cf.threat_score between 1 and 10

We have a Firewall Rule that will block requests when the cf.threat_score exceeds 10.
Does anyone have good experience using a lower value than 10?

My personal opinion is that we should reserve the action Block for behavior-based rules, such as rules intended to block requests of URLs considered malicious, such as the many /login/, /admin/ etc, in paths where such URLs are not expected. And use Challenge for identity-based rules, such as rules based on country, IP, ASN, User Agent etc.

cf.threat_score is calculated on the fly based on recent data about IP addresses. Most people navigate on the internet with dynamic IP addresses assigned to them by their ISP. If you block based on threat score, you may be blocking many legit visitors who happen to have been assigned an IP that was recently abused by someone else. I’d instead use Challenge.

As for your specific question relating to threat < 10, you can always test it in one specific area of your website, see how it goes, then implement more globally. I only have a rule that challenges >= 10, and it’s placed after several other behavior and location based rules, so it’s rarely ever triggered.

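An added example, not part of the posts above: a small Python replay of the rule ordering the reply describes (behavior-based Block first, identity-based Challenge next, the threat-score Challenge after them), with an optional lower-threshold trial rule limited to one area of the site. The requests, field names, the `XX` country code and the `/forum/` prefix are constructed for illustration, and the sketch assumes the first matching rule decides the outcome.

```python
from collections import Counter

# Constructed sample requests, not real traffic. Field names are hypothetical.
REQUESTS = [
    {"path": "/blog/post-1",     "country": "DE", "threat": 0},
    {"path": "/admin/setup.php", "country": "US", "threat": 45},
    {"path": "/login/",          "country": "XX", "threat": 2},
    {"path": "/shop/cart",       "country": "XX", "threat": 0},
    {"path": "/shop/cart",       "country": "FR", "threat": 12},
    {"path": "/forum/thread-9",  "country": "BR", "threat": 6},
    {"path": "/blog/post-2",     "country": "US", "threat": 7},
    {"path": "/forum/thread-3",  "country": "XX", "threat": 30},
]
UNEXPECTED_PREFIXES = ("/login/", "/admin/")  # assumed: this site serves neither
CHALLENGED_COUNTRIES = {"XX"}                 # placeholder country code


def make_rules(trial_threshold=None, trial_prefix="/"):
    """Return (action, name, predicate) tuples in evaluation order."""
    rules = [
        ("block", "unexpected-path",
         lambda r: r["path"].startswith(UNEXPECTED_PREFIXES)),
        ("challenge", "country",
         lambda r: r["country"] in CHALLENGED_COUNTRIES),
        ("challenge", "threat>=10", lambda r: r["threat"] >= 10),
    ]
    if trial_threshold is not None:
        # Lower threshold tried on one area of the site only, placed last.
        rules.append(("challenge", "trial",
                      lambda r: r["threat"] >= trial_threshold
                      and r["path"].startswith(trial_prefix)))
    return rules


def evaluate(request, rules):
    """Assumption of this sketch: the first matching rule decides the outcome."""
    for action, name, matches in rules:
        if matches(request):
            return action, name
    return "allow", None


def summarize(trial_threshold=None, trial_prefix="/"):
    """Count outcomes per (action, rule name) over the sample requests."""
    rules = make_rules(trial_threshold, trial_prefix)
    return Counter(evaluate(r, rules) for r in REQUESTS)


if __name__ == "__main__":
    for label, args in [("current", ()), ("trial >=5 on /forum/", (5, "/forum/")),
                        ("trial >=5 site-wide", (5,))]:
        print(label, dict(summarize(*args)))
```

Comparing the three summaries shows how many additional requests a lower threshold would challenge in the trial area versus site-wide, before the rule is widened.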