CF Workers and Rate Limiting, Firewall Rules, Bot Management


Can anyone shed light on the order in which the following rules apply?

  1. Bot Fight Mode / Bot Management / Security Rules
    Unknown? Presumably this is before Workers because Workers get a “Threat Score” header?

  2. Workers
    Workers come before the cache; does this mean they come before bot fight / firewall / rate limiting rules?

  3. Firewall Rules
    Firewall Rules can “bypass” WAF, Rate Limiting, Browser Integrity checks… so they must come before the WAF/Rate Limiting etc

  4. WAF Managed Rules

  5. Rate Limiting

  6. Page Rules

Use cases / questions:

Why is bot fight mode not enabled by default? What is the risk? Percentage of false positives for example?

For example Rate Limit in one zone – let me set a flag in the CF Worker’s KV so that I can block the IP in other zones also. Is is possible to leverage CF tooling or would I have to build my own?

Advanced Blocking

Class ‘C’: If more than x IPs from same class C have been detected in past x hours across all zones, block the class C for z mins?

ASN Rep: Threat score for ASN, class C and IP?

1 Like

Hey, @KentonVarda really could use some help here…

Security features – which is most of what’s on your list – run before Workers.

“Page Rules” aren’t really a feature in themselves, but rather control other features. Whether a page rule runs before or after Workers depends on what feature it is controlling. E.g. a redirect or cache-related page rule will run after workers, but security-related ones will run before.

Sorry, I’m not sure what order the features run in relative to each other; I only know where they run relative to Workers.