Super Bot Fight Mode - What to know

Introduction

While blocking bots is appealing, we often find in the community that people run into issues while using Super Bot Fight Mode (SBFM). Below you can find a quick summary of the most common questions.

How to create a bypass rule for SBFM?

In short, you can’t; however, there is one workaround that might work for some setups.
IP Access Rules can allow you to exclude an IP or set of IPs from being challenged by SBFM; however, this carries a few issues:

  1. IPs can change, and you will have to keep the allowlist up to date yourself.
  2. Many solutions do not provide an IP range to allowlist but a set of headers and patterns that do not necessarily include IPs.
  3. IP Access Rules will let through any request coming from the allowed IPs, effectively bypassing the WAF and other security measures you have set up.

Note that this is a workaround and isn’t officially supported by Cloudflare; some customers have reported in the past that using IP Access Rules didn’t solve the issues they were facing.

Why is SBFM blocking insert_name?

SBFM is very aggressive and sensitive; anything that isn’t a browser risks being flagged as a bot. The protection might even flag requests that browsers make indirectly.
There are some exceptions; Cloudflare’s known bots will skip the protection as they are beneficial for most Cloudflare customers.

My site doesn’t work after adding SBFM.

As a rule of thumb, most websites that aren’t static will suffer some malfunction after enabling SBFM.
There are exceptions, but the general experience shows that SBFM isn’t suitable for most websites that rely on dynamic content.
To fix this, you could try relying on IP Access Rules as described earlier, or disable the protection.
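
If you do rely on IP Access Rules, the caveats listed earlier (IPs change, and allowed IPs bypass the WAF) make a periodic review of the allowlist worthwhile. The following is an added example, not part of the original post and not Cloudflare code: it audits an export of allow rules for stale, overly broad, or undocumented entries. The rule objects are constructed samples whose field names (`mode`, `configuration.target`, `configuration.value`, `notes`, `modified_on`) are assumed to match the export you work with; `VENDOR_RANGES`, the thresholds, the function name, and the use of `modified_on` as the last review date are hypothetical.

```python
import ipaddress
from datetime import date

# Constructed sample shaped like IP Access Rule objects; "whitelist" is the allow mode.
SAMPLE_RULES = [
    {"mode": "whitelist", "notes": "uptime monitor", "modified_on": "2021-03-02T10:00:00Z",
     "configuration": {"target": "ip", "value": "198.51.100.7"}},
    {"mode": "whitelist", "notes": "payment webhooks", "modified_on": "2024-05-20T08:30:00Z",
     "configuration": {"target": "ip_range", "value": "203.0.113.0/24"}},
    {"mode": "whitelist", "notes": "", "modified_on": "2024-04-01T09:00:00Z",
     "configuration": {"target": "ip_range", "value": "198.18.0.0/16"}},
    {"mode": "block", "notes": "abuse", "modified_on": "2024-01-01T00:00:00Z",
     "configuration": {"target": "ip", "value": "192.0.2.9"}},
]
# Hypothetical: ranges the third-party services currently publish.
VENDOR_RANGES = ["203.0.113.0/24", "198.18.4.0/22"]


def audit_allow_rules(rules, vendor_ranges, today, max_age_days=180, min_prefix=24):
    """Return {value: [findings]} for allow rules that need review."""
    vendors = [ipaddress.ip_network(r) for r in vendor_ranges]
    report = {}
    for rule in rules:
        if rule["mode"] != "whitelist":
            continue  # only allow rules bypass SBFM and the other protections
        cfg, findings = rule["configuration"], []
        if cfg["target"] not in ("ip", "ip6", "ip_range"):
            findings.append(f"broad: allows a whole {cfg['target']}")
        else:
            net = ipaddress.ip_network(cfg["value"], strict=False)
            if net.version == 4 and net.prefixlen < min_prefix:
                findings.append(f"broad: /{net.prefixlen} covers {net.num_addresses} addresses")
            if not any(v.version == net.version and net.subnet_of(v) for v in vendors):
                findings.append("not inside any current vendor range")
        # Assumption: modified_on stands in for the date of the last review.
        age = (today - date.fromisoformat(rule["modified_on"][:10])).days
        if age > max_age_days:
            findings.append(f"not reviewed for {age} days")
        if not rule.get("notes"):
            findings.append("no owner note")
        if findings:
            report[cfg["value"]] = findings
    return report


if __name__ == "__main__":
    for value, findings in audit_allow_rules(SAMPLE_RULES, VENDOR_RANGES, date(2024, 6, 1)).items():
        print(value, "->", "; ".join(findings))
```

Entries the audit flags are candidates for removal or narrowing, since every allowed address also skips the WAF.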
