WAF on non-known bots trigger on a web browser GET request

While playing around with Cloudflare security rules for R2, I came across the

Known Bots

Known Bots

Known Bots

Known Bots flag.

I've tested this in a few angles, and it appears that doing any action against

(not cf.client.bot)

(not cf.client.bot)

(not cf.client.bot)

(not cf.client.bot) seems to also trigger on Firefox and Microsoft Edge.

Some questions for that:

Are plain ol' browsers also considered bots?
If I am using a public bucket, do I have no choice but to let bots fly so that a standard web browser can do its job? (and sacrifice free R2 ops count for this?)

Llifehackerhansol While playing around with Cloudflare security rules for R2, I came across the `K...

Hello, I’m Allie!•8/29/23, 8:29 AM

Note that just because a client is not a known bot, doesn't mean it is a bot at all. The

Known Bots

Known Bots

flag is usually used to bypass later rules, in the event you don't want to block a search indexer(for example). You probably shouldn't be using it with a block rule.

High Flying Dwarf•8/29/23, 7:22 PM

@lifehackerhansol There is a partial list of Verified bots here: https://radar.cloudflare.com/traffic/verified-bots

doing any action against (not cf.client.bot) seems to also trigger on Firefox and Microsoft Edge.

Not cf.client.bot will trigger against anything which isn't on that list.

Cloudflare Radar

Up to date Internet trends and insight

WAF on non-known bots trigger on a web browser GET request

Similar Threads

Similar Threads

Similar Threads