I was creating a firewall rule with JS challenge for everyone to prevent any bots or bad IPs access it.

I wonder is this unnecessary? Because Cloudflare will automatically challenge/block bots or bad IPs?

Even with free plan? Or this is a paid feature like WAF?

To some extent. Security features in free plan are somewhat limited in terms of capabilities.
Bad IPs will be handled by Security Level feature - you may set the level to High for higher protection.
You may also enable Bot Fight Mode, but it’s not a very powerful feature and other complicated bots will still pass through.

It depends. It’s ok to JS challenge everyone if your users will not get annoyed with the few seconds of challenge page, however you will be blocking good bots like GoogleBot or Bing Bot from accessing your website too. You may consider allowing “Known Bots” in the firewall so that at least good bots can go through.

Anyway, having a firewall rule to JS challenge everyone is doing almost the same stuff as setting Security Level to “I’m Under Attack!”.

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.