Incorrect, there’s an option in the free version of Bot Fight Mode to configure it and to allow verified bots.
I’m seeing the same issue and yes, something has changed. I’ve submitted a support ticket.
Yesterday we noticed that incoming webhooks to our SaaS were being blocked and wrongly being detected as ‘definite bots’. These webhooks have worked for years; sender IP or payload has never changed.
Today, some customers are telling us that they cannot get past the ‘Verifying you are human’ challenge. When I checked the ray id it was again detected by ‘Bot Fight Mode for Definite Bots’ and detected as a bot. This is a really bad false positive because it’s an actual person clicking a link to access a page on our site. It’s not an isolated case either, other customers reported the same.
For the webhooks I could get around this by allowlisting the IPs but for real humans I need to turn bot fight mode off.
I’m feeling that the standards at Cloudflare are slipping and this is a shame because I rated them very highly. However, during the last year we have been encountering more and more issues like this one which impact our business and which ultimately were entirely caused by Cloudflare themselves and not by external factors or configuration issues on our end.
And for good measure, and I will say this as many times as necessary, closing topics after 2 days is the most insane support policy I’ve ever come across. It makes it impossible to add information once an issue has been resolved (and how often does that happen within 2 days?) and shuts down any follow-up questions that arise later.
Most folks just post a new topic and if it’s mergeable, we do.
When topics are left open for long periods of time (we’ve tested a number of options over the years) we see a lot of resurrection of topics with spam, a lot of me too comments when the reality is it’s a different issue, and it confuses the topic. We did a sample of 5 topics where every mod, admin & leader here was certain they had the same root cause. In reality, there were 10 different causes. We recognize that is not always the case. This is especially true for incident related issues where we encourage and curate “jumping on” another thread in order to gauge magnitude and communicate updates (callout for Cloudflare Status, a good category to watch for incident updates).
Thanks for the explanation but please consider that this is not how community forums work. It’s possible that Cloudflare has got this wrong.
Moreover, 2 days isn’t even enough to get from Friday to Monday.
Anyways, no reply to my ticket as of yet and these obvious false positives in bot fight mode are really causing us headaches.
I will flag 01223129 for my colleagues in Support
Good news
Good news for you if yours is a verified bot.
In our cases, both legitimate human access as well as webhook traffic was being classified as ‘definitive bot’ and blocked. Related issues maybe, but I don’t think the verified bots issue will help us.
Suggestion from Cloudflare was to turn bot fighting mode off… Guess that’s equivalent to opening your back door to a burglar because the front door lock is broken.
This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.