Does the Worker Route come before WAF rules?

Hi, I would like to know if a Worker Route comes before WAF rules. I’m investigating a scenario where a bot made many requests to a host mapped to the Worker Route. The bot is probably configured to not follow redirects because it received a 301 HTTP status code on all requests. But what I noticed was that we have specific rules to block unauthorized bots as well as rate limiting rules in WAF. But none of these WAF rules caught the bot


WAF comes before Workers. However, Redirect Rules (and other rules) come before WAF.

These requests were not blocked because they didn’t follow the redirects, otherwise they’d be seen by WAF and, if a rule matched, they would’ve been blocked/challenged.