Website owners today face an evolving mix of automated traffic, from harmless crawlers to aggressive bot attacks and full-scale DDoS campaigns. Cloudflare provides multiple security modes to help detect, mitigate, and block these threats. Two of the most commonly misunderstood features are Bot Fight Mode and Under Attack Mode.
Both are designed to protect your site, but they serve very different purposes. Knowing when to enable each mode, how they work under the hood, and what impact they have on legitimate users is essential for maintaining performance, security, and user experience.
This guide breaks down Cloudflare Bot Fight Mode vs Under Attack Mode in practical terms so you can choose the right protection for your domain.
1. What Cloudflare Bot Fight Mode Is Designed to Do
Bot Fight Mode is Cloudflare’s lightweight bot protection feature built into its dashboard. It focuses specifically on identifying and mitigating automated bot traffic before it reaches your application.
The system uses behavioral analysis, IP reputation, and request patterns to detect malicious bots. Once identified, these bots can be blocked, challenged, or filtered automatically, depending on your configuration. Bot Fight Mode is primarily aimed at stopping scraping, credential stuffing, brute-force attempts, and basic bot attacks.
Cloudflare’s Bot Fight Mode is particularly effective against common, known bots that attempt to bypass basic security rules. It works at the network edge and integrates with Cloudflare’s broader bot management and firewall policies, helping site owners reduce bot traffic without requiring complex configuration.
How Bot Fight Mode Works
When Bot Fight Mode is enabled, Cloudflare automatically evaluates incoming traffic using its bot detection engine. Suspicious requests are matched against known bot signatures and behavior patterns. If a request is identified as automated and malicious, Cloudflare can block it outright or apply a JavaScript challenge to verify whether the visitor is a real browser.
For many sites, this mode provides “set it and forget it” protection. It does not usually interrupt legitimate users, and it does not require visitors to complete visible challenges unless the traffic is clearly suspicious.
When Bot Fight Mode Is Most Effective
Bot Fight Mode is best for ongoing, everyday bot protection. If your site experiences scraping, automated form submissions, or persistent low-level bot traffic, this mode can significantly reduce unwanted activity while preserving a smooth experience for real visitors.
It is also a good fit for sites that rely on APIs, client-side JavaScript, or modern web applications, because it filters malicious bots without introducing aggressive security challenges.
2. What Under Attack Mode Is Designed to Do
Under Attack Mode, sometimes referred to as UAM, is a defensive posture intended for extreme scenarios, such as active DDoS attacks or sudden surges of malicious traffic that threaten site availability.
Unlike Bot Fight Mode, which targets bots selectively, Under Attack Mode treats almost all incoming traffic as potentially hostile. Cloudflare places a JavaScript challenge in front of every visitor to verify that the client is a legitimate browser before allowing access to the site.
This mode is designed to protect your domain when your infrastructure is at risk of being overwhelmed. It prioritizes availability and security over user experience.
How Under Attack Mode Works
When you enable Under Attack Mode in the Cloudflare dashboard, Cloudflare immediately begins challenging visitors at the edge. Each user must pass a browser-based JavaScript challenge before accessing the application. Bots that cannot execute JavaScript or fail the challenge are blocked.
This approach dramatically reduces the volume of traffic that reaches your origin server. It mitigates DDoS attacks by filtering out non-human traffic before it can consume bandwidth, server resources, or API capacity.
When Under Attack Mode Is Appropriate
Under Attack Mode is meant for emergency use. It is most effective when your site is experiencing a sudden spike in malicious traffic, bot floods, or distributed denial-of-service attacks that threaten uptime.
Because it introduces friction for every visitor, it is not ideal for day-to-day protection. Legitimate users may experience delays, failed connections, or incompatibilities with certain browsers, applications, or API clients.
3. Core Differences in Purpose and Scope
The fundamental difference between Bot Fight Mode and Under Attack Mode lies in scope and aggressiveness.
Bot Fight Mode focuses on identifying and blocking malicious bot traffic while allowing legitimate users to pass through with minimal friction. It is selective, automated, and designed to operate continuously without disrupting normal traffic patterns.
Under Attack Mode, by contrast, is a blunt but powerful security tool. It assumes that the site is under active attack and applies a universal challenge to all incoming traffic. This makes it extremely effective against large-scale bot attacks and DDoS campaigns, but also more disruptive.
In short, Bot Fight Mode is proactive and precise. Under Attack Mode is reactive and defensive.
4. Impact on User Experience and Traffic
Bot Fight Mode and Legitimate Users
For most visitors, Bot Fight Mode is invisible. Real users with standard browsers are not challenged, and page loads, SSL handshakes, and API requests proceed normally. Cloudflare’s detection engine filters bot traffic without requiring user interaction in most cases.
This makes Bot Fight Mode well suited for applications where user experience is critical, such as e-commerce sites, SaaS platforms, and content-driven domains.
Under Attack Mode and Legitimate Users
Under Attack Mode significantly alters the user experience. Every visitor must complete a JavaScript challenge before accessing your site. While most modern browsers can handle this, it introduces additional latency and may block some legitimate clients, such as older browsers, certain automated integrations, or non-JavaScript environments.
For high-traffic sites, this can result in reduced conversions, frustrated users, and increased support requests. However, during a DDoS attack, preserving site availability often outweighs these drawbacks.
5. Security, Configuration, and Automation
Integration with Cloudflare’s Security Stack
Both modes integrate with Cloudflare’s broader application security features, including the WAF, IP access rules, firewall rules, TLS, and bot management analytics. You can combine these tools to create layered protection.
For example, you might use Bot Fight Mode for baseline bot protection, then apply custom firewall rules to block specific IP addresses, countries, or user agents. If a severe attack occurs, you can temporarily switch to Under Attack Mode to mitigate traffic at scale.
Automation and Policy Management
Bot Fight Mode operates largely automatically. Cloudflare’s detection systems identify malicious bots and apply appropriate actions without manual intervention. This makes it suitable for long-term protection.
Under Attack Mode is typically enabled manually through the dashboard or API. It is a tactical response, not a standing policy. Some enterprise customers automate this mode based on traffic thresholds or analytics, but it is still intended as a short-term defense.
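The threshold-based automation mentioned above, together with the FAQ's advice to switch the mode off once traffic normalizes, can be sketched as a hysteresis switch. This is an added example, not Cloudflare's code: it builds (but does not send) the zone-settings API call for `security_level`, and the thresholds, sample values, placeholder zone ID and token, and the assumption that requests-per-second figures come from edge analytics rather than origin logs are all illustrative.

```python
import json
import urllib.request

API = "https://api.cloudflare.com/client/v4"

def security_level_request(zone_id, token, level):
    """Build (not send) the PATCH that sets a zone's security level."""
    return urllib.request.Request(
        f"{API}/zones/{zone_id}/settings/security_level",
        data=json.dumps({"value": level}).encode(),
        method="PATCH",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
    )

class UamController:
    """Hysteresis switch: trip on a sustained spike, release only after calm."""
    def __init__(self, trip_rps, clear_rps, trip_after=3, clear_after=10,
                 normal_level="medium"):
        self.trip_rps, self.clear_rps = trip_rps, clear_rps
        self.trip_after, self.clear_after = trip_after, clear_after
        self.normal_level = normal_level
        self.active = False
        self._streak = 0  # consecutive samples supporting a state change

    def observe(self, rps):
        """Feed one sample; return the level to set, or None for no change."""
        if not self.active:
            self._streak = self._streak + 1 if rps >= self.trip_rps else 0
            if self._streak >= self.trip_after:
                self.active, self._streak = True, 0
                return "under_attack"
        else:
            self._streak = self._streak + 1 if rps <= self.clear_rps else 0
            if self._streak >= self.clear_after:
                self.active, self._streak = False, 0
                return self.normal_level
        return None

def replay(samples, **kw):
    """Run samples through a fresh controller; list (index, new_level) changes."""
    ctl = UamController(**kw)
    return [(i, lvl) for i, rps in enumerate(samples)
            if (lvl := ctl.observe(rps)) is not None]

# Constructed samples: a one-off blip, a sustained flood, then recovery.
SAMPLES = [120, 900, 130, 950, 1100, 1200, 1000, 400, 150, 140, 135, 130]

if __name__ == "__main__":
    for i, level in replay(SAMPLES, trip_rps=800, clear_rps=200,
                           trip_after=3, clear_after=3):
        req = security_level_request("ZONE_ID_PLACEHOLDER", "TOKEN_PLACEHOLDER", level)
        print(i, req.get_method(), req.full_url, req.data.decode())
```

The single spike at index 1 does not trip the switch, and the separate lower release threshold keeps the mode from flapping while traffic is still elevated.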
6. Choosing the Right Mode for Your Site
The choice between Bot Fight Mode and Under Attack Mode depends on your threat level, performance requirements, and tolerance for user friction.
If your site experiences routine bot traffic, scraping, or low-volume attacks, Bot Fight Mode provides effective, automated protection with minimal impact on legitimate users. It helps maintain security without disrupting normal operations.
If your site is under active DDoS attack, suffering from overwhelming bot traffic, or at risk of downtime, Under Attack Mode is the appropriate response. It prioritizes availability and blocks malicious traffic aggressively, even at the cost of some usability.
Many Cloudflare customers use both modes strategically: Bot Fight Mode as a default layer of defense, and Under Attack Mode as an emergency switch when conditions demand it.
FAQs About Cloudflare Bot Fight Mode vs Under Attack Mode
What is the main difference between Bot Fight Mode and Under Attack Mode?
Bot Fight Mode selectively identifies and blocks malicious bots while allowing legitimate users through. Under Attack Mode challenges all visitors to protect the site during severe attacks, such as DDoS incidents.
Does Bot Fight Mode block all bots?
No. Bot Fight Mode focuses on malicious bot traffic. Known good bots, such as search engine crawlers, are typically allowed, while harmful bots are blocked or challenged.
Will Under Attack Mode affect real users?
Yes. Under Attack Mode places a JavaScript challenge in front of every visitor. While it is effective for security, it can slow down access and may block some legitimate clients.
Can I use both modes together?
Yes. Many site owners use Bot Fight Mode as a baseline for everyday protection and enable Under Attack Mode temporarily during major attacks.
When should I disable Under Attack Mode?
Once the attack subsides and traffic returns to normal patterns, it is best to disable Under Attack Mode to restore a smoother user experience and avoid unnecessary challenges for legitimate visitors.
Conclusion: Cloudflare Bot Fight Mode vs Under Attack Mode
Cloudflare Bot Fight Mode and Under Attack Mode serve distinct but complementary roles in website security. Bot Fight Mode offers ongoing, automated protection against malicious bots with minimal impact on users. Under Attack Mode provides a powerful, last-resort defense when your site is under serious threat.
Understanding the differences allows you to deploy the right tool at the right time. By using Bot Fight Mode for daily protection and reserving Under Attack Mode for emergency situations, you can balance security, performance, and user experience while keeping your site resilient against both routine bot traffic and large-scale attacks.





