Cloudflare WAF Rule: Trigger CAPTCHA Only on Ampersand-Containing Search URLs
Original: Cloudflare CAPTCHA on at least one ampersand
Simon Willison shares a Cloudflare WAF rule that limits CAPTCHA challenges to multi-parameter search URLs containing ampersands.
Simon Willison was frustrated that even simple single-term searches on his site were triggering Cloudflare CAPTCHA challenges meant to deter aggressive crawlers. With help from Claude Code, he crafted a Cloudflare WAF Managed Challenge rule that activates only when a search URL contains at least one ampersand — the character that separates multiple query parameters. The result: ordinary searches like /search/?q=lemur pass through freely, while complex faceted queries with multiple parameters still face the challenge.
Simon Willison published a short but practical TIL (Today I Learned) post describing how he refined his Cloudflare Web Application Firewall (WAF) configuration to reduce unnecessary friction for legitimate users of his site's search feature.
Free shows the 3-line summary; Pro unlocks the full deep summary (~300 words) so you never have to click through.
See Pro plans →Want the original English / full article?
Read on Simon Willison's Weblog →Summaries are AI-generated; the original article is authoritative.