Scraping detections

Scraping behavioral detection IDs allow you to better protect your website from volumetric scraping attacks by identifying anomalous behavior. The detection IDs below are specifically designed to catch suspicious scraping activity at the zone level.

Detection ID	Description
50331648	Observes patterns of requests sent to your zone, dynamically analyzing behavior by ASN.
50331649	Observes patterns of requests sent to your zone, dynamically analyzing behavior by JA4 fingerprint.

Challenges for scraping detections

Cloudflare's Managed Challenge can limit scraping attacks on your website.

To access scraping detections:

Old dashboard

1. Log in to the Cloudflare dashboard ↗, and select your account and domain.
2. Go to Security > WAF.
3. Under Custom rules, select Create rule.
4. Fill out the form using Bot Detection IDs along with other necessary information.
5. Select Save as draft to return to the rule later, or Deploy to deploy the rule.

New dashboard

1. In the Cloudflare dashboard, go to the Security rules page.

   Go to Security rules

2. Select Create rule and choose Custom rule.

3. Fill out the form using Bot Detection IDs along with other necessary information.

4. Select Save as draft to return to the rule later, or Deploy to deploy the rule.

Rule example

(any(cf.bot_management.detection_ids[*] eq 50331649))

Best practice

If you are choosing to challenge as your rule action, check for any API calls on which you do not want to issue a challenge. To exclude requests to such paths, edit the WAF custom rule to exclude the relevant paths.

Limit scraping requests with scraping detections

Rate limiting rules can limit the number of requests from a particular ASN or JA4 Fingerprint so long as it continues to exhibit suspicious behavior.

To use rate limiting rules with scraping detections:

Old dashboard

1. Log in to the Cloudflare dashboard ↗, and select your account and domain.
2. Go to Security > WAF.
3. Under Rate limiting rules, select Create rule.
4. Fill out the form using the Custom expression builder and cf.bot_management_detection_ids along with other necessary information.
5. Select Save as draft to return to the rule later, or Deploy to deploy the rule.

New dashboard

1. In the Cloudflare dashboard, go to the Security rules page.

   Go to Security rules

2. Select Create rule and choose Rate limiting rule.

3. Fill out the form using the Custom expression builder and cf.bot_management_detection_ids along with other necessary information.

4. Select Save as draft to return to the rule later, or Deploy to deploy the rule.

Note

Detection IDs 50331648 and 50331649 are dynamically recalculated, meaning a single fingerprint would not be permanently rate limited unless it continues to remain suspicious at all times. Rate limiting on these detection IDs allows for more lenient controls, as opposed to immediately challenging or blocking.