What Is Cloudflare Bot Management?

Paste into ChatGPT, Claude, or any LLM

On this page

Cloudflare Bot Management is the enterprise-tier ML scoring system Cloudflare runs on every request to a protected zone. Unlike Turnstile — a friction-light CAPTCHA widget that fires on specific endpoints — Bot Management scores every request silently and emits a Bot Score from 1 (definitely bot) to 99 (definitely human) that customer-side Workers and rules can act on. It sits behind roughly 20% of all internet traffic and trains its model on the entire Cloudflare network.

Tier	Enterprise add-on (Bot Fight Mode is the free downgrade)
Detection cookie	__cf_bm (rotates ~30 min), cf_clearance (after passed challenge)
Response header	cf-ray on every response; cf-mitigated: challenge when blocked
Output	Bot Score 1–99 + verified-bot label (e.g. Googlebot) on every request
Network advantage	Trained on global Cloudflare traffic — fingerprint burns are network-wide

How Bot Management scores a request

Bot Management computes the Bot Score at the Cloudflare edge before the origin server sees anything. The inputs are JA4 TLS fingerprint, HTTP/2 SETTINGS frame, IP reputation, ASN type, request rate patterns, and (when a JS challenge has fired previously) the __cf_bm cookie carrying the result. The score is exposed to the customer via the cf.bot_management.score field in Workers and in firewall rules.

The customer chooses what to do with the score. A common configuration is block under 30, challenge 30–60, allow above 60, with allowlists for verified bots (Googlebot, Bingbot — Cloudflare maintains the list and labels them). A scraper that fingerprints as Bot Score 12 will get blocked or challenged on every protected site simultaneously, because the model is shared.

Bot Management vs Turnstile vs Bot Fight Mode

Three Cloudflare products get conflated:

Product	Tier	What it does
Bot Fight Mode	Free	Blunt heuristic block of known datacenter / cloud IPs. Easy to detect (blocks before JS runs) and easy to bypass (residential proxy).
Bot Management	Enterprise	Continuous ML scoring per request. Hard to bypass without a coherent fingerprint across all four detection layers.
Turnstile	Free / managed	A widget you embed on a specific endpoint (login, signup). Issues `cf_clearance` on solve. Can be invoked by Bot Management as a challenge.

A protected site can run all three layered: Bot Fight Mode catches the cheap traffic, Bot Management scores the rest, Turnstile is surfaced when the score is borderline.

What works and what doesn't

Doesn't work: Python requests with a Chrome User-Agent (Bot Score ~3), Playwright with default settings (CDP leaks score ~15), datacenter proxies of any flavour, residential proxies with a mismatched timezone.

Works for free-tier (Bot Fight Mode): curl_cffi with Chrome impersonation + residential proxy is usually sufficient.

Works for Bot Management: Camoufox or CloakBrowser with a clean residential or ISP IP, matched Accept-Language, and patient request pacing. Hard deployments require a managed API. The signal a Bot Management deployment is in front of you is the cf-mitigated header on a block — Bot Fight Mode blocks return a plain 403 with no cf-mitigated.

Code example

python

# Bot Fight Mode is usually defeated by curl_cffi + a residential IP
from curl_cffi import requests

s = requests.Session(impersonate="chrome131")
proxies = {"https": "http://user:pass@residential:port"}

r = s.get("https://target.com/", proxies=proxies)

# Inspect to confirm what you're facing
cf_ray = r.headers.get("cf-ray")
cf_mitigated = r.headers.get("cf-mitigated")
print(f"cf-ray: {cf_ray}")            # Present = behind Cloudflare
print(f"cf-mitigated: {cf_mitigated}") # Present = Bot Management active
print(f"status: {r.status_code}")

Related terms

What Is Cloudflare Turnstile?

Cloudflare Turnstile is a CAPTCHA-replacement service that verifies a visitor is a human without showing a traditional puzzle. It runs a ser…

What Is TLS Fingerprinting (JA3/JA4)?

TLS fingerprinting is a technique that identifies an HTTP client from its TLS handshake — before the server reads a single request byte. The…

Anti-Bot Vendor Detection Cheatsheet

The first step of any scrape against a protected site is identifying which anti-bot vendor is in front of it. The vendor determines almost e…

What Is Cloudflare Error 1015?

Cloudflare error 1015 "You are being rate limited" is shown when a visitor has exceeded a rate-limiting rule configured by the site owner in…

What Is Anti-Bot Detection?

Anti-bot detection is the set of techniques websites use to distinguish automated traffic from human users — and to block, challenge, or thr…

What Is a Residential Proxy?

A residential proxy routes your HTTP traffic through a real residential internet connection — a home broadband or fiber line — instead of th…

What Is a 520 Error?

HTTP 520 is a non-standard Cloudflare status code meaning the origin server returned a response Cloudflare cannot interpret. The origin may …

Concept map

How Cloudflare Bot Management connects

The terms most directly tied to this one. Hover a node to see its neighbours, click to preview, drag to rearrange.

0 terms · 0 connections

You are here · Anti-Bot

Tools & solutions for this topic

Frequently asked questions

How is the Bot Score actually computed?

Cloudflare doesn't publish the model, but the inputs are public: JA4 TLS fingerprint, HTTP/2 framing, IP and ASN reputation, request cadence, the __cf_bm cookie if previously issued, and prior interactions with the Cloudflare network. The score is recomputed on every request — long-lived sessions can drift up or down.

Can I see my own Bot Score on a Cloudflare-protected site?

Only if the customer site exposes it (some debug pages do via the cf-bot-score response header when enabled). Otherwise inspect the cf-mitigated header on blocks — its presence indicates Bot Management decided to mitigate.

Is Bot Fight Mode enough of a signal to detect "Cloudflare without Bot Management"?

Yes. Bot Fight Mode blocks datacenter ASNs at the edge with a generic 403 — no cf-mitigated header, no JS challenge, no Turnstile. If you can pass with a clean residential IP and curl_cffi alone, you are facing Bot Fight Mode, not Bot Management.

Does the verified-bot list cover non-search engines?

Cloudflare's verified-bot category includes major search engines, monitoring services (UptimeRobot, Pingdom), social media link previewers, and some AI training crawlers (GPTBot, Claude-Web). The list is maintained by Cloudflare and customers cannot add to it directly.

Last updated: 2026-05-27