cloudflare · pedrosousa · May 7, 2025 · May 5, 2025 · May 5, 2025 · May 5, 2025
@@ -32,7 +32,7 @@ _Note: During a JavaScript challenge you will be shown an interstitial page for
 
 A request that came from an IP address that is not trusted by Cloudflare based on the threat score.
 
-Cloudflare uses threat scores gathered from sources such as Project Honeypot, as well as our own communities' traffic to determine whether a visitor is legitimate or malicious. When a legitimate visitor passes a challenge, that helps offset the threat score against the previous negative behavior seen from that IP address. Our system learns who is a threat from this activity.
+Previously, a threat score represented a Cloudflare threat score from 0–100, where 0 indicates low risk. Now, the threat score is always `0` (zero).
 
 ## Country block
 
@@ -68,4 +68,4 @@ Request that came from a bot.
 
 Unclassified threats comprises a number of automatic blocks that are not related to the Browser Integrity Challenge (Bad Browser). These threats usually relate to Hotlink Protection, and other actions that happen on Cloudflare's global network based on the composition of the request (and not its content).
 
-Unclassified means a number of conditions under which we group common threats related to Hotlink Protection as well as certain cases of IP reputation and specific requests that are blocked at Cloudflare's global network before reaching your servers.
+Unclassified means a number of conditions under which we group common threats related to Hotlink Protection as well as specific requests that are blocked at Cloudflare's global network before reaching your servers.
@@ -4,12 +4,10 @@ source: https://support.cloudflare.com/hc/en-us/articles/204964927-How-does-Clou
 title: Total threats stopped
 ---
 
-Total Threats Stopped measures the number of “suspicious” and “bad” requests that were aimed at your site. Requests receive these labels by our IP Reputation Database as they enter Cloudflare’s network:
+Total Threats Stopped measures the number of “suspicious” and “bad” requests that were aimed at your site. Requests receive these labels as they enter Cloudflare’s network:
 
 - **Legitimate:** Request passed directly to your site.
 - **Suspicious:** Request has been challenged with a [Cloudflare challenge](/fundamentals/security/cloudflare-challenges/).
-- **Bad:** Request has been blocked because our Browser Integrity Check, or because of user configured settings like WAF rules or IP range block.
-
-Cloudflare uses threat scores gathered from sources such as Project Honeypot, as well as our own communities' traffic to determine whether a visitor is legitimate or malicious. When a legitimate visitor passes a challenge, that helps offset the threat score against the previous negative behavior seen from that IP address. Our system learns who is a threat from this activity.
+- **Bad:** Request has been blocked because our Browser Integrity Check, or because of user configured settings like WAF rules or IP Access rules.
 
 In addition to threat analytics you can also monitor search engine crawlers going to your websites. For most websites, threats and crawlers make up 20% to 50% of traffic.
@@ -26,20 +26,19 @@ import { GlossaryTooltip } from "~/components";
 
 2. Enter a URL to trace. The URL must include a hostname that belongs to your account.
 
-3. Select an HTTP method. If you select _POST_, _PUT_, or _PATCH_, you should enter a value in **Request body**.
+3. Select an HTTP method. If you select _POST_, _PUT_, or _PATCH_, you should enter a value in **Request Body**.
 
 4. (Optional) Define any custom request properties to simulate the conditions of a specific HTTP/S request. You can customize the following request properties:
 
    - **Protocol** (HTTP protocol version)
-   - **Request headers**
+   - **User Agent and Request Headers**
    - **Cookies**
    - **Geolocation** (request source [country](/ruleset-engine/rules-language/fields/reference/ip.src.country/), [region](/ruleset-engine/rules-language/fields/reference/ip.src.region/), and [city](/ruleset-engine/rules-language/fields/reference/ip.src.city/))
-   - [**Bot score**](/bots/concepts/bot-score/)
-   - **Threat score**
-   - **Request body** (for `POST`, `PUT`, and `PATCH` requests)
-   - **Skip challenge** (skips a Cloudflare-issued [challenge](/fundamentals/security/cloudflare-challenges/), if any, allowing the trace to continue)
+   - [**Bot Score**](/bots/concepts/bot-score/)
+   - **Request Body** (for `POST`, `PUT`, and `PATCH` requests)
+   - **Skip Challenge** (skips a Cloudflare-issued [challenge](/fundamentals/security/cloudflare-challenges/), if any, allowing the trace to continue)
 
-5. Select **Send trace**.
+5. Select **Send Trace**.
 
 ### 3. Assess results
 

@@ -192,18 +192,18 @@ Drop DDoS attacks through L7 mitigation.
 
 The macro stage is comprised of many different paths. They are categorized by the reputation of the visitor IP.
 
-| EdgePathingStatus | Description                                                                                                                                                                                                                                                                  | EdgePathingOp | EdgePathingSrc |
-| ----------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------  | ------------- | -------------- |
-| `nr`              | There is no reputation data for the IP and no action is being taken.                                                                                                                                                                                                         | `wl`          | `macro`        |
-| `wl`              | IP is explicitly allowlisted.                                                                                                                                                                                                                                                | `wl`          | `macro`        |
-| `scan`            | IP is explicitly allowlisted and categorized as a security scanner.                                                                                                                                                                                                          | `wl`          | `macro`        |
-| `mon`             | IP is explicitly allowlisted and categorized as a Monitoring Service.                                                                                                                                                                                                        | `wl`          | `macro`        |
-| `bak`             | IP is explicitly allowlisted and categorized as a Backup Service.                                                                                                                                                                                                            | `wl`          | `macro`        |
-| `mob`             | IP is explicitly allowlisted and categorized as Mobile Proxy Service.                                                                                                                                                                                                        | `wl`          | `macro`        |
-| `se`              | IP is explicitly allowlisted as it belongs to a search engine crawler and no action is taken.                                                                                                                                                                                | `wl`          | `macro`        |
-| `grey`            | IP is greylisted (suspected to be bad) but the request was either for a favicon or security is turned off and as such, it is allowlisted.                                                                                                                                    | `wl`          | `macro`        |
-| `bad_ok`          | The reputation score of the IP is bad but the request was either for a favicon or security is turned off and as such, it is allowlisted. Alternatively, the <GlossaryTooltip term="threat score">threat score</GlossaryTooltip> of the IP is in the accepted security level. | `wl`          | `macro`        |
-| `unknown`         | The `pathing_status` is unknown and the request is being processed as normal.                                                                                                                                                                                                | `wl`          | `macro`        |
+| EdgePathingStatus | Description                                                                                                                               | EdgePathingOp | EdgePathingSrc |
+| ----------------- | ----------------------------------------------------------------------------------------------------------------------------------------- | ------------- | -------------- |
+| `nr`              | There is no reputation data for the IP and no action is being taken.                                                                      | `wl`          | `macro`        |
+| `wl`              | IP is explicitly allowlisted.                                                                                                             | `wl`          | `macro`        |
+| `scan`            | IP is explicitly allowlisted and categorized as a security scanner.                                                                       | `wl`          | `macro`        |
+| `mon`             | IP is explicitly allowlisted and categorized as a Monitoring Service.                                                                     | `wl`          | `macro`        |
+| `bak`             | IP is explicitly allowlisted and categorized as a Backup Service.                                                                         | `wl`          | `macro`        |
+| `mob`             | IP is explicitly allowlisted and categorized as Mobile Proxy Service.                                                                     | `wl`          | `macro`        |
+| `se`              | IP is explicitly allowlisted as it belongs to a search engine crawler and no action is taken.                                             | `wl`          | `macro`        |
+| `grey`            | IP is greylisted (suspected to be bad) but the request was either for a favicon or security is turned off and as such, it is allowlisted. | `wl`          | `macro`        |
+| `bad_ok`          | The reputation score of the IP is bad but the request was either for a favicon or security is turned off and as such, it is allowlisted.  | `wl`          | `macro`        |
+| `unknown`         | The `pathing_status` is unknown and the request is being processed as normal.                                                             | `wl`          | `macro`        |
 
 ## Rate Limiting
 

@@ -37,9 +37,9 @@ The response will include the rule ID of the new rules in the `id` field.
 		rules: [
 			{
 				expression:
-					'(ip.src.country eq "GB" or ip.src.country eq "FR") or cf.threat_score > 0',
+					'(ip.src.country in {"GB" "FR"} and cf.bot_management.score < 20 and not cf.bot_management.verified_bot)',
 				action: "challenge",
-				description: "challenge GB and FR or based on IP Reputation",
+				description: "challenge GB and FR based on bot score",
 			},
 			{
 				expression: 'not http.request.uri.path matches "^/api/.*$"',
@@ -62,8 +62,8 @@ The response will include the rule ID of the new rules in the `id` field.
 				"id": "<CUSTOM_RULE_ID_1>",
 				"version": "1",
 				"action": "challenge",
-				"expression": "(ip.src.country eq \"GB\" or ip.src.country eq \"FR\") or cf.threat_score \u003e 0",
-				"description": "challenge GB and FR or based on IP Reputation",
+				"expression": "(ip.src.country in {\"\GB" \"FR\"} and cf.bot_management.score < 20 and not cf.bot_management.verified_bot)",
+				"description": "challenge GB and FR based on bot score",
 				"last_updated": "2021-03-18T18:25:08.122758Z",
 				"ref": "<CUSTOM_RULE_REF_1>",
 				"enabled": true
@@ -136,8 +136,8 @@ The response will include the modified custom ruleset. Note that the updated rul
 				"id": "<CUSTOM_RULE_ID_1>",
 				"version": "1",
 				"action": "challenge",
-				"expression": "(ip.src.country eq \"GB\" or ip.src.country eq \"FR\") or cf.threat_score \u003e 0",
-				"description": "challenge GB and FR or based on IP Reputation",
+				"expression": "(ip.src.country in {\"\GB" \"FR\"} and cf.bot_management.score < 20 and not cf.bot_management.verified_bot)",
+				"description": "challenge GB and FR based on bot score",
 				"last_updated": "2021-03-18T18:25:08.122758Z",
 				"ref": "<CUSTOM_RULE_ID_1>",
 				"enabled": true

@@ -82,7 +82,7 @@ The Rules language supports these comparison operators:
         <td>❌</td>
         <td>✅</td>
         <td>
-          <code>cf.threat_score <strong>lt</strong> 10</code>
+          <code>cf.waf.score <strong>lt</strong> 10</code>
         </td>
       </tr>
       <tr>
@@ -93,7 +93,7 @@ The Rules language supports these comparison operators:
         <td>❌</td>
         <td>✅</td>
         <td>
-          <code>cf.threat_score <strong>le</strong> 20</code>
+          <code>cf.waf.score <strong>le</strong> 20</code>
         </td>
       </tr>
       <tr>
@@ -104,7 +104,7 @@ The Rules language supports these comparison operators:
         <td>❌</td>
         <td>✅</td>
         <td>
-          <code>cf.threat_score <strong>gt</strong> 25</code>
+          <code>cf.waf.score <strong>gt</strong> 25</code>
         </td>
       </tr>
       <tr>
@@ -115,7 +115,7 @@ The Rules language supports these comparison operators:
         <td>❌</td>
         <td>✅</td>
         <td>
-          <code>cf.threat_score <strong>ge</strong> 60</code>
+          <code>cf.waf.score <strong>ge</strong> 60</code>
         </td>
       </tr>
       <tr>

@@ -38,8 +38,8 @@ The response will include the complete ruleset after adding the rule.
 	json={{
 		action: "js_challenge",
 		expression:
-			'(ip.src.country eq "GB" or ip.src.country eq "FR") or cf.threat_score > 0',
-		description: "challenge GB and FR or based on IP Reputation",
+			'(ip.src.country in {"GB" "FR"} and cf.bot_management.score < 20 and not cf.bot_management.verified_bot)',
+		description: "challenge GB and FR based on bot score",
 	}}
 />
 
@@ -65,8 +65,8 @@ The response will include the complete ruleset after adding the rule.
 				"id": "<NEW_RULE_ID>",
 				"version": "1",
 				"action": "js_challenge",
-				"expression": "(ip.src.country eq \"GB\" or ip.src.country eq \"FR\") or cf.threat_score > 0",
-				"description": "challenge GB and FR or based on IP Reputation",
+				"expression": "(ip.src.country in {\"GB\" \"FR\"} and cf.bot_management.score < 20 and not cf.bot_management.verified_bot)",
+				"description": "challenge GB and FR based on bot score",
 				"last_updated": "2024-06-22T12:35:58.144683Z",
 				"ref": "<NEW_RULE_REF>",
 				"enabled": true

@@ -49,8 +49,8 @@ The response will include the complete ruleset after deleting the rule.
 				"id": "<RULE_ID_2>",
 				"version": "2",
 				"action": "js_challenge",
-				"expression": "(ip.src.country eq \"GB\" or ip.src.country eq \"FR\") or cf.threat_score > 0",
-				"description": "challenge GB and FR or based on IP Reputation",
+				"expression": "(ip.src.country in {\"GB\" \"FR\"} and cf.bot_management.score < 20 and not cf.bot_management.verified_bot)",
+				"description": "challenge GB and FR based on bot score",
 				"last_updated": "2021-07-22T12:54:58.144683Z",
 				"ref": "<RULE_REF_2>",
 				"enabled": true

@@ -37,8 +37,8 @@ The response will include the complete ruleset after updating the rule.
 	json={{
 		action: "js_challenge",
 		expression:
-			'(ip.src.country eq "GB" or ip.src.country eq "FR") or cf.threat_score > 0',
-		description: "challenge GB and FR or based on IP Reputation",
+			'(ip.src.country in {"GB" "FR"} and cf.bot_management.score < 20 and not cf.bot_management.verified_bot)',
+		description: "challenge GB and FR based on bot score",
 	}}
 />
 
@@ -55,8 +55,8 @@ The response will include the complete ruleset after updating the rule.
 				"id": "<RULE_ID_1>",
 				"version": "2",
 				"action": "js_challenge",
-				"expression": "(ip.src.country eq \"GB\" or ip.src.country eq \"FR\") or cf.threat_score > 0",
-				"description": "challenge GB and FR or based on IP Reputation",
+				"expression": "(ip.src.country in {\"GB\" \"FR\"} and cf.bot_management.score < 20 and not cf.bot_management.verified_bot)",
+				"description": "challenge GB and FR based on bot score",
 				"last_updated": "2023-03-22T12:54:58.144683Z",
 				"ref": "<RULE_REF_1>",
 				"enabled": true

@@ -34,29 +34,28 @@ While there is not always an issue, we have seen instances where optional perfor
 
 ---
 
-## Allow IP addresses via Cloudflare Threat Control panel
+## Skip security features for specific IP addresses
 
-Log in to your Cloudflare Threat Control panel and allow IP addresses you want traffic from or expect traffic from. Some common services you probably want to allow include:
+You can use WAF custom rules to [skip certain security features](/waf/custom-rules/skip/) for IP addresses you want traffic from or expect traffic from. Some common services you probably want to allow include:
 
-- APIs you are pulling from
+- APIs you are getting data from
 - Monitoring services you use to monitor your site's uptime
 - Security services
-- IP addresses you frequently login from
+- IP addresses you frequently log in from
 
 Why do this?
 
-If Cloudflare has an IP address with a high threat score going to your site, or if you have [Cloudflare's Web Application Firewall](https://cloudflare.com/waf) turned on, you may get challenged working in your back end and/or services you want to access your site may get challenged. Taking the steps to allow in the beginning will help prevent future surprises on your site.
+If you have enabled and configured [Cloudflare's Web Application Firewall](/waf/), you may get challenged while working on your backend and/or services you want to access your site may get challenged. Taking the steps to skip certain features for requests coming from known IP addresses will help prevent issues on your site.
 
 :::note
-
-We allow all known search engine and social media crawlers in our macro list. If you decide to block specific countries, you must use care because you may end up inadvertently blocking their crawlers (blocking the USA, for example, could mean that their crawler gets challenged).
+Cloudflare allows known search engine and social media crawlers. If you decide to block specific countries, you must use care because you may end up inadvertently blocking their crawlers (blocking the USA, for example, could mean that their crawler gets challenged).
 :::
 
 ---
 
 ## Ensure requests from Cloudflare's IP ranges aren't blocked or limited
 
-If you are using services like .htaccess, firewalls or server mods to manage access to your site from visitors, it is vitally important to make sure requests from Cloudflare’s IP ranges are not being blocked or limited in any way. The number one cause of site offline issues in our support channel is something blocking or restricting requests from our IPs, so please take the time to make sure that all of Cloudflare’s IPs are allowed on your server.
+If you are using services like `.htaccess`, firewalls or server mods to manage access to your site from visitors, it is important to make sure requests from Cloudflare’s IP ranges are not being blocked or limited in any way. The number one cause of site offline issues in Cloudflare's support channel is something blocking or restricting requests from Cloudflare IPs, so please take the time to make sure that all of Cloudflare's IPs are allowed on your server.
 
 Why do this?