PageSpeed Insights blocked in "Under Attack Mode" despite active allowlist rule

Website, Application, Performance Security
1

What is the name of the domain?

example[dot]com (real domain masked)

What is the error message?

PageSpeed Insights test fails with “Lighthouse returned error: ERRORED_DOCUMENT_REQUEST” while Under Attack Mode is enabled, even though a user agent allowlist rule for Chrome-Lighthouse is active.

What is the issue you’re encountering

I’m using “Under Attack Mode” to mitigate DDoS traffic, but PageSpeed Insights requests are still being blocked even though I have an active WAF custom rule that allowlists Google-related User Agents (e.g., Chrome-Lighthouse, Google PageSpeed Insights, AdsBot-Google, Googlebot). The rule is confirmed to be active and matching in Cloudflare logs, but the PageSpeed test fails with a connection error.

What steps have you taken to resolve the issue?

I created and activated a custom WAF rule to skip security checks for known Google User Agents (including Chrome-Lighthouse and Googlebot). I also tested the rule in Cloudflare and verified that it matches the requests correctly. Additionally, I deactivated and reactivated the rule and ran multiple PageSpeed tests. I also tested it with and without “Under Attack Mode” to compare the results.

Was the site working with SSL prior to adding it to Cloudflare?

Yes

What is the current SSL/TLS setting?

Full (strict)

What are the steps to reproduce the issue?

  1. Enable “Under Attack Mode” in Cloudflare for the domain.
  2. Ensure the WAF rule to skip known Google User Agents (e.g., Chrome-Lighthouse, Google PageSpeed Insights) is active.
  3. Go to https://pagespeed.web.dev/ and test the domain.
  4. The PageSpeed test fails with a 403 error or “Lighthouse returned error: ERRORED_DOCUMENT_REQUEST”, even though the request appears in the Cloudflare logs as “skipped”.
2

That mode is only recommended as a last resort, while your website appears to be under attack.

It cannot be recommended to keep that mode enabled all the time.

To my knowledge, these WAF Rules cannot skip “Under Attack Mode”.

1 Like
3

Hi @DarkDeviL, thank you very much for your input!

You’re absolutely right: the “Under Attack Mode” should only be enabled when there’s an actual attack. I want to clarify that I only enable it temporarily, and in my case, the most recent DDoS attack lasted nearly 10 hours – which is why I was looking for a way to keep critical bots like Googlebot or PageSpeed Insights working during that time.

:white_check_mark: Solution: Allow Verified Bots Even During “Under Attack Mode”

It’s often said that WAF rules can’t bypass Under Attack Mode, but I’d like to share a working approach that actually does.

I created a custom WAF rule that exempts all verified bots (like Googlebot, Chrome-Lighthouse, AdsBot-Google, etc.) from all security checks – even during Under Attack Mode.

The rule:

  • Expression: cf.client.bot
  • Action: Skip
  • Placement: First
  • Skipped components:
    :check_box_with_check: All remaining custom rules
    :check_box_with_check: All rate limiting rules
    :check_box_with_check: All managed rules
    :check_box_with_check: All “Super Bot Fight Mode” rules

Result:

  • Googlebot traffic is no longer blocked.
  • PageSpeed Insights tests work again, even with Under Attack Mode active.
  • Verified via Cloudflare logs and several test runs.

Hopefully this helps others facing similar issues during extended attacks while still needing reliable indexing and performance checks.

Thanks again for your helpful comment and your time!

4

UPDATE – Google Ads Bots now also verified working :white_check_mark:

I’d like to add that Google Ads Bots (AdsBot-Google) are now also confirmed to be working while “Under Attack Mode” is active – with the updated WAF rule.

:wrench: Final WAF Rule (full bot support incl. AdsBot & PageSpeed):

(cf.client.bot or
http.user_agent contains “AdsBot-Google” or
http.user_agent contains “Googlebot” or
http.user_agent contains “Chrome-Lighthouse” or
http.user_agent contains “PageSpeed”)

:shield: Skip action
:round_pushpin: Placed first
:white_check_mark: Skip all WAF modules, incl.
:check_box_with_check: Zone Lockdown
:check_box_with_check: User Agent Blocking
:check_box_with_check: Security Level
:check_box_with_check: Browser Integrity Check
:check_box_with_check: All legacy modules

:chart_increasing: Result:

  • Ads were rejected last night due to 403 errors – but after adjusting the rule, Google Ads bots are now verified in Cloudflare logs.
  • PageSpeed & Search Console Live Test also working.
5

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.