Three minutes from idea to enforcement.
Rules live in your dashboard, version-controlled with a full audit trail. Edits propagate to every site within seconds.
Define conditions
Combine IP, CIDR, ASN, country, user-agent regex, bot category, score range, request path, or referer with AND / OR logic.
Pick an action
Allow, log, throttle, challenge (CAPTCHA / PoW), redirect, or block. Set TTL per rule for time-boxed enforcement.
Watch it work
Every match is logged with full context — score, signals, geo, ASN — so you can audit and tune without guessing.
A targeted scraper rule, in plain English.
Block requests that are clearly a competitor scraping product data from AWS, using python-requests, and already flagged as bot — but only on the products API.
- NetworkASN 14618 — Amazon AWSmatch
- Requestpath matches ^/api/v1/products/.*match
- Identityuser-agent contains 'python-requests'match
- Identityscore >= 0.70match
- ActionCapped at 1.0 — blockedBLOCK
12 ways to identify a request.
Mix and match. Every condition is indexed so even complex AND / OR trees evaluate in the same low-millisecond budget.
Single IP or comma-separated list. Matches exact.
IPv4 + IPv6 supported. Subnet matching at line speed.
Match by autonomous system number — block entire datacenter or proxy network.
ISO-3166 country code. Geolocation cached, refreshed weekly.
Exact match, contains, or regex. Anchor with ^ and $ for tight matching.
ai_crawler · scraper · seo · social · monitoring · search · custom.
Threshold comparison. e.g. score >= 0.7 captures bots, score < 0.3 captures verified humans.
rDNS-confirmed identity (Googlebot, Bingbot, Applebot). Separate from claimed UA.
Glob or regex match against URL path. Combine with method for tight scoping.
GET, POST, PUT, DELETE, etc. Lock down write endpoints separately.
Match origin domain. Useful for hotlink protection + scraper detection.
Match any HTTP header by name + value. Detect framework signatures.
Pick the right response.
A hard block isn't always right. Throttle abusive crawlers, challenge ambiguous traffic, log new rules before flipping them live.
Allow
Explicit allow-list. Bypasses all downstream rules. Useful for verified bots + internal tools.
Log only
Mark the request but don't intercept. Build confidence in a rule before flipping it to block.
Throttle
Reduce request rate per IP / ASN. Configurable RPS, burst, and backoff curve.
Challenge
Issue CAPTCHA, proof-of-work, or Cloudflare Turnstile. Human passes silently, bot stalls.
Redirect
302 to a honeypot, paywall, or robots.txt explanation. Useful for paid AI-crawler flows.
Block
Hard 403. Returns a custom message or template. Logged with full request context.