Super Bot Fight Mode blocking curl requests from web server and Facebook bots

Followup: I’m disabling Super Bot Fight Mode.

This feature badly breaks website functionality without sufficient warning. It blocked origin requests! It what world is bot traffic from origin considered something to block by default? This interfered with payment gateway transactions on our site.

There’s no way to whitelist known good bots. It blocked social media sites like Flipboard from accessing our rss feed to update content. Flipboard uses dozens of IPs that are not in any clear range. Whitelisting by ASN would be possible, but would disable all security including firewall rules for all traffic from that ASN which leave a significant hole in the security.

I’m surprised there is not a beta tag or warning on this feature.

1 Like

Apparently, it’s working as expected. I understand your frustration; a significant chunk of the community agrees that bot fight mode is currently somewhat irrelevant for most websites due to the lack of flexibility.

I believe that the main reason for this is that bot management and firewall/IP access are on different layers and have difficulty communicating. If you want flexibility while using the bot protection module, you need to be part of the enterprise program (bot management), which is quite expensive for most people.

Force-allowing an AS in IP Access Rules is working for us. I’m raising a ticket with CloudFlare because this AS should not be blocked afaik.