Cloudflare Docs
Visit WAF on GitHub
Set theme to dark (⇧+D)

Cloudflare User Agent Blocking

User Agent Blocking rules block specific browser or web application  User-Agent request headers. These rules apply to the entire domain instead of individual subdomains.

User Agent Blocking rules are applied after Zone Lockdown rules. If you allow an IP address via Zone Lockdown, it will skip any User Agent Blocking rules.

​​ Availability

Cloudflare User Agent Blocking is available on all plans. The number of available User Agent Blocking rules depends on your Cloudflare plan.

Free Pro Business Enterprise


Yes Yes Yes Yes

Number of rules

10 50 250 1,000

​​ Create a User Agent Blocking rule

  1. Log in to the Cloudflare dashboard and select your account and domain.

  2. Go to Security > WAF, and select the Tools tab.

  3. Under User Agent Blocking, select Create blocking rule

  4. Enter a descriptive name for the rule in Name/Description.

  5. In Action, select the action to perform: Managed Challenge, Block, JS Challenge, or Interactive Challenge.

  6. Enter a user agent value in User Agent (wildcards such as * are not supported). For example, to block the Bad Bot web spider, enter BadBot/1.0.2 (+

  7. Select Save and Deploy blocking rule.

Issue a POST request for the Create a User Agent Blocking rule operation.

For example:

curl "{zone_id/firewall/ua_rules" \
--header "X-Auth-Email: <EMAIL>" \
--header "X-Auth-Key: <API_KEY>" \
--header "Content-Type: application/json" \
--data '{
"description": "Block Bad Bot web spider",
"mode": "block",
"configuration": {
"target": "ua",
"value": "BadBot/1.0.2 (+"