
Create additional rules


With your first rule in place, you can then create a broader set of rules to protect your application.

Layer rules

If your application is a bit more complex - for example, receiving mobile application traffic and automated API traffic - you may need to layer your bot protection rules for the best results.

The following two rules might be useful for a site protecting against content scraping, or some other form of bots viewing resources intended for humans. Since the order of the rules matters for rule execution, you should always place your allow rules before block or challenge rules.

Rule 1 - Allow mobile app request

Expression: (http.user_agent contains "App_Name 2.0") and (cf.bot_management.ja3_hash eq "df669e7ea913f1ac0c0cce9a201a2ec1") and (ip.src in $mobile_app_ips)
Action: Allow

Rule 2 - Restrict automated traffic, but exclude /api path

Expression: (cf.bot_management.score lt 30) and not (cf.bot_management.verified_bot) and not (http.request.uri.path contains "/api")
Action: Managed Challenge
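
The ordering point above, as an added example that is not part of the Cloudflare documentation: a simplified Python model of Rule 1 and Rule 2 evaluated in both orders over constructed requests. It assumes first-match evaluation; the sample requests, the IP address standing in for $mobile_app_ips and all helper names are hypothetical.

```python
# Simplified model (assumption): rules run top to bottom and the first match
# decides the action. Requests, IPs and helper names are constructed.
APP_JA3 = "df669e7ea913f1ac0c0cce9a201a2ec1"   # JA3 hash from Rule 1
MOBILE_APP_IPS = {"198.51.100.10"}             # stand-in for $mobile_app_ips

def rule_allow_mobile(r):
    """Rule 1: all three conditions must hold, not just the User-Agent."""
    return ("App_Name 2.0" in r["user_agent"] and r["ja3_hash"] == APP_JA3
            and r["ip"] in MOBILE_APP_IPS)

def rule_challenge_automated(r):
    """Rule 2: low score, not a verified bot, path outside /api."""
    return (r["score"] < 30 and not r["verified_bot"]
            and "/api" not in r["path"])

ALLOW_FIRST = [(rule_allow_mobile, "allow"),
               (rule_challenge_automated, "managed_challenge")]
CHALLENGE_FIRST = list(reversed(ALLOW_FIRST))  # the ordering the page warns against

def evaluate(rules, request):
    """Return the action of the first rule whose expression matches."""
    for predicate, action in rules:
        if predicate(request):
            return action
    return "no_match"

def req(**fields):
    """Build a constructed request; defaults describe an ordinary browser."""
    base = {"user_agent": "Mozilla/5.0", "ja3_hash": "0" * 32, "ip": "203.0.113.7",
            "score": 90, "verified_bot": False, "path": "/articles"}
    return {**base, **fields}

SAMPLES = {
    "mobile_app": req(user_agent="App_Name 2.0 (iOS)", ja3_hash=APP_JA3,
                      ip="198.51.100.10", score=12, path="/feed"),
    "ua_only_match": req(user_agent="App_Name 2.0", score=5, path="/feed"),
    "api_client": req(score=3, path="/api/v1/items"),
    "verified_bot": req(score=1, verified_bot=True),
    "browser": req(),
}

if __name__ == "__main__":
    for name, r in SAMPLES.items():
        print(f"{name:14} allow-first={evaluate(ALLOW_FIRST, r):18}"
              f" challenge-first={evaluate(CHALLENGE_FIRST, r)}")
```

With the allow rule first, the low-scoring mobile app request is allowed; with the order reversed it is challenged. A request that matches only the User-Agent string is challenged in both orders.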

Protect specific endpoints

If bots are submitting data through your forms, your rules may be more focused on protecting specific, more vulnerable endpoints.

Expression: (cf.bot_management.score lt 30) and (http.request.method eq "POST") and (http.request.uri.path in {"/api/login" "/api-mobile/login"}) and not (cf.bot_management.verified_bot) and (not cf.bot_management.static_resource)
Action: Managed Challenge