What Is Cloudflare Bot Management?

By the Scrappey Research Team

Paste into ChatGPT, Claude, or any LLM

What Is Cloudflare Bot Management? — conceptual illustration

On this page

Cloudflare Bot Management is the enterprise-tier ML scoring system Cloudflare runs on every request to a protected zone. In plain terms: it watches each incoming request and uses machine learning (ML) to guess whether a human or a script sent it. Unlike Turnstile — a friction-light CAPTCHA widget that fires on specific endpoints — Bot Management scores every request silently and emits a Bot Score from 1 (definitely bot) to 99 (definitely human) that customer-side Workers and rules can act on. It sits behind roughly 20% of all internet traffic and trains its model on the entire Cloudflare network.

Tier	Enterprise add-on (Bot Fight Mode is the free downgrade)
Detection cookie	__cf_bm (rotates ~30 min), cf_clearance (after passed challenge)
Response header	cf-ray on every response; cf-mitigated: challenge when blocked
Output	Bot Score 1–99 + verified-bot label (e.g. Googlebot) on every request
Network advantage	Trained on global Cloudflare traffic — fingerprint burns are network-wide

How Bot Management scores a request

Cloudflare calculates the Bot Score at its edge — the network of servers between the visitor and the website — before the origin server (the customer's actual backend) ever sees the request. The inputs are the JA4 TLS fingerprint (a signature of how the client opens an encrypted https connection), the HTTP/2 SETTINGS frame (low-level connection settings that often give away automation tools), IP reputation, ASN type (the kind of network the IP belongs to, e.g. a datacenter vs. a home ISP), request rate patterns, and — when a JavaScript challenge has fired previously — the __cf_bm cookie carrying the result. The score is exposed to the customer via the cf.bot_management.score field in Workers and in firewall rules.

The customer decides what to do with the score. A common setup is block under 30, challenge 30–60, allow above 60, with allowlists for verified bots (Googlebot, Bingbot — Cloudflare maintains the list and labels them). Because the model is shared across the whole network, a scraper that fingerprints as Bot Score 12 will get blocked or challenged on every protected site at once.

Bot Management vs Turnstile vs Bot Fight Mode

Three Cloudflare products are easy to mix up, so here is how they differ:

Product	Tier	What it does
Bot Fight Mode	Free	Blunt heuristic block of known datacenter / cloud IPs. Easy to identify (blocks before JS runs) and the lightest of the three layers; a residential proxy changes the IP reputation it keys on.
Bot Management	Enterprise	Continuous ML scoring per request. Authorized automation needs a coherent, consistent browser configuration across all four detection layers to score as a normal client.
Turnstile	Free / managed	A widget you embed on a specific endpoint (login, signup). Issues `cf_clearance` on solve. Can be invoked by Bot Management as a challenge.

A single protected site can run all three in layers: Bot Fight Mode catches the cheap traffic, Bot Management scores the rest, and Turnstile is shown when the score is borderline.

How different clients score

Scores as a bot: Python requests with a Chrome User-Agent — the header claims Chrome but the connection fingerprint doesn't match, so Bot Score lands around 3. Playwright with default settings also scores low, because CDP (the Chrome DevTools Protocol it uses to drive the browser) leaks and the score is ~15. Datacenter proxies of any flavour, and residential proxies with a mismatched timezone, score poorly too.

For authorized automation behind the free tier (Bot Fight Mode): curl_cffi with Chrome impersonation (it copies Chrome's real TLS fingerprint) plus a residential proxy generally presents a consistent client.

For authorized automation behind Bot Management: a real browser such as Camoufox or CloakBrowser with a clean residential or ISP IP, a matched Accept-Language header, and patient request pacing keeps the configuration coherent. High-volume workflows on sites you are permitted to access often route through a managed API. The tell-tale sign that Bot Management (not the free tier) is in front of you is the cf-mitigated header on a block — Bot Fight Mode blocks return a plain 403 with no cf-mitigated.

Code example

python

# Detecting which Cloudflare layer is in front of you (use on sites you are permitted to access)
from curl_cffi import requests

s = requests.Session(impersonate="chrome131")
proxies = {"https": "http://user:pass@residential:port"}

r = s.get("https://target.com/", proxies=proxies)

# Inspect to confirm what you're facing
cf_ray = r.headers.get("cf-ray")
cf_mitigated = r.headers.get("cf-mitigated")
print(f"cf-ray: {cf_ray}")            # Present = behind Cloudflare
print(f"cf-mitigated: {cf_mitigated}") # Present = Bot Management active
print(f"status: {r.status_code}")

Related terms

What Is Cloudflare Turnstile?

Cloudflare Turnstile is a service that checks whether a visitor is a real human, but without showing the kind of puzzle a normal CAPTCHA doe…

What Is TLS Fingerprinting (JA3/JA4)?

TLS fingerprinting is a way to recognize what software made a connection just by looking at how it sets up encryption — before the server re…

Anti-Bot Vendor Detection Cheatsheet

A useful first step when working with any protected site you are authorized to access is identifying which anti-bot vendor sits in front of …

What Is Cloudflare Error 1015?

Cloudflare error 1015 "You are being rate limited" means a website is blocking you because you sent too many requests too quickly. The site …

What Is Anti-Bot Detection?

Anti-bot detection is the set of techniques websites use to tell automated traffic apart from real human visitors — and then block, challeng…

What Is a Residential Proxy?

A residential proxy sends your web traffic through a real home internet connection — a regular broadband or fiber line — instead of through …

What Is a 520 Error?

HTTP 520 is a non-standard Cloudflare status code meaning the origin server returned a response Cloudflare cannot interpret. Cloudflare is a…

Concept map

How Cloudflare Bot Management connects

The terms most directly tied to this one. Hover a node to see its neighbours, click to preview, drag to rearrange.

0 terms · 0 connections

You are here · Anti-Bot

Tools & solutions for this topic

Frequently asked questions

How is the Bot Score actually computed?

Cloudflare doesn't publish the model, but the inputs are public: the JA4 TLS fingerprint, HTTP/2 framing, IP and ASN reputation, request cadence, the __cf_bm cookie if one was issued earlier, and prior interactions with the Cloudflare network. The score is recalculated on every request, so a long-lived session can drift up or down over time.

Can I see my own Bot Score on a Cloudflare-protected site?

Only if the site chooses to expose it — some debug pages do, via the cf-bot-score response header when it's enabled. Otherwise, inspect the cf-mitigated header on blocked requests: if it's present, Bot Management decided to mitigate (block or challenge) you.

Is Bot Fight Mode enough of a signal to detect "Cloudflare without Bot Management"?

Yes. Bot Fight Mode blocks datacenter ASNs (datacenter networks) at the edge with a generic 403 — no cf-mitigated header, no JS challenge, no Turnstile. If you can get through with just a clean residential IP and curl_cffi, you are facing Bot Fight Mode, not the heavier Bot Management.

Does the verified-bot list cover non-search engines?

Yes. Cloudflare's verified-bot category includes major search engines, monitoring services (UptimeRobot, Pingdom), social media link previewers, and some AI training crawlers (GPTBot, Claude-Web). Cloudflare maintains this list itself, and customers cannot add to it directly.

Last updated: 2026-05-31