ

Does Browser Integrity Check use JavaScript?

No. Browser Integrity Check is purely header-based. It does not execute JavaScript or present challenges. It inspects the HTTP headers that every browser naturally sends and compares them against known valid patterns. This makes it faster than JS-based bot detection.

Can Browser Integrity Check block mobile app traffic?

Yes — mobile apps using custom HTTP libraries often send minimal headers. You need to either add proper browser-like headers to your app's HTTP client, or create a WAF skip rule to exclude your API paths from the check.

What is the difference between Browser Integrity Check and Security Level?

Browser Integrity Check blocks based on header validity — whether the client presents valid browser headers at all. Security Level challenges based on IP reputation — whether the client's IP is known for bad behaviour. They work independently and complement each other.


Built by the developers of Doda Browser, DodaZIP, and Durga Antivirus Pro — security-first tools for the modern web.
