Super Bot Fight Mode

Super Bot Fight Mode is included in your Pro, Business, or Enterprise subscription. When enabled, the product:

Identifies traffic matching patterns of known bots
Can challenge or block bots
Offers protection for static resources
Provides limited analytics to help you understand bot traffic

Accounts with an Enterprise subscription but not the Bot Management add-on will have Super Bot Fight Mode for Business.

Considerations

Bot Fight Mode and Super Bot Fight Mode use the same underlying technology that powers our Bot Management ↗ product. Specifically, these products:

Protect entire domains without endpoint restrictions
Cannot be customized, adjusted, or reconfigured via WAF custom rules

Although these products are designed to fight malicious actors on the Internet, they may challenge API or mobile app traffic. For more granular control, upgrade to Bot Management for Enterprise.

WAF custom rules

WAF custom rules are executed before Super Bot Fight Mode.

This order has a critical impact on traffic processing. If a WAF custom rule performs a terminating action (such as Block, Managed Challenge, or JS Challenge), the request will not be processed further, and the Super Bot Fight Mode configuration will not be evaluated.

To configure exceptions to Super Bot Fight Mode, you should use the Skip action in your WAF custom rules. The Skip action allows the request to bypass the Super Bot Fight Mode phase without terminating the request, enabling it to continue through the rest of the security stack.

Enable Super Bot Fight Mode

To start using Super Bot Fight Mode:

Old dashboard
New dashboard

Log in to the Cloudflare dashboard ↗, and select your account and domain.
Go to Security > Bots.
Select Configure Super Bot Fight Mode.
Choose how your domain should respond to various types of traffic:
- For more details on verified bots, refer to Verified Bots.
- For more details on supported file types, refer to Static resource protection.
- For more details on invisible code injection, refer to JavaScript detections.

In parts of your site where you want bot traffic, you can use the Skip action in WAF custom rules to specify where Super Bot Fight Mode should not run.

You can use the Rules language and its operators and fields in custom rules to configure a scoped rule for approved automated traffic in Super Bot Fight Mode.

Disable Super Bot Fight Mode

If you find that Super Bot Fight Mode is causing problems with your application traffic, you may want to disable it.

To disable Super Bot Fight Mode:

Old dashboard
New dashboard

Log in to the Cloudflare dashboard ↗, and select your account and domain.
Go to Security > Bots.
Select Configure Super Bot Fight Mode.
For all bot groupings (Definitely automated, Verified bots, etc.), set the value to Allow.
For all other options (Static resource protection, JavaScript Detections), ensure they are off.

In parts of your site where you want bot traffic, you can use the Skip action in WAF custom rules to specify where Super Bot Fight Mode should not run.

You can use the Rules language and its operators and fields in custom rules to configure a scoped rule for approved automated traffic in Super Bot Fight Mode.

Block AI bots

Refer to Block AI bots.

Analytics

Bot Report

Use the Bot Report to monitor bot traffic for the past 24 hours.

To access the Bot Report, go to Security > Bots. If you see a double-digit percentage of automated traffic, you may want to upgrade to Bot Management to save money on origin costs and protect your domain from large-scale attacks.

Example traffic distribution as part of a bot report

Security events

You can see bot-related actions by going to Security > Events. Any requests challenged by this product will be labeled Super Bot Fight Mode in the Service field. This allows you to observe, analyze, and follow trends in your bot traffic over time.

Ruleset Engine

Super Bot Fight Mode runs during the http_request_sbfm phase of the Ruleset Engine.

Was this helpful?

Community
X
Discord
YouTube
GitHub