Cloudflare seems to have classified Firefox as suspicious.


According to Cloudflare’s reaction, this is a customer-specific restriction rather than a universal one. They did not specify what type of rule is causing this behavior.

Cloudflare’s anti-bot defense seems to have tagged Firefox as “suspicious.” When you visit certain websites housed on Cloudflare’s CDN and use this service, Firefox returns a Javascript challenge.

This is how it appears:

You may put it to the test yourself: Navigate to, a software review website. The site’s content will be shown if you use Chrome or Edge. However, if you use Firefox, you will very certainly be offered the challenge instead (make sure to clear cookies before). This essentially implies that you must have JS enabled in order to view the site, and there will be a 2-3 second wait before the content is provided.

This is hardly a promising future for the open-source browser. If this practice is adopted by additional sites, we may anticipate even more people to abandon Firefox since every online visit would take a few seconds longer.

It also makes no sense from a technological viewpoint. I don’t understand why we should “suspect” Firefox of being a bot. Chrome is most likely being used for site scraping at a significantly greater rate thanks to initiatives like Puppeteer.

To be clear, I do not think Cloudflare’s action is purposeful. They use a mix of TLS fingerprinting and HTTP fingerprinting to determine the browser you are using (on which I might write an extended explanation later on). Cloudflare, I assume, whitelists the signatures of browsers with a significant enough market share, and Firefox happens to be below that barrier. Even if this is the case, I anticipate Cloudflare aggressively whitelisting Firefox. Open-source browsers are an integral aspect of the web and should be regarded the same as their closed-source equivalents.



According to contacts feed back in this post.

While we can’t comment on the specifics of any customer configuration, we do not block or challenge Firefox by default—either with our Bot Management products or with any other L7 security controls.

You can confirm this by signing up a free zone and making a request from Firefox.


You’re saying there’s not a simplistic “block Firefox rule” right? But, the user agent is surely one of the weighted features going into your ML stew. So it’s plausible the poster is seeing that Firefox sends some calculation over the edge and causes blocking for them.

That is, you’re not saying “Firefox doesn’t change the scoring at all”, right?


To add, without knowing the homepage firewall rule g2 has set up, we won’t know exactly what sort of rules is triggering this, although the most likely signals they’re using are either bot scores[0] or threat scores[0].




Appreciate the speculation, but using Firefox does not increase your likelihood of being flagged as a bot nor does it increase your threat score.



This is yet another example why using Cloudflare products is a really bad idea.





Can customers configure Firefox as one of the criteria for a challenge?



Leave A Reply

Please enter your comment!
Please enter your name here