
Cloudflare Bot Fight Mode: JavaScript challenges, CORS, and API traffic from first-party SPAs

Aggressive bot modes may interfere with automated tests; allowlist CI egress IPs or use staging zones.


Workers integration

Run CORS logic in Workers before returning challenge pages so legitimate SPAs get clear errors.

Use Workers KV for dynamic allowlists when partner IPs rotate frequently.
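The two points above as an added sketch, not code from this post: a Worker that answers CORS itself and turns a challenge into a JSON error the SPA can read, with a KV lookup for partner IPs. Assumed here: the API sits on its own hostname, the challenge reaches the Worker as a subrequest response carrying Cloudflare's `cf-mitigated: challenge` header, and the names `ALLOWED_ORIGINS`, `PARTNER_IPS` and the error codes are hypothetical.

```javascript
// Added example. ALLOWED_ORIGINS, the PARTNER_IPS KV binding and the JSON
// error codes are assumptions for illustration, not values from the post.
const ALLOWED_ORIGINS = new Set(["https://app.example.com"]); // constructed value

// CORS headers for a first-party Origin, or null when the Origin is not allowed.
function corsHeadersFor(origin) {
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return null;
  return {
    "Access-Control-Allow-Origin": origin, // echo the exact origin, never "*"
    "Access-Control-Allow-Methods": "GET, POST, OPTIONS",
    "Access-Control-Allow-Headers": "Content-Type, Authorization",
    "Vary": "Origin",
  };
}

// Cloudflare marks challenge responses with "cf-mitigated: challenge".
function isChallenge(headerValue) {
  return (headerValue || "").toLowerCase() === "challenge";
}

// JSON 403 that still carries CORS headers, so the browser lets the SPA read it.
function jsonError(code, cors) {
  const headers = { "Content-Type": "application/json", ...(cors || {}) };
  return new Response(JSON.stringify({ error: code }), { status: 403, headers });
}

const worker = {
  async fetch(request, env) {
    const cors = corsHeadersFor(request.headers.get("Origin"));
    const ip = request.headers.get("CF-Connecting-IP") || "";
    // Partner servers send no Origin header; look their IP up in KV instead.
    const partner = !cors && ip !== "" && (await env.PARTNER_IPS.get(ip)) !== null;
    if (!cors && !partner) return jsonError("origin_not_allowed", null);

    // Answer the preflight here so it never depends on the upstream response.
    if (request.method === "OPTIONS") {
      return new Response(null, { status: 204, headers: cors || {} });
    }
    const upstream = await fetch(request);
    if (isChallenge(upstream.headers.get("cf-mitigated"))) {
      // Replace the HTML challenge with an error the SPA can handle.
      return jsonError("bot_challenge", cors);
    }
    const res = new Response(upstream.body, upstream); // copy to get mutable headers
    for (const [k, v] of Object.entries(cors || {})) res.headers.set(k, v);
    return res;
  },
};
// In a Worker module, finish with: export default worker;
```

Rotating partner IPs are then maintained by writing and deleting keys in the KV namespace, with no redeploy of the Worker.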

Mobile apps

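Native apps are not browsers: CORS is enforced by browsers and does not apply to them, so do not assume Bot Management interacts with native app traffic the way it does with browser requests.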

Document separate attestation flows for iOS App Attest versus web sessions.
