Slack Bot Link Expander is blocked by Cloudflare

Answer these questions to help the Community help you with Security questions.

What is the domain name?

Have you searched for an answer?

Please share your search results url:

When you tested your domain, what were the results?
403 blocked by Cloudflare’s Bot fight mode

Describe the issue you are having:
Preview is unavailable when posting a Wordpress blog post into Slack. Contacted Slack and they said their Bot is listed as Rank 34 but Cloudflare is blocking the SlackBot which is responsible for link expansion. They said there’s nothing they can do on their end and said I need to work with Cloudflare

What error message or number are you receiving?

What steps have you taken to resolve the issue?

  1. Verify no existing firewall rules
  2. Contacted Slack Support

Was the site working with SSL prior to adding it to Cloudflare?

What are the steps to reproduce the error:

  1. Attempt to share blog post ( on Slack and preview is unavailable

Slack also provides tool to test unfurling and returns 403 as alternative confirmation

Have you tried from another browser and/or incognito mode?

Please attach a screenshot of the error:
Attached above

The block was performed by Bot Fight Mode. There’s currently no way to exempt specific paths from BFM. You need to turn it off.

and other users are okay with this? I find it quite strange that Slack has submitted for Bot Verification and yet CF isn’t adhering to this and the only option is to disable the protection? Was there a change in process recently as this used to work at least late last year and I had only noticed when folks were sharing in Slack, things weren’t getting rendered. I’ve not seen this problem across other platforms where preview was breaking, so I find this a really strange issue that folks seem to be aware but are okay with …

Both BFM and SBFM are subject to false positives. The standard recommendation is that BFM should only be used during an attack. If your domain is under current attack by bots, you’ll need to find out what’s more important: to protect you domain, or to share URLs on Slack. An alternative would be to upgrade your plan, as paid plans can use Super Bot Fight Mode instead, and for this you can create WAF custom rules with Skip action.

That, of course, says nothing about Slackbot being or not being verified. That’s an issue for Slackbot developers to bring up with Cloudflare Team, as verified bots should not be subject to the actions of Cloudflare bot products, AFAIK.

1 Like

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.