I use Cloudflare (unpaid) for personal use. I have a domain for my homelab, and a reverse proxy to several services behind my firewall, such as Home Assistant.
For the past few weeks, I’ve been banging my head against the wall because webhook requests from IFTTT recipes to my Home Assistant server were getting 503 denied errors, while requests from the same webhook from other sources were going through.
I thought it was something wrong with IFTTT, but then finally decided I’d better go sift through all my Cloudflare settings to make sure it wasn’t something I did there. Sure enough, I saw all the failed requests in the Security log. They’d all been blocked by Bot Fight Mode.
Now, I understand that the free version of Bot Fight Mode has to be simple, and that you want it to be secure by default. But I think it would make a lot of sense to warn people that turning it on might disrupt known/legitimate/wanted “bot” traffic.
There’s no context! Just an option that sounds good, but has effects that are not only non-obvious, but also not super easy to diagnose!
I think that under the switch to turn it on, you should say something like:
“Warning: turning on bot mode will block ALL the bots we can identify. That might mean things like Zapier or IFTTT routines, social media apps that do previews of shared links, scripts you run yourself, and other things. So think about whether you know of any automated traffic to this domain before you flip this switch.”