Website blacklisted becuase of Cloudflare

Hello,

My website has been included in the Disconnect.me blacklist (which is used by Firefox) because of a file that CloudFlare shows as being part of my website (/cdn-cgi/bm/cv/2172558837/api.js)

I have found some threads about this file (e.g. Sucuri has flagged as a malware file ) and the only possible solution (I am not sure if it would work, since some people said it didn’t) is to disable Bot Fight Mode, something which I am apparently allowed to do only if I get the Pro version of Cloudflare: https://developers.cloudflare.com/bots/about/javascript-detections

Maybe Cloudflare should do something about this? My website shouldn’t be in a blacklist used by Firefox just because I use Cloudflare.

If there is no other way about it, then I would upgrade to pro to resolve this issue. Can you confirm that this file (and anything similar) can be removed with Pro?

Unfortunately yes.

https://developers.cloudflare.com/bots/about/javascript-detections#enable-javascript-detections

For Free customers (Bot Fight Mode), JavaScript detections are automatically enabled and cannot be disabled.

For all other customers (Super Bot Fight Mode and Bot Management for Enterprise), JavaScript detections are optional. To adjust your settings, go to Firewall > Bots .

That’s strange. I can disable Bot Fight Mode on my Free Plan:

I use Firefox exclusively and have never faced this issue.

But you can’t disable JavaScript detections specifically in free plan. From my understanding, I think he wants to keep Bot Fight Mode on but without JavaScript detections.

That what the docs say. Oddly enough, I spend a lot of time looking at my sites with Dev Tools and can’t recall ever seeing that resource load. That doesn’t mean it doesn’t happen to others, so it makes me think that Disconnect Me hits sites looking totally like a bot, trigger bot fight mode, then get all upset they’ve been fingerprinted and put the site on a block list.

The description at GitHub isn’t even about Bot Fight Mode. It’s about hCAPTCHA.

1 Like

No, I don’t need “Bot Fight Mode”, and it is currently disabled.

So I am not sure if upgrading to Pro will fix this issue or not.

May I know what is your website?

If you go to yoursite.com/cdn-cgi/bm/cv/2172558837/api.js do you get a 404? I get the file, which appears to be empty (but apparently I still get blacklisted because of it)

Every site at Cloudflare has a collection of resources in /cdn-cgi/. Whether or not it’s actually ever called is a different issue.

1 Like

I noticed something interesting:

If I turn off Bot Fight Mode, the file will return empty, but if I turn it on, I will get the JavaScript file content.

Anyway, @Ozy is your website still loading the file when you visit your own website? Because it shouldn’t be happening once you turned off Bot Fight Mode.

Edit: noted on your reply.

1 Like

Mine was always off. I don’t know if it sometimes does something even when turned off (this is what the article you linked to earlier implies) or if just the presence of that file, even when empty, is a red flag for those that make the blacklist.

Edit: Whenever I load that URL it is always empty. But I still got blacklisted because of it somehow.

Just noticed that. It could be caused by Captcha challenge issued by Cloudflare.

I lowered security to “Essentially off” but I still get that (empty) file.

I wonder If upgrading to Pro will make that file go away (i.e. that URL to return 404) or if it will still return an empty file.

Maybe somebody with a pro account could let me know?

I don’t get the bm/cv file on my free or pro plans, though I do get it on a Biz plan. But I do see the Disable JS Detections option on my Pro plan and Biz plan. Turning it off on Biz returned a 404 instead of the file I saw earlier.

p.s. I should note that I’ve be when using Firefox for all this and have never had a problem viewing my Biz Plan site. But take a look:

Thanks.

To clarify, when you visit /cdn-cgi/bm/cv/2172558837/api.js with your free site you get a 404 or an empty file? Does pro make any difference, or it is just like Free in this regard?

I get a 404 for your serial number.

Unable to test on Pro because I never saw the file.

Thanks. What settings do you have other than having “Bot Fight Mode” off? I can’t get mine to be 404 with the Free version.