Based on my experience, this setting will not turn on automatically - unless you are the one who enabled it. This means, you are giving Cloudflare’s permission to inject a small JavaScript code to improve Bot Management products.
I did turn on bot fight mode, but it was not clear that that injects javascript. I thought it was more of a captive portal on cloudflare’s end, the typical “checking your browser before accessing…” page.
Where is the “JavaScript detections” setting? I can’t find it.
The JavaScript Detections (JSD) engine identifies headless browsers and other malicious fingerprints. This engine performs a lightweight, invisible JavaScript injection on the client side of any request while honoring our strict privacy standardsOpen external link. We do not collect any personally identifiable information during the process. The JSD engine either blocks, challenges, or passes requests to other engines.
checking raw HTTP requests can’t give any accurate nor updated protection against bot/DDoS attacks, javascript collectors/challenges are needed in order to properly classify traffic and determine whether if it’s potentially malicious or not.