Cloudflare Demo Shop

Bot Management & Rate Limiting

Distinguish real users from scrapers, credential stuffers, and inventory hoarders with machine-learning bot scores — then rate-limit, challenge, or block based on policy.

How do you tell a real customer from an automated attacker pretending to be one?

Modern bots are sophisticated. They run real browsers via headless Chromium, rotate residential IPs, solve CAPTCHAs with cheap human labor or ML, and mimic human mouse movement. Block too aggressively and you lose conversions. Block too leniently and bots steal inventory (sneakers, concert tickets), stuff credentials, scrape pricing, or DDoS your login endpoint. Meanwhile, your origin pays for every request — bot or not.

How it fits together

Bot management decision flow
Every request gets a 1–99 bot score; policies decide what to do with each band.

How Cloudflare solves it

Common questions

Will this affect good bots like Googlebot or Bingbot?
No. Cloudflare maintains a curated list of verified bots, and they're tagged with cf.client.bot. Default rules let verified bots through; you write your blocks to apply only to cf.bot_management.score < 30 AND NOT cf.client.bot. Search engines, RSS aggregators, and monitoring services keep working.
How is bot management different from rate limiting?
Bot management classifies *what* the requester is. Rate limiting controls *how often* anyone can do something. They're complementary — you typically use bot management to challenge or block obvious bots, and rate limiting to catch credential-stuffing or scraping attempts that slip through with low-volume distributed requests.
What if my real users score low?
It happens — privacy-focused browsers, ad blockers, or unusual networks can produce lower scores. Best practice is to start in log mode, examine the score distribution for your real traffic, and tune thresholds. Most customers find <30 is a safe 'definitely bot' band.
Does this also stop the AI scrapers training on my content?
Yes. Cloudflare ships a one-click 'Block AI Scrapers' rule that uses bot scores, JA fingerprints, and a curated list of AI crawler identifiers (GPTBot, ClaudeBot, PerplexityBot, etc.) — and ML detection for the ones lying about who they are.

Try it live

Your current request's bot management score is shown below (injected by the site middleware). Hit the rate-limit endpoint repeatedly to trigger a 429.

Your current bot management score

Read from the _cfbm cookie set by Cloudflare on each request to this site. 1 = definitely bot, 99 = definitely human. The site middleware injects this so we can show it on the page.

Bot Score

Verified Bot

Verified bots (Googlebot, Bingbot, monitoring tools) are explicitly allowed by default.

Rate limiting test

Hit the rate-limit endpoint as fast as you can. A rate-limit rule configured on /api/rate-limit-test will return 429 once you cross the threshold.

Firing...
Sent
200 OK
429 / 503

Docs & blogs

← Back to all solutions