Super Bot Fight Mode
By the end of this lesson you will understand how Super Bot Fight Mode detects and blocks automated traffic, and how to configure it for your site.
What Is Super Bot Fight Mode?
Super Bot Fight Mode (SBFM) is a Cloudflare feature that automatically detects and blocks malicious bot traffic. It uses machine learning and behavioral analysis to classify visitors as human, verified bot (like Googlebot), or unverified bot.
```mermaid
flowchart TD
REQUEST["Incoming Request"] --> CLASSIFY{"Bot Score\nClassification"}
CLASSIFY -->|"Likely Human\n(Score 30-100)"| PASS["✅ Allow"]
CLASSIFY -->|"Verified Bot\n(Googlebot, Bingbot)"| VERIFIED["✅ Allow\n(Known good bots)"]
CLASSIFY -->|"Likely Bot\n(Score 1-29)"| ACTION{"SBFM\nAction"}
ACTION -->|"Challenge"| CHALLENGE["Managed Challenge"]
ACTION -->|"Block"| BLOCK["❌ Block"]
style PASS fill:#16a34a,color:#fff,stroke:#15803d
style VERIFIED fill:#2563eb,color:#fff,stroke:#1e40af
style BLOCK fill:#dc2626,color:#fff,stroke:#b91c1c
```
Bot Score
Cloudflare assigns a bot score (1–99) to every request:
| Score | Classification | Examples |
|---|---|---|
| 1–29 | Likely automated (bot) | Scrapers, credential stuffers, spam bots |
| 30–49 | Uncertain | Could be a bot or a human on an unusual network |
| 50–99 | Likely human | Regular browser users |
| Verified Bot | Known good bot (separate classification) | Googlebot, Bingbot, Cloudflare monitoring |
SBFM vs Full Bot Management
| Feature | Super Bot Fight Mode (Free/Pro) | Bot Management (Enterprise) |
|---|---|---|
| Bot score | ✅ Basic classification | ✅ Detailed 1-99 scoring |
| Verified bots | ✅ Allow-list | ✅ Granular control |
| Action options | Challenge or Block | Challenge, Block, or custom (Workers) |
| Custom rules using bot score | ❌ | ✅ |
| Analytics | Basic | Detailed bot analytics |
| JavaScript detection | ✅ | ✅ + ML fingerprinting |
| Cost | Free / Pro | Enterprise |
Configuring Super Bot Fight Mode
Free Plan
- Go to Security → Bots
- Under Bot Fight Mode, toggle On
On the free plan, Bot Fight Mode is a single toggle:
- You can enable or disable Bot Fight Mode
- When enabled, it challenges requests that appear to be automated
Pro Plan
On the Pro plan, you get Super Bot Fight Mode with more options:
| Setting | Options |
|---|---|
| Definitely automated | Allow, Block, or Managed Challenge |
| Likely automated | Allow, Block, or Managed Challenge |
| Verified bots | Allow or Block |
| Static resource protection | On/Off (protects JS, CSS, images from bots) |
| JavaScript detection | On/Off (injects a lightweight JS snippet for detection) |
Be cautious when blocking "Likely automated" traffic — this can cause false positives for users on VPNs, corporate networks, or unusual browser configurations.
What SBFM Protects Against
| Threat | Description |
|---|---|
| Content scraping | Bots that copy your content for competing sites |
| Credential stuffing | Automated login attempts using stolen credentials |
| Inventory hoarding | Bots that add items to shopping carts without purchasing |
| Comment/form spam | Automated spam submissions |
| Price scraping | Competitors tracking your pricing |
| SEO spam | Bots generating fake backlinks or traffic |
Verified Bots
Cloudflare maintains a list of verified bots — legitimate crawlers that you typically want to allow:
| Bot | Purpose |
|---|---|
| Googlebot | Google search indexing |
| Bingbot | Bing search indexing |
| Yandexbot | Yandex search indexing |
| Slurp | Yahoo search indexing |
| DuckDuckBot | DuckDuckGo indexing |
| Facebot | Facebook link preview |
| Twitterbot | Twitter card preview |
| LinkedInBot | LinkedIn link preview |
SBFM allows verified bots by default. These bots are identified by their IP ranges and reverse DNS, not just their User-Agent (which can be spoofed).
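One way to run the same kind of check at your origin is forward-confirmed reverse DNS. This is an added example, not Cloudflare's code or part of the original lesson. The sample addresses and DNS records are constructed from documentation ranges, `check_sample` is a hypothetical helper, and the domain suffixes are the ones Google and Bing publish for their crawlers.

```python
import ipaddress
import socket

# Reverse-DNS suffixes published by Google and Bing for their crawlers.
CRAWLER_SUFFIXES = {
    "googlebot": (".googlebot.com", ".google.com"),
    "bingbot": (".search.msn.com",),
}

def system_ptr(ip):
    """PTR lookup through the system resolver; None when no record exists."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def system_forward(host):
    """A/AAAA lookup through the system resolver; empty set on failure."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(host, None)}
    except OSError:
        return set()

def verify_crawler(ip, user_agent, ptr=system_ptr, forward=system_forward):
    """Return (verdict, detail) for a request whose User-Agent names a crawler."""
    ua = user_agent.lower()
    claimed = next((name for name in CRAWLER_SUFFIXES if name in ua), None)
    if claimed is None:
        return ("no-crawler-claim", None)
    host = (ptr(ip) or "").rstrip(".").lower()
    # Leading dot in each suffix rejects names like googlebot.com.attacker.example.
    if not host.endswith(CRAWLER_SUFFIXES[claimed]):
        return ("spoofed", f"PTR {host or 'missing'} is outside {claimed} domains")
    # Whoever owns an address block sets its PTR, so the name must resolve back.
    if ipaddress.ip_address(ip) not in {ipaddress.ip_address(a) for a in forward(host)}:
        return ("spoofed", f"{host} does not resolve back to {ip}")
    return ("verified", host)

# Constructed sample data (documentation address ranges, not real crawler IPs).
SAMPLE_PTR = {
    "192.0.2.10": "crawl-192-0-2-10.googlebot.com.",
    "198.51.100.7": "googlebot.com.attacker.example.",
    "203.0.113.5": "crawl-192-0-2-10.googlebot.com.",  # forged PTR
}
SAMPLE_A = {"crawl-192-0-2-10.googlebot.com": {"192.0.2.10"}}
GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

def check_sample(ip, ua=GOOGLEBOT_UA):
    return verify_crawler(ip, ua, SAMPLE_PTR.get, lambda h: SAMPLE_A.get(h, set()))
```

Calling `verify_crawler(ip, user_agent)` without the last two arguments uses the system resolver instead of the constructed tables.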
Common Misconceptions
"Bot Fight Mode blocks all bots"
Reality: SBFM specifically targets malicious and unverified bots. Verified bots (search engines, social media crawlers) are allowed through by default.
"SBFM replaces a WAF"
Reality: SBFM handles bot detection. A WAF (Web Application Firewall) handles vulnerability exploitation (SQL injection, XSS, etc.). The two complement each other. WAF is a paid feature.
"Enabling SBFM will break my API"
Reality: If your API is called by legitimate automated clients, SBFM may challenge or block them. For APIs consumed by automated clients, consider excluding those paths from SBFM using custom rules (Pro+) or using API tokens for authentication.
Key Takeaways
- Super Bot Fight Mode provides automated bot detection — free on all plans.
- It classifies traffic using a bot score (1-99) and verified bot detection.
- Verified bots (Googlebot, Bingbot) are allowed by default.
- The free plan offers basic on/off toggle; Pro adds granular control.
- SBFM protects against scraping, credential stuffing, form spam, and more.
- Be careful with aggressive settings — they can cause false positives for VPN/corporate users.
What's Next
- Continue to Zero Trust and SASE to learn about Cloudflare's Zero Trust security platform.