Bot Fight Mode
Bot Fight Mode is a simple, free product that helps detect and mitigate bot traffic on your domain. When enabled, the product:
- Identifies traffic matching patterns of known bots
- Issues computationally expensive challenges in response to these bots
- Notifies Bandwidth Alliance ↗ partners (if applicable) to disable bots
Bot Fight Mode and Super Bot Fight Mode use the same underlying technology that powers our Bot Management ↗ product. Specifically, these products:
- Protect entire domains without endpoint restrictions
- Cannot be customized, adjusted, or reconfigured via WAF custom rules
Although these products are designed to fight malicious actors on the Internet, they may challenge API or mobile app traffic. For more granular control, upgrade to Bot Management for Enterprise.
To start using Bot Fight Mode:
- Log in to the Cloudflare dashboard ↗, and select your account and domain.
- Go to Security > Bots.
- For Bot Fight Mode, select On.
-
In the Cloudflare dashboard, go to the Security Settings page.
Go to Settings -
Filter by Bot traffic.
-
Go to Bot Fight Mode.
-
Turn Bot Fight Mode on.
If you find that Bot Fight Mode is causing problems with your application traffic, you may want to disable it.
To disable Bot Fight Mode:
- Log in to the Cloudflare dashboard ↗, and select your account and domain.
- Go to Security > Bots.
- For Bot Fight Mode, select Off.
-
In the Cloudflare dashboard, go to the Security Settings page.
Go to Settings -
Filter by Bot traffic.
-
Go to Bot Fight Mode.
-
Turn Bot Fight Mode off.
Refer to Block AI bots.
You can see bot-related actions by going to Security > Events. Any requests challenged by this product will be labeled Bot Fight Mode in the Service field. This allows you to observe, analyze, and follow trends in your bot traffic over time.
You cannot bypass or skip Bot Fight Mode using the Skip action in WAF custom rules or using Page Rules. Skip, Bypass, and Allow actions apply to rules or rulesets running on the Ruleset Engine. While Super Bot Fight Mode rules are implemented in the Ruleset Engine, Bot Fight Mode checks are not. This is why you can skip Super Bot Fight Mode, but not Bot Fight Mode. If you need to skip Bot Fight Mode, consider using Super Bot Fight Mode.
Bot Fight Mode can still trigger if you have IP Access rules, but it cannot trigger if an IP Access rule matches the request. For example, the IP Access rule matches the connecting IP.
For Bot Fight Mode customers, JavaScript Detections is automatically enabled and cannot be disabled.
If you have a Content Security Policy (CSP), you need to take additional steps to implement JavaScript Detections:
- Ensure that anything under
/cdn-cgi/challenge-platform/is allowed. Your CSP should allow scripts served from your origin domain (script-src self). - For
noncescript tags:-
If your CSP uses a
noncefor script tags, Cloudflare will add these nonces to the scripts it injects by parsing your CSP response header. -
If your CSP does not use
noncefor script tags and JavaScript Detections is enabled, you may see a console error such asRefused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-b123b8a70+4jEj+d6gWI9U6IilUJIrlnRJbRR/uQl2Jc='), or a nonce ('nonce-...') is required to enable inline execution.We highly discourage the use ofunsafe-inlineand instead recommend the use CSPnoncesin script tags which we parse and support in our CDN.
-
Was this helpful?
- Resources
- API
- New to Cloudflare?
- Directory
- Sponsorships
- Open Source
- Support
- Help Center
- System Status
- Compliance
- GDPR
- Company
- cloudflare.com
- Our team
- Careers
- © 2025 Cloudflare, Inc.
- Privacy Policy
- Terms of Use
- Report Security Issues
- Trademark
-
