Learn how Cloudflare User Agent Blocking blocks malicious user agents from visiting your website.
Overview
User Agent Blocking (UA) rules block specific browser or web application User-Agent request headers. UA rules apply to the entire domain instead of individual subdomains. UA rules are applied after Zone Lockdown rules, so permitting an IP address via Zone Lockdown skips UA rules.
The maximum number of allowed UA rules is based on plan type:
- Free: 10
- Lite: 50
- Pro: 50
- Pro Plus: 250
- Business: 250
- Enterprise: 1,000
Create a User Agent Blocking rule
1. Log in to your Cloudflare account.
2. Select the appropriate domain.
3. Navigate to Security > WAF > Tools.
4. Under User Agent Blocking, click Create Blocking Rule.
5. Enter the Name/Description.
6. Select an applicable Action of either Block, Legacy CAPTCHA, Managed Challenge, or JS challenge.
7. Enter the User Agent. For example, to block the Bad Bot web spider:
BadBot/1.0.2 (+http://bad.bot)
Note: Wildcards (*) are not supported.
8. Click Save and Deploy.