User Agent Blocking
User Agent Blocking allows you to block specific browser or web application User-Agent request headers ↗. User agent rules apply to the entire domain instead of individual subdomains.
User agent rules are applied after zone lockdown rules. If you allow an IP address via Zone Lockdown, it will skip any user agent rules.
Cloudflare User Agent Blocking is available on all plans. However, this feature is only available in the new security dashboard if you have configured at least one user agent rule.
The number of available user agent rules depends on your Cloudflare plan.
| Free | Pro | Business | Enterprise | |
|---|---|---|---|---|
| Availability | Yes | Yes | Yes | Yes | 
| Number of rules | 10 | 50 | 250 | 1,000 | 
- 
Log in to the Cloudflare dashboard ↗ and select your account and domain. 
- 
Go to Security > WAF, and select the Tools tab. 
- 
Under User Agent Blocking, select Create blocking rule. 
- 
Enter a descriptive name for the rule in Name/Description. 
- 
In Action, select the action to perform: Managed Challenge, Block, JS Challenge, or Interactive Challenge. 
- 
Enter a user agent value in User Agent (wildcards such as *are not supported). For example, to block the Bad Bot web spider, enterBadBot/1.0.2 (+http://bad.bot).
- 
Select Save and Deploy blocking rule. 
- 
Log in to the Cloudflare dashboard ↗ and select your account and domain. 
- 
Go to Security > Security rules, and select Create rule > User agent rules. 
- 
Enter a descriptive name for the rule in Name/Description. 
- 
In Action, select the action to perform: Managed Challenge, Block, JS Challenge, or Interactive Challenge. 
- 
Enter a user agent value in User Agent (wildcards such as *are not supported). For example, to block the Bad Bot web spider, enterBadBot/1.0.2 (+http://bad.bot).
- 
Select Save and Deploy blocking rule. 
Issue a POST request for the Create a User Agent Blocking rule operation similar to the following:
Required API token permissions
 
At least one of the following token permissions 
is required:
- Firewall Services Write
curl "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/firewall/ua_rules" \  --request POST \  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \  --json '{    "description": "Block Bad Bot web spider",    "mode": "block",    "configuration": {        "target": "ua",        "value": "BadBot/1.0.2 (+http://bad.bot)"    }  }'Was this helpful?
- Resources
- API
- New to Cloudflare?
- Directory
- Sponsorships
- Open Source
- Support
- Help Center
- System Status
- Compliance
- GDPR
- Company
- cloudflare.com
- Our team
- Careers
- © 2025 Cloudflare, Inc.
- Privacy Policy
- Terms of Use
- Report Security Issues
- Trademark