Confused as to why 'JavaScript Detections' is available to Free plans

What is the name of the domain?

not applicable

What is the issue you’re encountering?

I am confused as to why ‘JavaScript Detections’ is available to Free plans under Bot Traffic configurations, even though the plan does not allow us to use BFM fields for use in WAF custom rules.

Specifically the cf.bot_management.js_detection.passed field as outlined in the documentation.

More so, you can enable this configuration with Bot Fight Mode disabled, which leads to the script being fired on first load to check for Bot-ness.

But for what purpose if you can’t retrieve the boolean value from it in WAF custom rules (the confusion here)?

What is the current SSL/TLS setting?

Full (strict)

What are the steps to reproduce the issue?

This has been rectified in the latest update on 1 Jul 2025, for Free plans, where you must enable BFM, which in turn enables JS detections, meaning you cannot enable JS detection separately when BFM is disabled.

The toggle to enable or disable JavaScript Detections on its own is removed and replaced with a text tooltip.
