[Use Cases] Solution guide: Stop malicious bots while allowing legitimate traffic #29531
codyanthony850 wants to merge 5 commits into production from
Conversation
This pull request requires reviews from CODEOWNERS as it changes files that match the following patterns:
| Rules that use counting expressions with response codes (such as counting only `401` and `403` responses) require a Business plan or above. On Free and Pro plans, you can create simpler rate limiting rules with IP-based counting. Refer to [Rate limiting rules](/waf/rate-limiting-rules/) for plan availability details. | ||
| ::: | ||
| ## Target bot patterns with WAF rules |
Reviewer comment:
Suggestion: Reduce the number of times we use WAF and call them "security rules".
| If the built-in settings do not cover your needs, create a custom rule: | ||
| 1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/login) and select your account and domain. | ||
| 2. Go to **Security** > **WAF** > **Custom rules**. |
Reviewer comment:
Nav depends on the dashboard nav version (old or new). We commonly use tabs for this purpose.
| If your bot traffic is concentrated from countries where you have no real users, you can combine geographic filters with the rules above. Add `ip.src.country` to your expression to restrict the rule to specific regions. For examples, refer to [Block traffic by geographical location](/waf/custom-rules/use-cases/block-by-geographical-location/). | ||
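Review bot: the geographic paragraph does not say which action the combined rule should take; a country condition also matches legitimate users on VPNs or travelling abroad, so suggest recommending a challenge action rather than Block for `ip.src.country` rules and stating that the country condition should be paired with the rules above (bot score or rate limit) rather than used on its own.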
| ### Rate limit high-frequency paths |
Reviewer comment:
We have a few examples and use cases already in the rate limiting best practices page (could be useful to link there, either to specific sections or to the page).
| You reference the `cf.bot_management.score` field in WAF custom rule expressions to act on these scores. For example, to challenge likely automated traffic on your checkout page: | ||
| ```txt | ||
| (cf.bot_management.score lt 30 and http.request.uri.path eq "/checkout" and not cf.bot_management.verified_bot) |
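Review bot: the example expression does not state its action even though the sentence above promises to "challenge" the traffic; add the action (for example Managed Challenge) next to the expression so readers do not pair it with Block. The section also omits plan availability for `cf.bot_management.score`, which the guide states for rate limiting and Bot Analytics, and `http.request.uri.path eq "/checkout"` is an exact match, so consider a prefix match if the checkout flow spans more than one path.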
| Security Events displays every request that Cloudflare mitigated — blocked, challenged, or flagged. This is where you confirm your rules are working as intended. | ||
| 1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/login) and select your account and domain. | ||
| 2. Go to **Security** > **Events**. |
Reviewer comment:
Exact navigation depends on the dash nav version (old or new).
| 4. Check the top requested paths to find which endpoints receive the most bot traffic. Login pages, API endpoints, and checkout flows are common targets. | ||
| 5. Look for patterns before making changes. Sudden spikes in low-score traffic, specific user agents appearing at high volume, or geographic concentration of requests all indicate bot activity worth investigating. | ||
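Review bot: steps 4 and 5 explain how to spot bot activity but not how to confirm that a specific rule fired, which is what the opening sentence promises; suggest a step that filters Security Events by the rule and by action (Block, Managed Challenge) and that watches the challenge solve rate, since a high solve rate on challenged requests indicates the rule is catching real users rather than bots.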
| :::note[Bot Analytics requires a Pro plan or above] |
Reviewer comment:
Maybe this information should appear at the beginning of the section, before users try to follow the steps?
| Cloudflare classifies bot traffic into categories based on bot scores and verification status. Understanding these categories helps you write rules that target the right traffic. | ||
| **Verified bots** are crawlers and services that Cloudflare has confirmed as legitimate. Googlebot, Bingbot, and uptime monitors fall into this category. Cloudflare maintains a [verified bot list](/bots/concepts/bot/verified-bots/policy/) with strict requirements — each bot must serve a benign purpose, respect `robots.txt`, and crawl with the consent of domain owners. Always allow verified bots through your protections. |
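Review bot: "Always allow verified bots through your protections" should say how: match on `cf.bot_management.verified_bot` (as the checkout rule earlier in the guide does with `not cf.bot_management.verified_bot`) rather than on the user agent, because the user agents of Googlebot and Bingbot are easily spoofed and only the verified flag confirms the request's source.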
Reviewer comment:
I'd make this a bulleted list.
| Bot Fight Mode is available on all Cloudflare plans, including Free. | ||
| 1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/login) and select your account and domain. | ||
| 2. Go to **Security Settings** and filter by **Bot traffic**. |
Reviewer comment:
Should clarify where this is located, and what's the nav step for users in the old dashboard navigation.
This PR requires additional review attention because it affects the following areas: Redirects. This PR changes current filenames or deletes current files. Make sure you have redirects set up to cover the following paths:

First solution guide for the use-cases section. Covers layered bot defense using Cloudflare tools: Bot Fight Mode, Turnstile, WAF custom rules, rate limiting, and bot score rules.

src/content/docs/use-cases/application-security/stop-malicious-bots.mdx
application-security/ category structure from Add new use cases documentation #29162
Related: PCX-21341