Browser Integrity Check — Block Malicious Browsers
Cloudflare Browser Integrity Check evaluates every request against known browser behaviour patterns, blocking traffic from compromised or headless clients that fail to send valid browser headers.
What You Will Learn
You will learn how Browser Integrity Check identifies non-browser clients, how to configure it alongside WAF rules, and how to exclude specific paths for API clients that need raw HTTP access.
Why It Matters
Headless browsers, scraper frameworks, and compromised machines often omit or send invalid HTTP headers. Browser Integrity Check catches these at the edge with zero configuration beyond toggling the feature on.
Real-World Use Case
A news publication was being scraped by a headless Chrome instance running on AWS. Enabling Browser Integrity Check blocked the scraper because the request headers did not match expected browser fingerprint patterns, while legitimate readers on desktop and mobile continued unaffected.
How Browser Integrity Check Works
Cloudflare checks that incoming requests contain expected browser headers (Accept, Accept-Encoding, Accept-Language, User-Agent) in the correct order and format. Clients that deviate from standard browser patterns receive a 403 response.
```mermaid
flowchart LR
    A[Incoming Request] --> B{Parse HTTP Headers}
    B -->|Missing/Invalid Headers| C[Block 403]
    B -->|Valid Browser Headers| D{Additional Checks}
    D -->|Normal Browser| E[Pass to Origin]
    D -->|Suspicious Fingerprint| C
```
Enabling Browser Integrity Check
- Go to Security > Settings in your Cloudflare dashboard.
- Locate Browser Integrity Check.
- Toggle the switch to On.
- Test by visiting your site from a regular browser and from curl.
A curl request to a site with Browser Integrity Check enabled:
```bash
curl -I https://example.com/
```
Expected output:
```
HTTP/2 403
server: cloudflare
cf-ray: 123abc
```
A browser request succeeds normally and returns 200.
API: Enable and Query Status
```bash
# Check current status
curl -X GET "https://api.cloudflare.com/client/v4/zones/ZONE_ID/settings/browser_check" \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"

# Enable the feature
curl -X PATCH "https://api.cloudflare.com/client/v4/zones/ZONE_ID/settings/browser_check" \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -H "Content-Type: application/json" \
  --data '{"value": "on"}'
```
Expected output for PATCH:
```json
{
  "result": {
    "id": "browser_check",
    "value": "on",
    "modified_on": "2026-06-23T10:00:00Z"
  },
  "success": true
}
```
Python: Test Browser Integrity with Requests
```python
import requests

url = "https://example.com/"

# No browser headers set: requests sends only its own defaults
# (a python-requests User-Agent and Accept: */*), so this should be blocked
resp = requests.get(url, timeout=10)
print(f"No headers: {resp.status_code}")

# With browser headers — should pass
headers = {
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36",
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
    "Accept-Language": "en-US,en;q=0.5",
    "Accept-Encoding": "gzip, deflate, br",
}
resp2 = requests.get(url, headers=headers, timeout=10)
print(f"Browser headers: {resp2.status_code}")
```
Expected output:
```
No headers: 403
Browser headers: 200
```
Excluding API Paths with WAF Skip Rules
When Browser Integrity Check blocks legitimate API clients, create a skip rule:
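```bash
# RULESET_ID is a placeholder for the ID of the zone's custom rules
# (http_request_firewall_custom phase) entry point ruleset.
# Browser Integrity Check is skipped as a security product ("bic"), not as a ruleset.
curl -X POST "https://api.cloudflare.com/client/v4/zones/ZONE_ID/rulesets/RULESET_ID/rules" \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -H "Content-Type: application/json" \
  --data '{
    "action": "skip",
    "action_parameters": {
      "products": ["bic"]
    },
    "expression": "starts_with(http.request.uri.path, \"/api/\")",
    "description": "Skip browser integrity check for API paths"
  }'
```
Expected output (abridged; the API returns the updated ruleset with the new rule in its `rules` array):
```json
{
  "result": {
    "id": "RULESET_ID",
    "rules": [
      {"id": "rule_id", "action": "skip"}
    ]
  },
  "success": true
}
```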
Common Mistakes
| Mistake | Consequence |
|---|---|
| Enabling without API exceptions | All API clients blocked (403) |
| Not testing with monitoring tools | Your uptime checker gets blocked |
| Confusing with Bot Fight Mode | Different features — both may be needed |
| Leaving disabled on login pages | Brute force tools bypass check |
| Not monitoring Security Events | No visibility into false positives |
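
The Security Events review in the last row can be scripted. The following is an added example, not part of the original page or Cloudflare's tooling: it groups Browser Integrity Check hits by path prefix and user agent so that API and monitoring traffic stands out before a skip rule is written. It assumes events exported as NDJSON with the Logpush firewall-event field names `Source`, `ClientRequestPath` and `ClientRequestUserAgent`; the sample records and the `machine_prefixes` default are constructed.

```python
import json
from collections import Counter, defaultdict

# Constructed sample records; field names assumed from Logpush firewall events.
SAMPLE_EVENTS = """\
{"Source": "bic", "ClientRequestPath": "/api/v2/orders", "ClientRequestUserAgent": "ExampleApp/4.2 (Android 14)"}
{"Source": "bic", "ClientRequestPath": "/api/v2/orders?page=2", "ClientRequestUserAgent": "ExampleApp/4.2 (Android 14)"}
{"Source": "bic", "ClientRequestPath": "/api/v2/login", "ClientRequestUserAgent": "ExampleApp/4.2 (Android 14)"}
{"Source": "bic", "ClientRequestPath": "/healthz", "ClientRequestUserAgent": "ExampleUptime/1.0"}
{"Source": "bic", "ClientRequestPath": "/login", "ClientRequestUserAgent": ""}
{"Source": "firewallCustom", "ClientRequestPath": "/admin", "ClientRequestUserAgent": "curl/8.5.0"}
this line is truncated {"Source": "bic"
"""

def bic_events(ndjson_text):
    """Yield events raised by Browser Integrity Check; skip unparsable lines."""
    for line in ndjson_text.splitlines():
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(event, dict) and event.get("Source") == "bic":
            yield event

def path_prefix(path, depth=1):
    """Reduce /api/v2/orders?page=2 to /api/ so hits cluster by site area."""
    path = path.split("?", 1)[0]
    segments = [s for s in path.split("/") if s]
    if len(segments) <= depth:
        return path or "/"
    return "/" + "/".join(segments[:depth]) + "/"

def summarise(ndjson_text, depth=1):
    """Map path prefix -> Counter of user agents that BIC acted on."""
    summary = defaultdict(Counter)
    for event in bic_events(ndjson_text):
        prefix = path_prefix(event.get("ClientRequestPath") or "/", depth)
        summary[prefix][event.get("ClientRequestUserAgent") or "<empty>"] += 1
    return summary

def false_positive_candidates(summary, machine_prefixes=("/api/", "/healthz")):
    """Hit counts on paths that are meant for non-browser clients."""
    return {p: sum(c.values()) for p, c in summary.items() if p.startswith(machine_prefixes)}

if __name__ == "__main__":
    for prefix, agents in sorted(summarise(SAMPLE_EVENTS).items()):
        for agent, hits in agents.most_common():
            print(f"{hits:3d}  {prefix:10s}  {agent}")
```

Hits on `/login` with an empty user agent are the check working as intended; hits on `/api/` from the app's own user agent are the traffic a narrowly scoped skip rule should cover.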
Practice Questions
- What HTTP header combinations does Browser Integrity Check validate?
- How do you exclude your API paths from Browser Integrity Check?
- Why does a simple curl request get blocked when Browser Integrity Check is on?
Challenge
Write a script that sends requests with progressively more complete browser headers, recording at what point Browser Integrity Check allows the request through. Document the minimum required header set for Python and Node.js clients.
Real-World Task
Your mobile app communicates with a backend API at /api/v2/*. Browser Integrity Check is blocking all app traffic. Create a WAF skip rule that disables the check for API paths while keeping it active for all web pages. Verify with curl tests.
Built by the developers of Doda Browser, DodaZIP, and Durga Antivirus Pro — security-first tools for the modern web.