Rant, Cloudflare Bot Fight Mode doesn’t provide firewall bypass or whitelist?

So my rant today is directed at Cloudflare. Why? Because they really kinda pissed me off here.

There is a feature under all Cloudflare plans called “Bot Fight Mode” which is supposed to help with blocking bots or automated attacks, for instance if you suffer from card testing attacks.

But here’s the problem: what if Cloudflare thinks Zapier is a bot? Or the origin IP address of the DNS record, aka your server? You’re screwed unless you have an enterprise plan.

The Cloudflare firewall only comes into play after Bot Fight Mode and before the IP Access Rules. So you can add the origin IP address of your server to the IP Access Rules and bypass Bot Fight Mode. However, for Zapier, since they’re on AWS, that could mean allowing all of AWS, which is a huge network, and attacks can originate from AWS.

Ideally, you would put in a firewall rule to allow the Zapier endpoint *wc-zapier* to bypass the Bot Fight Mode. But you can’t.

There’s lots of talk on the Cloudflare community forums.

If you have a bot or automation software like Zapier, you can submit it to Cloudflare to be whitelisted, as per this FAQ article.


I’ve submitted Zapier so we’ll see what happens!