WAF on non-known bots trigger on a web browser GET request
While playing around with Cloudflare security rules for R2, I came across the
I've tested this in a few angles, and it appears that doing any action against
Some questions for that:
- Are plain ol' browsers also considered bots?
- If I am using a public bucket, do I have no choice but to let bots fly so that a standard web browser can do its job? (and sacrifice free R2 ops count for this?)
Known BotsI've tested this in a few angles, and it appears that doing any action against
(not cf.client.bot)Some questions for that:
- Are plain ol' browsers also considered bots?
- If I am using a public bucket, do I have no choice but to let bots fly so that a standard web browser can do its job? (and sacrifice free R2 ops count for this?)
