WAF rule for blocking user agents that do not come from a browser

I have been noticing increasing traffic on the frontend of my application that is coming from non browsers. At present I have some code in my frontend app and using an external user agent package to parse the user agent, if it is unknown (likely a non browser request) then block this request.

I would like to replicate this within Cloudflare so I can remove the code and make it easier to maintain. Is there a particular rule or combination of rules I can setup in my WAF to block requests for my app domain if they do not come from a browser? Essentially stopping any API requests on my frontend app’s pages.


Hello, you should be able to configure a similar rule using Custom Rules. For example, you can create a Custom Rule to Block all requests if they don’t come from a specific User Agent:

More information about Custom Rules can be found here:

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.