How do you tell a real customer from an automated attacker pretending to be one?
Modern bots are sophisticated. They run real browsers via headless Chromium, rotate residential IPs, solve CAPTCHAs with cheap human labor or ML, and mimic human mouse movement. Block too aggressively and you lose conversions. Block too leniently and bots steal inventory (sneakers, concert tickets), stuff credentials, scrape pricing, or DDoS your login endpoint. Meanwhile, your origin pays for every request — bot or not.
How it fits together

How Cloudflare solves it
- Machine-learning bot scores. Every request gets a score from 1 (definitely bot) to 99 (definitely human). The model is trained on traffic from millions of sites globally — Cloudflare sees roughly 20% of the entire web.
- Behavioral & JA3/JA4 fingerprinting. Beyond IP and user-agent, Cloudflare evaluates TLS fingerprints, HTTP/2 frame ordering, and behavioral signals (mouse, scroll, timing) when JS detections fire. Bots that perfectly mimic Chrome still fail these checks.
- Verified bots are first-class citizens. Cloudflare maintains a list of good bots (Googlebot, Bingbot, monitoring tools, RSS readers). They're allowed by default and tagged separately, so you can write rules like 'block all bots except verified ones.'
- Rate limiting on any signal. Limit by IP, by cookie, by JA3, by header, by URL pattern. Use sliding windows, configurable thresholds, and action gradients (challenge → JS challenge → block). Stop credential stuffing without locking out real users.
- Surgical actions. Block, JS-challenge, managed challenge (Turnstile), rate-limit, log, or skip — picked per rule. Combine with WAF rules for layered defense (e.g. 'rate-limit logins to 5/min AND challenge on bot score < 30').
Common questions
Will this affect good bots like Googlebot or Bingbot?
cf.client.bot. Default rules let verified bots through; you write your blocks to apply only to cf.bot_management.score < 30 AND NOT cf.client.bot. Search engines, RSS aggregators, and monitoring services keep working.How is bot management different from rate limiting?
What if my real users score low?
Does this also stop the AI scrapers training on my content?
Try it live
Your current request's bot management score is shown below (injected by the site middleware). Hit the rate-limit endpoint repeatedly to trigger a 429.
Your current bot management score
Read from the _cfbm cookie
set by Cloudflare on each request to this site. 1 = definitely bot,
99 = definitely human. The site middleware injects this so we can show it on the page.
Bot Score
Verified Bot
Verified bots (Googlebot, Bingbot, monitoring tools) are explicitly allowed by default.
Rate limiting test
Hit the rate-limit endpoint as fast as you can. A rate-limit rule
configured on
/api/rate-limit-test
will return 429 once you cross the threshold.