@kathayl kathayl commented Nov 7, 2025

update
-web bot auth links
-how to make WAF skip rule

Summary

Screenshots (optional)

Documentation checklist

  • Is there a changelog entry (guidelines)? If you don't add one for something awesome and new (however small) — how will our customers find out? Changelogs are automatically posted to RSS feeds, the Discord, and X.
  • The change adheres to the documentation style guide.
  • If a larger change - such as adding a new page- an issue has been opened in relation to any incorrect or out of date information that this PR fixes.
  • Files which have changed name or location have been allocated redirects.

update 
-web bot auth links
-how to make WAF skip rule

github-actions bot commented Nov 7, 2025

This pull request requires reviews from CODEOWNERS as it changes files that match the following patterns:

| Pattern | Owners |
| --- | --- |
| /src/content/docs/browser-rendering/ | @mchenco, @cloudflare/pcx-technical-writing, @celso, @danielgek, @kathayl, @ToriLindsay |

update faq to point to allowlist instructions
The `Signature` headers use an authentication method called [Web Bot Auth](/bots/reference/bot-verification/web-bot-auth/). Web Bot Auth leverages cryptographic signatures in HTTP messages to verify that a request comes from an automated bot. To verify a request originated from Cloudflare Browser Rendering, use the keys found on [this directory](https://web-bot-auth.cloudflare-browser-rendering-085.workers.dev/.well-known/http-message-signatures-directory) to verify the `Signature` and `Signature-Input` found in the headers from the incoming request. A successful verification proves that the request originated from Cloudflare Browser Rendering and has not been tampered with in transit.

### Allowlist Browser Rendering with Web Bot Auth
If you need Browser Rendering to access resources on **your own zone** that’s protected by Cloudflare's Bot Protection, create a [WAF skip rule](/waf/custom-rules/skip/) that matches the **Web Bot Auth** `Signature-agent` to the **domain only**: `web-bot-auth.cloudflare-browser-rendering-085.workers.dev`, and require the presence of `Signature` and `Signature-Input`.
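
Review bot: The skip rule in the "Allowlist Browser Rendering with Web Bot Auth" paragraph only matches the `Signature-agent` value and requires that `Signature` and `Signature-Input` be present, which is weaker than the verification the preceding paragraph describes: request headers are set by the client, so their presence alone does not show that the request came from Browser Rendering. Suggest stating whether the signature is validated before the skip rule is evaluated, or telling readers to combine the match with a condition that the signature verified. The same sentence says to match "the **domain only**" without saying whether the rule should use an equals or a contains comparison, or what the full header value looks like; give the exact value and operator. Style: the header is written `Signature-agent` while the other two are capitalized as `Signature` and `Signature-Input`, so use one capitalization throughout; "resources ... that's protected" should read "that are protected"; and the link text "this directory" in the first paragraph would be clearer if it named the key directory.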

I think it's not clear enough. The value of the Signature-Agent header is "https://web-bot-auth.cloudflare-browser-rendering-085.workers.dev" with quotes included. So either we use this value here, or clarify that the header must include web-bot-auth.cloudflare-browser-rendering-085.workers.dev

@kathayl kathayl Nov 7, 2025

Updated copy to include this highlighted part of your feedback, but not sure how to do the latter feedback.
