Cloudflare CAPTCHA on at least one ampersand
Simon Willison · Simon Willison · 2026-06-16
Simon Willison documents a Cloudflare WAF rule that triggers CAPTCHA challenges only on search URLs containing ampersands, preventing false positives on simple queries while still blocking aggressive crawlers, and notes that the Cloudflare MCP could not edit these rules directly.
Extraction
Topics: cloudflare, web-application-firewall, captcha, model-context-protocol, claude-code
Claims
- A Cloudflare WAF custom rule can scope CAPTCHA challenges to URLs that match a path pattern AND contain an ampersand, avoiding false positives on single-term searches.
- The Cloudflare MCP integration with Claude Code could not edit WAF rules, requiring a fallback to the Cloudflare API.
- The rule `(http.request.uri.path wildcard r"/search/*" and http.request.uri.query contains "&")` correctly distinguishes faceted search requests from simple queries.
Key quotes
`(http.request.uri.path wildcard r"/search/*" and http.request.uri.query contains "&")`
it turns out you can register the following rule instead, so the CAPTCHA only kicks in for search URLs containing at least one ampersand