
Cloudflare Advanced Bot Protection: Separating Humans from Automated Threats

What Is Advanced Bot Protection?

Cloudflare’s Advanced Bot Protection is a machine learning-driven system that scores every request hitting your application for how likely it is to be automated, separately flags known-good automation as verified bots, and lets you take automated action (block, challenge, log, skip) based on that classification.

Unlike simple bot detection based on user-agent strings or IP reputation (a User-Agent header is whatever the client chooses to send, and IP reputation is sidestepped with residential proxy pools), Advanced Bot Protection combines behavioral signals, browser fingerprinting, JavaScript execution signals, and Cloudflare’s global threat intelligence to make high-confidence decisions about request legitimacy.


The Bot Problem in Context

Not all bots are bad. Search engine crawlers, uptime monitors, payment processors, and feed aggregators are all automated traffic you want to allow. The problem is the other kind:

  • Credential stuffing — automated login attempts using breach data
  • Card testing — testing stolen card numbers against checkout flows
  • Inventory hoarding — bots buying limited stock before humans can
  • Price scraping — competitors harvesting your pricing data continuously
  • Content scraping — bulk extraction of your content for republishing
  • Account creation abuse — mass fake account creation for spam or fraud
  • API abuse — automated exploitation of your APIs beyond intended use

Advanced Bot Protection addresses all of these with one coherent system rather than requiring separate point solutions.


How It Classifies Traffic

Cloudflare assigns every request a Bot Score from 1–99, where 1 means almost certainly automated and 99 almost certainly human:

Score range   Classification             Typical action
1–29          Almost certainly a bot     Block or challenge
30–49         Likely automated           Challenge
50–69         Uncertain                  Log and monitor
70–99         Almost certainly human     Allow

The bands above are this post’s recommended treatment, not Cloudflare’s. Cloudflare’s own documentation labels 1 as automated, 2–29 as likely automated, and 30–99 as likely human, and verified bots are flagged separately rather than scored. Pick your own cut-offs from your traffic’s score distribution, not from this table.

The score is derived from multiple signals:

Machine learning models trained on Cloudflare’s global traffic — billions of requests per day across millions of properties. Patterns that correlate with malicious automation are learned at scale.

Browser fingerprinting — legitimate browsers produce consistent, expected fingerprints. Bots using headless browsers, Puppeteer, Playwright, or custom HTTP clients produce fingerprints that deviate from real browsers in detectable ways.

Behavioral analysis — how a session navigates your site, mouse movement patterns, timing between requests, and interaction patterns that distinguish humans from scripts.

Verified Bot List — Cloudflare maintains a list of known legitimate bots (Googlebot, Bingbot, payment processors, monitoring services) verified via reverse DNS and ASN. These are automatically classified as legitimate and excluded from bot scoring.


Key Capabilities

Bot Score field in WAF custom rules — use cf.bot_management.score in custom rules (the successor to Firewall Rules) to take action based on bot confidence.

Verified Bots bypass — allow known good bots automatically without false positives.

JavaScript detections — inject a lightweight, non-blocking script into HTML responses that collects browser signals; requests from clients that never executed it are exposed to your rules through cf.bot_management.js_detection.passed. This is distinct from the challenge actions below, which actively interrupt the request.

Managed Challenge — for uncertain traffic, issue a Managed Challenge, which runs the same non-interactive, privacy-preserving checks as Cloudflare’s Turnstile widget and only falls back to an interactive prompt when those checks are inconclusive, so real users rarely see anything.

Anomaly detection — flag sessions behaving unusually compared to baseline patterns for your specific application.

Mobile SDK — for native mobile apps, Cloudflare’s SDK provides device attestation signals to detect bot traffic in mobile API traffic where there’s no browser to fingerprint.


Best Practices

Use Bot Score in Layered Rules, Not a Single Threshold

A single “block score < 30” rule is too blunt. Build a graduated response, and mind the order: custom rules are evaluated top to bottom, and the verified-bot exemption has to come first. There is no “Allow” action in custom rules; the equivalent is Skip, which stops the remaining custom rules from being evaluated for that request:

cf.bot_management.verified_bot  → Skip remaining custom rules
cf.bot_management.score lt 10   → Block
cf.bot_management.score lt 30   → Managed Challenge
cf.bot_management.score lt 50   → Log (and review)

Log is a non-terminating action: the request is recorded and continues on, which is what you want for the uncertain band while you tune thresholds.

Always Whitelist Verified Bots

Before deploying any bot blocking rule, make sure the first rule in your ruleset is a Skip on cf.bot_management.verified_bot (equivalently cf.bot_management.verified_bot eq true), so that Googlebot, monitoring services, payment providers, and other critical automated traffic never reach the bot score thresholds further down. A verified bot placed after a “score lt 10 → Block” rule is blocked like any other bot, because Cloudflare stops at the first terminating match.

Protect High-Value Endpoints Specifically

Don’t apply bot protection uniformly across your entire site — prioritize your highest-value targets:

  • /login — credential stuffing
  • /register — fake account creation
  • /checkout — card testing and inventory abuse
  • /api/* — API scraping and abuse
  • /pricing — competitor price scraping

Apply stricter thresholds on these paths and more relaxed rules on public content pages.
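The graduated response above and the per-path tightening in this section are really one ordered ruleset. The following is an added example written for this post, not Cloudflare’s own code: each rule carries the Cloudflare rules-language expression you would paste into a custom rule, plus an equivalent Python predicate so the ordering can be checked offline against constructed requests. Request dicts use the keys “path”, “score” and “verified_bot”, and the Rulesets API body shape in as_api_rules is what this example assumes; both are choices made here, not something the post states.

```python
"""Graduated bot-score policy as an ordered rule list (added example)."""
from dataclasses import dataclass
from typing import Callable

# High-value paths from the post; everything else gets the looser site-wide bands.
SENSITIVE_PREFIXES = ("/login", "/register", "/checkout", "/api/", "/pricing")


def path_expr(prefixes: tuple[str, ...]) -> str:
    """Rules-language clause that matches any of the given path prefixes."""
    clauses = [f'starts_with(http.request.uri.path, "{p}")' for p in prefixes]
    return "(" + " or ".join(clauses) + ")"


def is_sensitive(req: dict) -> bool:
    return any(req["path"].startswith(p) for p in SENSITIVE_PREFIXES)


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                    # block | managed_challenge | log | skip
    expression: str                # deployable Cloudflare expression
    match: Callable[[dict], bool]  # offline equivalent of `expression`


# Order matters: custom rules are evaluated top to bottom and Skip stops the
# rest of the ruleset, so the verified-bot exemption must be the first rule.
RULES = [
    Rule("verified-bots-skip", "skip",
         "cf.bot_management.verified_bot",
         lambda r: r["verified_bot"]),
    Rule("sensitive-block", "block",
         f"{path_expr(SENSITIVE_PREFIXES)} and cf.bot_management.score lt 30",
         lambda r: is_sensitive(r) and r["score"] < 30),
    Rule("sensitive-challenge", "managed_challenge",
         f"{path_expr(SENSITIVE_PREFIXES)} and cf.bot_management.score lt 50",
         lambda r: is_sensitive(r) and r["score"] < 50),
    Rule("site-block", "block",
         "cf.bot_management.score lt 10",
         lambda r: r["score"] < 10),
    Rule("site-challenge", "managed_challenge",
         "cf.bot_management.score lt 30",
         lambda r: r["score"] < 30),
    Rule("site-log", "log",
         "cf.bot_management.score lt 50",
         lambda r: r["score"] < 50),
]


def decide(req: dict, rules: list[Rule] = RULES) -> tuple[str, str]:
    """Return (rule name, action) of the first matching rule, else a default allow."""
    for rule in rules:
        if rule.match(req):
            return rule.name, rule.action
    return "default", "allow"


def as_api_rules(rules: list[Rule] = RULES) -> list[dict]:
    """Render the rules for the http_request_firewall_custom phase entrypoint.
    Body shape is assumed for this example; check it against the Rulesets API docs."""
    out = []
    for rule in rules:
        body = {"description": rule.name, "action": rule.action,
                "expression": rule.expression}
        if rule.action == "skip":
            body["action_parameters"] = {"ruleset": "current"}
        out.append(body)
    return out


if __name__ == "__main__":
    samples = [  # constructed requests
        {"path": "/login", "score": 1, "verified_bot": True},       # verified crawler
        {"path": "/login", "score": 40, "verified_bot": False},     # sensitive path
        {"path": "/blog/post", "score": 40, "verified_bot": False},  # public content
    ]
    for s in samples:
        print(s["path"], s["score"], "->", decide(s))
    # Misordered ruleset: the verified crawler now gets blocked on /login.
    print("misordered:", decide(samples[0], RULES[1:] + RULES[:1]))
```

The misordered call at the end is the failure mode the previous section warns about: move the Skip rule anywhere but first and a verified crawler with a score of 1 hits the sensitive-path block rule.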

Use Turnstile Instead of CAPTCHA for Challenges

Cloudflare Turnstile is their CAPTCHA replacement: it verifies humans without image puzzles, using non-intrusive browser checks instead, and the Managed Challenge action in custom rules uses the same mechanism. It raises the cost for bots that rely on human CAPTCHA-solving farms (there is usually nothing for a farm to solve) and is far less frustrating for real users. It is not a guarantee: solver services that target Turnstile tokens exist, which is why the challenge sits in a layered policy rather than standing alone. For the challenge action, use Managed Challenge rather than the retired interactive CAPTCHA.

Monitor Bot Score Distribution Before Enforcing

Before blocking, spend a week logging bot scores across your traffic. Review the distribution:

  • What percentage of traffic scores below 30?
  • Are any critical integrations scoring low (payment webhooks, monitoring, CI/CD)?
  • What does your login endpoint’s score distribution look like vs. your homepage?

This baseline prevents you from blocking legitimate traffic when you switch to enforcement mode.

Protect API Endpoints with Header-Based Verification

For machine-to-machine API traffic from your own systems, a shared secret header lets a custom rule skip the bot rules for your legitimate callers, so your own automation is never challenged. Treat it for what it is: a static bypass token. Anyone who obtains it (a leaked CI log, a decompiled client, a captured request) walks past bot protection entirely, so scope the rule to the paths and source ranges your callers actually use, rotate the token, keep it out of anything shipped to end users, and prefer mutual TLS (cf.tls_client_auth.cert_verified) where callers can present a client certificate. Two syntax details: header names in the rules language are lowercase, and http.request.headers[...] yields an array of values, so compare with any():

# Skip bot rules for your own API clients. The IP range is a placeholder;
# use the egress range of the systems that actually call you.
any(http.request.headers["x-api-client-token"][*] eq "your-secret-token")
and starts_with(http.request.uri.path, "/api/")
and ip.src in {203.0.113.0/24}

Deploy this as a Skip rule placed before the bot score rules, for the same ordering reason as the verified-bot exemption.

Correlate Bot Blocks with Business Metrics

The real value of bot protection shows up in business data, not just security dashboards. Track:

  • Login success rate (credential stuffing shows up as unusual failure rates)
  • Cart abandonment patterns (inventory hoarding bots inflate and then abandon carts)
  • Account creation volume vs. genuine activation rate
  • API call volume by endpoint

An unexplained spike in login failures is often credential stuffing. A bot block surge correlating with that spike confirms it. Having these metrics connected makes the value of bot protection tangible.
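The login-failure signal and the edge-block signal have to be joined on time to be useful. The following is an added example for this post, not Cloudflare’s code: it bins constructed application login events and constructed Cloudflare request outcomes for the login path into hours, derives a baseline from the median of each series, and labels each hour. The input shapes ((hour, outcome) and (hour, action) tuples) and the factor-of-three baseline multiplier are assumptions made here.

```python
"""Correlate hourly login failures with bot blocks on /login (added example)."""
from collections import Counter
from statistics import median


def _login_hour(hour: int, n_ok: int, n_fail: int) -> list[tuple[int, str]]:
    return [(hour, "success")] * n_ok + [(hour, "failure")] * n_fail


def _edge_hour(hour: int, n_allow: int, n_block: int) -> list[tuple[int, str]]:
    return [(hour, "allow")] * n_allow + [(hour, "block")] * n_block


# Constructed: the application's own login log, (hour, outcome).
LOGIN_EVENTS = (_login_hour(0, 18, 2) + _login_hour(1, 19, 1) + _login_hour(2, 17, 3)
                + _login_hour(3, 18, 2) + _login_hour(4, 10, 50) + _login_hour(5, 18, 2)
                + _login_hour(6, 10, 30))

# Constructed: Cloudflare request outcomes for /login, (hour, action).
EDGE_EVENTS = (_edge_hour(0, 30, 1) + _edge_hour(1, 30, 2) + _edge_hour(2, 30, 1)
               + _edge_hour(3, 30, 1) + _edge_hour(4, 30, 40) + _edge_hour(5, 30, 2)
               + _edge_hour(6, 30, 1))


def failure_rate_by_hour(events: list[tuple[int, str]]) -> dict[int, float]:
    attempts, failures = Counter(), Counter()
    for hour, outcome in events:
        attempts[hour] += 1
        if outcome == "failure":
            failures[hour] += 1
    return {h: failures[h] / attempts[h] for h in sorted(attempts)}


def blocks_by_hour(events: list[tuple[int, str]]) -> dict[int, int]:
    blocked = Counter(h for h, action in events if action == "block")
    return {h: blocked[h] for h in sorted({h for h, _ in events})}


def classify_hours(login_events, edge_events, factor: float = 3.0) -> dict[int, str]:
    """Label each hour by whether failures and blocks are both far above baseline.

    stuffing-confirmed       failures up AND blocks up: the bot layer is catching it
    failures-without-blocks  failures up, blocks flat: bypassing the bot layer, or an app fault
    blocks-without-failures  blocks up, failures flat: the bot layer absorbed the attack
    normal                   neither series is elevated
    """
    rates = failure_rate_by_hour(login_events)
    blocks = blocks_by_hour(edge_events)
    base_rate = median(rates.values())
    base_blocks = max(median(blocks.values()), 1)  # avoid a zero baseline
    labels = {}
    for h in rates:
        hot_failures = rates[h] >= factor * base_rate
        hot_blocks = blocks.get(h, 0) >= factor * base_blocks
        if hot_failures and hot_blocks:
            labels[h] = "stuffing-confirmed"
        elif hot_failures:
            labels[h] = "failures-without-blocks"
        elif hot_blocks:
            labels[h] = "blocks-without-failures"
        else:
            labels[h] = "normal"
    return labels


if __name__ == "__main__":
    for hour, label in classify_hours(LOGIN_EVENTS, EDGE_EVENTS).items():
        print(f"hour {hour}: {label}")
```

Hour 4 in the sample is the case the text describes; hour 6 is the one worth a closer look, because a failure spike with no matching block surge means either the automation is scoring as human (and your thresholds need revisiting) or the failures have nothing to do with bots at all.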

Re-evaluate Thresholds After Major Events

After a product launch, major sale, or public announcement, your traffic profile changes significantly. Bot activity often spikes around these events as scrapers and scalpers target new inventory or content. Review your bot score distribution in the days following major events and adjust rules if needed.
