Cloudflare’s firewall rules can help significantly if you want to prevent illegitimate traffic to your web store. In this tutorial, we’ll show you how you can add a JavaScript execution test to determine whether a visitor is legitimate or not. Please note that Cloudflare’s firewall rules are not foolproof, but will block a large part of unwelcome traffic.
Create A Firewall Rule
Log in to the Cloudflare dashboard and select your domain.
Next, click the Security category and choose WAF.
Next, click Create firewall rule.
Set your Firewall Rule
Name Your Rule
First, give the rule a name that lets you identify it easily if you need to change it later.
Create Your Expression
Second, you will need to create an expression for your rule. You can do this via the visual expression builder or via text. In our example:
(not ip.geoip.country in {"CA" "US"} and not cf.client.bot and not http.user_agent contains "commercebuildbot")
If you add it via text, you can then click Use expression builder to see the expression visually. In this case, traffic from outside Canada and the U.S. that is not a known bot (e.g. NOT Googlebot or other legitimate bots) and whose user agent does not contain "commercebuildbot" will need to pass the browser JavaScript test before being able to access the site. If you’d like to see additional examples, check out Cloudflare’s blog post.
A user will only have to endure this check periodically.
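The expression joins three negated conditions with "and", so a request is challenged only when none of the three exemptions applies. The Python sketch below is an added example, not Cloudflare code and not part of the original tutorial; it models that logic over constructed requests, and the Request, evaluate and report names are assumptions made for illustration.

```python
from dataclasses import dataclass

# Values taken from the rule expression in this tutorial.
ALLOWED_COUNTRIES = {"CA", "US"}
ALLOWED_UA_TOKEN = "commercebuildbot"


@dataclass
class Request:
    country: str     # stands in for ip.geoip.country
    known_bot: bool  # stands in for cf.client.bot
    user_agent: str  # stands in for http.user_agent


def evaluate(req: Request) -> str:
    """Return 'challenge' if the rule matches, else the clause that exempted it."""
    if req.country in ALLOWED_COUNTRIES:
        return "skip:country"
    if req.known_bot:
        return "skip:known_bot"
    # "contains" is a case-sensitive substring match on a client-supplied header.
    if ALLOWED_UA_TOKEN in req.user_agent:
        return "skip:user_agent"
    return "challenge"


# Constructed sample requests (not real traffic).
SAMPLES = [
    ("browser in DE", Request("DE", False, "Mozilla/5.0")),
    ("browser in US", Request("US", False, "Mozilla/5.0")),
    ("unverified script in CA", Request("CA", False, "python-requests/2.31")),
    ("verified crawler in FR", Request("FR", True, "Googlebot/2.1")),
    ("platform bot in IE", Request("IE", False, "commercebuildbot/1.0")),
    ("mixed-case UA in IE", Request("IE", False, "CommerceBuildBot/1.0")),
]


def report(samples):
    """Pair each sample name with the rule outcome."""
    return [(name, evaluate(req)) for name, req in samples]


if __name__ == "__main__":
    for name, outcome in report(SAMPLES):
        print(f"{name:26} {outcome}")
```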
Deploy Your Rule
If you are satisfied with the expression, you can deploy it by clicking Deploy firewall rule. It will take approximately 60 seconds to go into effect globally. To ensure the firewall rule is functioning correctly, you can review the activity log.