Cloudflare WAF Rule: Trigger CAPTCHA Only on Ampersand-Containing Search URLs
Simon Willison's Weblog·2 days ago·Tutorial
Simon Willison was frustrated that even simple single-term searches on his site were triggering Cloudflare CAPTCHA challenges meant to deter aggressive crawlers.
With help from Claude Code, he crafted a Cloudflare WAF Managed Challenge rule that activates only when a search URL contains at least one ampersand — the character that separates multiple query parameters.
The result: ordinary searches like /search/?q=lemur pass through freely, while complex faceted queries with multiple parameters still face the challenge.
