WAF on non-known bots triggers on a web browser GET request

While playing around with Cloudflare security rules for R2, I came across the Known Bots flag. I've tested this in a few angles, and it appears that doing any action against (not cf.client.bot) seems to also trigger on Firefox and Microsoft Edge. Some questions for that:
- Are plain ol' browsers also considered bots?
- If I am using a public bucket, do I have no choice but to let bots fly so that a standard web browser can do its job? (and sacrifice free R2 ops count for this?)
2 Replies
Hello, I’m Allie!
Note that just because a client is not a known bot, doesn't mean it is a bot at all. The Known Bots flag is usually used to bypass later rules, in the event you don't want to block a search indexer (for example). You probably shouldn't be using it with a block rule.
HighFlyingDwarf 16mo ago
@lifehackerhansol There is a partial list of Verified bots here: https://radar.cloudflare.com/traffic/verified-bots
> doing any action against (not cf.client.bot) seems to also trigger on Firefox and Microsoft Edge.
Not cf.client.bot will trigger against anything which isn't on that list.