Skip to main content
The Bot Management API allows you to configure bot detection and mitigation settings for your zones. It supports Bot Fight Mode, Super Bot Fight Mode, and Bot Management for Enterprise with advanced ML-based bot detection.

Initialize the Bot Management resource

import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env.CLOUDFLARE_API_TOKEN,
});

const botManagement = client.botManagement;

Configuration management

Get configuration

Retrieve the current Bot Management configuration for a zone. 
const config = await client.botManagement.get({
  zone_id: '023e105f4ecef8ad9ca31a8372d0c353',
});

Update configuration

Update Bot Management settings for a zone. 
const config = await client.botManagement.update({
  zone_id: '023e105f4ecef8ad9ca31a8372d0c353',
  ai_bots_protection: 'block',
  cf_robots_variant: 'policy_only',
  crawler_protection: 'enabled',
  enable_js: true,
  fight_mode: false,
});
zone_id
string
required
Zone identifier
ai_bots_protection
string
Enable rule to block AI Scrapers and Crawlers. Options:
  • block - Block AI scrapers and crawlers
  • disabled - Allow AI scrapers and crawlers
  • only_on_ad_pages - Block only on ad pages (not available for Enterprise)
cf_robots_variant
string
Specifies the Robots Access Control License variant to use. Options:
  • off - Disable robots.txt management
  • policy_only - Use policy-based robots.txt
crawler_protection
string
Enable rule to punish AI Scrapers and Crawlers via a link maze. Options:
  • enabled - Enable crawler protection
  • disabled - Disable crawler protection
enable_js
boolean
Use lightweight, invisible JavaScript detections to improve Bot Management. Learn more about JavaScript Detections.
fight_mode
boolean
Whether to enable Bot Fight Mode
is_robots_txt_managed
boolean
Enable cloudflare managed robots.txt. If an existing robots.txt is detected, then managed robots.txt will be prepended to the existing robots.txt.

Bot Fight Mode configuration

Bot Fight Mode is a basic bot protection plan suitable for smaller sites. 
const config = await client.botManagement.update({
  zone_id: '023e105f4ecef8ad9ca31a8372d0c353',
  fight_mode: true,
  enable_js: true,
  ai_bots_protection: 'block',
});

Super Bot Fight Mode configuration

Super Bot Fight Mode provides enhanced bot protection with more granular control.

Super Bot Fight Mode - Definitely automated

const config = await client.botManagement.update({
  zone_id: '023e105f4ecef8ad9ca31a8372d0c353',
  sbfm_definitely_automated: 'managed_challenge',
  sbfm_verified_bots: 'allow',
  sbfm_static_resource_protection: false,
  optimize_wordpress: true,
});
sbfm_definitely_automated
string
Action to take on definitely automated requests. Options:
  • allow - Allow the request
  • block - Block the request
  • managed_challenge - Issue a managed challenge
sbfm_verified_bots
string
Action to take on verified bot requests. Options:
  • allow - Allow verified bots
  • block - Block verified bots
sbfm_static_resource_protection
boolean
Enable static resource protection. Enable if static resources on your application need bot protection. Note: This can also result in legitimate traffic being blocked.
optimize_wordpress
boolean
Whether to optimize Super Bot Fight Mode protections for WordPress

Super Bot Fight Mode - Likely automated

const config = await client.botManagement.update({
  zone_id: '023e105f4ecef8ad9ca31a8372d0c353',
  sbfm_definitely_automated: 'managed_challenge',
  sbfm_likely_automated: 'managed_challenge',
  sbfm_verified_bots: 'allow',
  sbfm_static_resource_protection: false,
});
sbfm_likely_automated
string
Action to take on likely automated requests. Options:
  • allow - Allow the request
  • block - Block the request
  • managed_challenge - Issue a managed challenge

Bot Management for Enterprise configuration

Enterprise Bot Management provides the most advanced bot detection using machine learning. 
const config = await client.botManagement.update({
  zone_id: '023e105f4ecef8ad9ca31a8372d0c353',
  auto_update_model: true,
  bm_cookie_enabled: true,
  enable_js: true,
  suppress_session_score: false,
  ai_bots_protection: 'block',
});
auto_update_model
boolean
Automatically update to the newest bot detection models created by Cloudflare as they are released. Learn more.
bm_cookie_enabled
boolean
Indicates that the bot management cookie can be placed on end user devices accessing the site. Defaults to true.
suppress_session_score
boolean
Whether to disable tracking the highest bot score for a session in the Bot Management cookie

Cleaning up configuration after plan changes

When upgrading or downgrading your bot management plan, you may need to clean up old configurations.

Clean up for Bot Fight Mode

await client.botManagement.update({
  zone_id: '023e105f4ecef8ad9ca31a8372d0c353',
  sbfm_likely_automated: 'allow',
  sbfm_definitely_automated: 'allow',
  sbfm_verified_bots: 'allow',
  sbfm_static_resource_protection: false,
  optimize_wordpress: false,
  suppress_session_score: false,
});

Clean up for Super Bot Fight Mode Pro

await client.botManagement.update({
  zone_id: '023e105f4ecef8ad9ca31a8372d0c353',
  sbfm_likely_automated: 'allow',
  fight_mode: false,
});

Clean up for Super Bot Fight Mode Business

await client.botManagement.update({
  zone_id: '023e105f4ecef8ad9ca31a8372d0c353',
  fight_mode: false,
});

Clean up for Bot Management Enterprise

Ensure you have custom rules in place to protect your zone before disabling SBFM rules. Without these protections, your zone is vulnerable to attacks.
await client.botManagement.update({
  zone_id: '023e105f4ecef8ad9ca31a8372d0c353',
  sbfm_likely_automated: 'allow',
  sbfm_definitely_automated: 'allow',
  sbfm_verified_bots: 'allow',
  sbfm_static_resource_protection: false,
  optimize_wordpress: false,
  fight_mode: false,
});

Response types

BotFightModeConfiguration

Configuration for Bot Fight Mode.
fight_mode
boolean
Whether Bot Fight Mode is enabled
enable_js
boolean
Whether JavaScript detections are enabled
ai_bots_protection
string
AI bots protection setting
cf_robots_variant
string
Robots Access Control License variant
crawler_protection
string
Crawler protection setting
is_robots_txt_managed
boolean
Whether robots.txt is managed by Cloudflare
using_latest_model
boolean
Whether the zone is using the latest ML model
stale_zone_configuration
object
Unauthorized settings currently active on the zone (typically from upgrades/downgrades)

SubscriptionConfiguration

Configuration for Enterprise Bot Management subscription.
auto_update_model
boolean
Whether automatic model updates are enabled
bm_cookie_enabled
boolean
Whether the bot management cookie is enabled
suppress_session_score
boolean
Whether session score tracking is suppressed
enable_js
boolean
Whether JavaScript detections are enabled
ai_bots_protection
string
AI bots protection setting
using_latest_model
boolean
Whether the zone is using the latest ML model

Build docs developers (and LLMs) love

Get started for freeTalk to us