Cloudflare
DataDome Cloudflare app detects and protects against bot activity
This module is dedicated to be used on Cloudflare, using the App with Workers feature.
Before the regular Cloudflare process kicks-in, an event is triggered and processes the DataDome logic in a Workers function.
The module makes a call to the closest DataDome endpoint. Depending on the API response, the module either blocks the request or lets Cloudflare proceed with the regular process.
The module has been developed to protect the visitors' user experience: if any errors were to occur during the process, or if the timeout is reached, the module will automatically disable its blocking process and allow the regular Cloudflare process to proceed.
Prerequisites
A free trial must be started (by using the sign-up form) or an account must be enabled by a DataDome representative. The relevant Cloudflare site will be assigned a unique “API key” and “JS key”.
How to install and configure
- Connect to your Cloudflare console
- Click on "Apps" at the bottom or left-side of the console
- Click on "Explore Apps"
- Search for "DataDome"
- Click on the the app, then the "Preview on your site" button
Identify with OAuth (recommended - see the FAQ for an alternative solution):
- Click on "Login or Register" to link your existing DataDome account to your Cloudflare account or to create a new account on DataDome.
- The following panel will display, allowing you to login or SignUp.
- You can access advanced options by selecting the "Show advanced options" box.
Advanced options allow you to configure the following:
- JS Tag options: JSON object containing all the keys & values to configure the JS Tag (see JS Tag documentation)
- Change the default timeout: Response Timeout from the DataDome Server (in ms).
We recommend not to change these settings without referring to a DataDome support team first.
- Click on the 'Install on all pages' button found at the bottom of the page
Congrats! Your website is ready to be protected, at the Edge, against bot traffic!
Settings
Setting | Description | Required | Default |
---|---|---|---|
Server-side key | Your DataDome server-side key. | Yes | "" |
Timeout | Timeout for response from the DataDome Server (in ms). | No | 300 |
Static assets URI exclusion regex for Server-side detection | Ignores all matching URIs. Used for excluding traffic associated with static assets (ex: "/.js/i"). Only executed for GET and HEAD requests. The associated traffic will not be sent to DataDome for analysis. | Optional | /. (avi|flv|mka|mkv|mov|mp4|mpeg|mpg|mp3|flac|ogg |ogm|opus|wav|webm |wep|bmp|gif|ico|jpeg |jpg|png|svg|svgz|swf |eot|otf|ttf|woff|woff2|css|less|js)$/i |
URL inclusion regex for Server-side detection | Will only send traffic associated with matching URLs to DataDome. Default value matches everything. (ex. "/https:\/\/sub\.domain\.com\/my\/path/i" ) | Optional | "" |
URL exclusion regex for Server-side detection | Ignores all matching hostnames. The associated traffic will not be sent to DataDome for analysis. (ex: "/https:\/\/sub\.domain\.com\/my\/path/i" ) | Optional | "" |
IPs exclusion for server-side detection | List of IPs. The traffic sent from these IPs will not be sent to DataDome. ex: ["192.168.0.1", "192.168.0.2"] | Optional | "" |
Enable DataDome logs | If checked, some debug information about our API response is added inside a new header X-DataDome-log . | Optional - for debug purposes only | |
Client-side key | Your DataDome client-side key. | Yes | "" |
Client-side advanced options | JSON object describing JS Tag option (click here for more documentation). | No | "" |
URL exclusion regex for Client-side detection | Will not add the JS Tag to the pages matching the URL pattern. (ex: "/https:\/\/sub\.domain\.com\/my\/path/i") | Optional | "" |
URL inclusion regex for Client-side detection | Will only add the JS Tag to the pages matching the URL pattern. (ex: "/https:\/\/sub\.domain\.com\/my\/path/i" ) | Optional | "" |
Client-side tag URL | URL of the JS Tag. Change default value to include the tag as a first party. | Optional | "" |
Client-side endpoint URL | URL of the JS Tag endpoint. Change default value to include the tag as a first party. | Optional | "" |
GraphQL support . | Extract GraphQL operation name and type on request to a /graphql endpoint to improve protection | Optional | false |
How to update
- Connect to your Cloudflare console and go to the Apps section
- Click on "Your installed Apps"
- If there is a new version of DataDome available, click on "Update"
- Verify your settings
- Click on "Save changes on all pages"
- Your app is updated!
FAQ
How can I configure the listener to support AJAX calls?
As documented here, DataDome requires the configuration of a listener in order to protect AJAX calls.
To do so, the Client-side Protection Options should be configured as follow:
- Configuration of the listener for a single endpoint
{ "ajaxListenerPath" : "domain/api"}
- Configuration of the listener for multiple endpoints
{ "ajaxListenerPath" : ["domain1/api", "domain2", "domain3"] }
My Cloudflare site is rate limited when I activate DataDome module
Burst rate
Accounts using the Workers free plan are subject to a burst rate limit of 1000 requests per minute.
DataDome module relies on Cloudflare Worker technology. When used on web sites with a lot of traffic, it may trigger an internal Cloudflare limit for Workers.
This can be inspected in Cloudflare firewall events.
If you are impacted by this limitation, please contact the Cloudflare support in order to lift this limit on your account. Once you are logged in your account, select the "Support" drop-down menu.
Then once you are logged in your Cloudflare support site, select "My Activities & Requests" to access the "Submit a Request" button.
The correct section to create a support ticket is found under "Get additional help":
Create a new support ticket with a clear summary (ex: "Rate Limiting on Cloudflare app")
Fill in the description with an explanation text such as the example below:
We enabled DataDome Cloudflare app on our domain.
To make sure that Cloudflare rate limiting feature will not affect the behavior of this app (blocking subrequests to its web servers); could you please disable the rate limiting feature for all requests toward the host api-cloudflare.datadome.co?
This is a known issue regarding workers embedded in apps, that has already been handled by Cloudflare support for other DataDome customers.
Regards,
Finally, review your content and submit the ticket.
I do not want to use OAuth to login on DataDome
You can still use the API keys (supported for compatibility with older versions of the module).
- Fill in the server-side and client-side keys in the appropriate fields
- You can find the server-side and client-side keys in your dashboard

Updated 6 days ago