2 changes: 1 addition & 1 deletion src/content/docs/browser-rendering/faq.mdx
Expand Up @@ -31,7 +31,7 @@ Not yet. Local development currently has the following limitation(s):

No, Browser Rendering requests are always identified as bots by Cloudflare and do not bypass Bot Protection.

If you are attempting to scan your **own zone** and need Browser Rendering to access areas protected by Cloudflare’s Bot Protection, you can create a [WAF skip rule](/waf/custom-rules/skip/) to bypass the bot protection using a header or a custom user agent.
If you are attempting to scan your **own zone** and need Browser Rendering to access areas protected by Cloudflare’s Bot Protection, you can create a [WAF skip rule](/waf/custom-rules/skip/) that matches Browser Rendering's Web Bot Auth signature headers. See [Allowlist Browser Rendering with Web Bot Auth](/browser-rendering/reference/automatic-request-headers/#allowlist-browser-rendering-with-web-bot-auth) for steps.

### Does Browser Rendering rotate IP addresses for outbound requests?
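Review bot: The replacement sentence for the own-zone case drops the earlier "using a header or a custom user agent" option without saying whether skip rules already built on a custom user agent keep working or should be migrated; add a clause that covers this. It would also help to name what the rule matches (the `Signature-agent` value plus the presence of `Signature` and `Signature-Input`, per the linked section), so that "matches Browser Rendering's Web Bot Auth signature headers" is not read as the rule verifying the signature.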

Expand Up @@ -16,9 +16,13 @@ These headers are meant to ensure transparency and cannot be removed or overridd
| Header | Description |
| -------------------- | ----------------------------------------------------------------------------------- |
| `cf-brapi-request-id` | A unique identifier for the Browser Rendering request when using the [REST API](/browser-rendering/rest-api/) |
| `cf-brapi-devtools` | A unique identifier for the Browser Rendering request when using [Workers Bindings](/browser-rendering/workers-bindings/) |
| `cf-biso-devtools` | A flag indicating the request originated from Cloudflare's rendering infrastructure |
| `Signature-agent` | [The location of the bot public keys](https://web-bot-auth.cloudflare-browser-rendering-085.workers.dev), used to sign the request and verify it came from Cloudflare |
| `cf-biso-request-id` | A unique identifier for the Browser Rendering request when using [Workers Bindings](/browser-rendering/workers-bindings/) |
| `cf-brapi-devtools` | A flag indicating the request originated from Cloudflare's rendering infrastructure |
| `Signature-agent` | [The location of the bot public keys](https://web-bot-auth.cloudflare-browser-rendering-085.workers.dev/.well-known/http-message-signatures-director), used to sign the request and verify it came from Cloudflare |
| `Signature` and `Signature-input`| A digital signature, used to validate requests, as shown in [this architecture document](https://datatracker.ietf.org/doc/html/draft-meunier-web-bot-auth-architecture) |

### About Web Bot Auth
The `Signature` headers use an authentication method called [Web Bot Auth](/bots/reference/bot-verification/web-bot-auth/). Web Bot Auth leverages cryptographic signatures in HTTP messages to verify that a request comes from an automated bot. To verify a request originated from Cloudflare Browser Rendering, use the keys found on [this directory](https://web-bot-auth.cloudflare-browser-rendering-085.workers.dev/.well-known/http-message-signatures-directory) to verify the `Signature` and `Signature-Input` found in the headers from the incoming request. A successful verification proves that the request originated from Cloudflare Browser Rendering and has not been tampered with in transit.

### Allowlist Browser Rendering with Web Bot Auth
If you need Browser Rendering to access resources on **your own zone** that's protected by Cloudflare's Bot Protection, create a [WAF skip rule](/waf/custom-rules/skip/) that matches the **Web Bot Auth** `Signature-agent` header to `"https://web-bot-auth.cloudflare-browser-rendering-085.workers.dev"` (with quotes included), and require the presence of `Signature` and `Signature-Input` headers.
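Review bot: In the new `Signature-agent` table row the link ends in `/.well-known/http-message-signatures-director`, while the "About Web Bot Auth" paragraph uses `/.well-known/http-message-signatures-directory`; the row's URL is missing the final `y` and should be corrected. The allowlist step matches the `Signature-agent` value and only requires that `Signature` and `Signature-Input` be present, which is weaker than the key-based verification described in the paragraph before it, so state explicitly whether the skip rule verifies the signature or point readers to a check that does. Smaller points: the header casing differs between the table (`Signature-input`) and the prose (`Signature-Input`), the two new `###` headings have no blank line after them, and "that's protected" should read "that are protected".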