When it comes to securing websites, Cloudflare provides a variety of protection tools, one of which is the Browser Integrity Check (BIC). This feature ensures that incoming traffic is legitimate by analyzing HTTP headers and blocking suspicious or bot-generated requests. However, there are instances when you might need to exclude certain Autonomous System Numbers (ASNs) from this check. For example, you may want to allow traffic from trusted sources, such as cloud service providers or specific business partners, without enforcing the Browser Integrity Check. This guide will walk you through why and how you might exclude ASNs from Cloudflare’s Browser Integrity Check, helping you tailor your security setup to your website’s needs.
Understanding Browser Integrity Check (BIC)
Cloudflare’s Browser Integrity Check is a security feature designed to help identify malicious traffic from bots or non-browser requests. When enabled, it inspects HTTP headers like User-Agent and Referer to ensure they match typical patterns of legitimate browsers. If a request fails this check, Cloudflare can block or challenge the request, improving your site’s defense against attacks. However, this check may sometimes mistakenly flag legitimate users, especially those from trusted ASNs. In such cases, excluding specific ASNs from the check can help maintain a balance between security and accessibility.
7 Key Benefits of Excluding ASNs from BIC
- Improves access for trusted cloud providers
- Reduces false positives from legitimate traffic
- Ensures smooth integration with business partners
- Prevents unnecessary challenges for internal users
- Enhances user experience for known sources
- Streamlines traffic from critical third-party services
- Helps maintain website performance
Why Exclude ASNs from Browser Integrity Check?
Excluding ASNs from Cloudflare’s Browser Integrity Check is especially useful when you trust the origin of traffic and want to avoid unnecessary security challenges. For instance, services such as Amazon Web Services (AWS), Google Cloud, or Microsoft Azure host a large portion of global traffic. These cloud platforms are widely used by businesses, and blocking or challenging traffic from these ASNs can lead to slowdowns or interruptions in service. Additionally, it can prevent legitimate users from accessing your website. By whitelisting or excluding these ASNs, you allow trusted traffic to flow smoothly while retaining protection against other potential threats.
7 Scenarios Where Exclusion is Beneficial
- When your website uses cloud hosting platforms for services
- When trusted third-party applications access your site
- When you want to minimize traffic delays from internal sources
- When ensuring a seamless connection with business affiliates
- When you’ve verified the legitimacy of the ASN
- When there are known issues with false positives from specific sources
- When excluding ASNs reduces unnecessary traffic challenges
How to Exclude ASNs from Browser Integrity Check
Excluding specific ASNs from Cloudflare’s Browser Integrity Check is relatively straightforward and can be done via Firewall Rules. You can create a rule that identifies traffic from specific ASNs and bypasses the BIC. First, navigate to the Firewall section in the Cloudflare dashboard. Next, create a rule that matches the desired ASN and sets the action to “Allow” or “Bypass.” This allows traffic from these trusted sources to bypass the integrity check, ensuring smoother communication and fewer false positives.
| Step | Action | Details |
|---|---|---|
| 1 | Login to Cloudflare | Access your Cloudflare account |
| 2 | Create a Firewall Rule | Go to the Firewall section and click on ‘Create a Firewall Rule’ |
| 3 | Set ASN Parameters | Specify ASN in the rule’s conditions |
Considerations for Excluding ASNs
While excluding ASNs can improve traffic flow, it’s important to do so with caution. Allowing certain ASNs to bypass the Browser Integrity Check may expose your website to some security risks, particularly if an ASN is compromised. Always ensure that the ASNs you are excluding are well-known and trustworthy. Additionally, consider implementing other security layers like rate-limiting or bot mitigation to offset the risks associated with bypassing the Browser Integrity Check. Finally, regularly review the traffic from these ASNs to ensure that no unusual activity is occurring.
7 Important Factors to Consider Before Excluding ASNs
- Ensure the ASN is trusted and reputable
- Regularly monitor traffic from excluded ASNs
- Implement additional security measures for excluded traffic
- Understand the risk of allowing unchecked traffic
- Perform thorough vetting of third-party service providers
- Ensure compatibility with your existing security infrastructure
- Update your firewall rules as traffic patterns evolve
Integrating Excluded ASNs with Other Security Measures
Even when you exclude ASNs from the Browser Integrity Check, it’s essential to integrate other security measures to protect your website. For example, Cloudflare offers rate-limiting features, which allow you to set limits on requests from specific IPs or ASNs. This can help mitigate potential attacks even if you’re not challenging certain traffic. You can also rely on Cloudflare’s DDoS protection to safeguard your website from high-volume malicious traffic. By using these complementary features alongside ASN exclusions, you can create a more comprehensive and secure traffic management system.
Testing Your ASN Exclusions
Once you’ve set up exclusions for certain ASNs, it’s important to test their functionality. Ensure that traffic from the excluded ASNs flows smoothly without being challenged by the Browser Integrity Check. You can use Cloudflare’s analytics and traffic logs to monitor the results of your changes. Additionally, perform manual testing by simulating traffic from trusted ASNs to confirm that it is bypassing the integrity check as intended. Regular testing ensures that the exclusion is working correctly and that your website remains both secure and accessible.
“Efficiently excluding trusted ASNs from Cloudflare’s Browser Integrity Check can enhance your website’s performance without compromising security.”
By excluding specific ASNs from the Browser Integrity Check, you can streamline traffic from trusted sources and ensure a smoother experience for users. However, it’s crucial to carefully manage and monitor these exclusions to maintain your website’s security. Use Cloudflare’s features such as rate-limiting and DDoS protection to complement exclusions, reducing any potential risks. Take time to review your website’s security setup regularly, ensuring that only trusted ASNs are bypassing security measures. Share this information with your team to help improve your site’s efficiency, and don’t forget to regularly check Cloudflare’s logs for any anomalies.