DataDome Cloudflare app detects and protects against bot activity

This module is dedicated to be used on Cloudflare, using the App with Workers feature.

Before the regular Cloudflare process kicks-in, an event is triggered and processes the DataDome logic in a Workers function.
The module makes a call to the closest DataDome endpoint. Depending on the API response, the module either blocks the request or lets Cloudflare proceed with the regular process.

The module has been developed to protect the visitors' user experience: if any errors were to occur during the process, or if the timeout is reached, the module will automatically disable its blocking process and allow the regular Cloudflare process to proceed.


A free trial must be started (by using the sign-up form) or an account must be enabled by a DataDome representative. The relevant Cloudflare site will be assigned a unique “API key” and “JS key”.

How to install and configure

  1. Connect to your Cloudflare console
  2. Click on "Apps" at the bottom or left-side of the console

  1. Click on "Explore Apps"
  2. Search for "DataDome"
  3. Click on the the app, then the "Preview on your site" button

Identify with OAuth (recommended - see the FAQ for an alternative solution):

  1. Click on "Login or Register" to link your existing DataDome account to your Cloudflare account or to create a new account on DataDome.

  1. The following panel will display, allowing you to login or SignUp.

  1. You can access advanced options by selecting the "Show advanced options" box.
    Advanced options allow you to configure the following:
  • JS Tag options: JSON object containing all the keys & values to configure the JS Tag (see JS Tag documentation)
  • Change the default timeout: Response Timeout from the DataDome Server (in ms).
    We recommend not to change these settings without referring to a DataDome support team first.
  1. Click on the 'Install on all pages' button found at the bottom of the page

Congrats! Your website is ready to be protected, at the Edge, against bot traffic!


Server-side keyYour DataDome server-side key.Yes""
TimeoutTimeout for response from the DataDome Server (in ms).No300
Static assets URI exclusion regex for Server-side detectionIgnores all matching URIs. Used for excluding traffic associated with static assets (ex: "/.js/i"). Only executed for GET and HEAD requests. The associated traffic will not be sent to DataDome for analysis.Optional/.
URL inclusion regex for Server-side detectionWill only send traffic associated with matching URLs to DataDome. Default value matches everything.
(ex. "/https:\/\/sub\.domain\.com\/my\/path/i")
URL exclusion regex for Server-side detectionIgnores all matching hostnames.
The associated traffic will not be sent to DataDome for analysis.
(ex: "/https:\/\/sub\.domain\.com\/my\/path/i")
IPs exclusion for server-side detectionList of IPs. The traffic sent from these IPs will not be sent to DataDome.
ex: ["", ""]
Enable DataDome logsIf checked, some debug information about our API response is added inside a new header X-DataDome-log.Optional - for debug purposes only
Client-side keyYour DataDome client-side key.Yes""
Client-side advanced optionsJSON object describing JS Tag option (click here for more documentation).No""
URL exclusion regex for Client-side detectionWill not add the JS Tag to the pages matching the URL pattern.
(ex: "/https:\/\/sub\.domain\.com\/my\/path/i")
URL inclusion regex for Client-side detectionWill only add the JS Tag to the pages matching the URL pattern.
(ex: "/https:\/\/sub\.domain\.com\/my\/path/i")
Client-side tag URLURL of the JS Tag. Change default value to include the tag as a first party.Optional""
Client-side endpoint URLURL of the JS Tag endpoint. Change default value to include the tag as a first party.Optional""
GraphQL support . Extract GraphQL operation name and type on request to a /graphql endpoint to improve protectionOptionalfalse

How to update

  1. Connect to your Cloudflare console and go to the Apps section
  2. Click on "Your installed Apps"
  3. If there is a new version of DataDome available, click on "Update"

  1. Verify your settings
  2. Click on "Save changes on all pages"
  3. Your app is updated!


How can I configure the listener to support AJAX calls?

As documented here, DataDome requires the configuration of a listener in order to protect AJAX calls.

To do so, the Client-side Protection Options should be configured as follow:

  • Configuration of the listener for a single endpoint
{ "ajaxListenerPath" : "domain/api"}
  • Configuration of the listener for multiple endpoints
{ "ajaxListenerPath" : ["domain1/api", "domain2", "domain3"] }

My Cloudflare site is rate limited when I activate DataDome module


Burst rate

Accounts using the Workers free plan are subject to a burst rate limit of 1000 requests per minute.

DataDome module relies on Cloudflare Worker technology. When used on web sites with a lot of traffic, it may trigger an internal Cloudflare limit for Workers.
This can be inspected in Cloudflare firewall events.

If you are impacted by this limitation, please contact the Cloudflare support in order to lift this limit on your account. Once you are logged in your account, select the "Support" drop-down menu.

Then once you are logged in your Cloudflare support site, select "My Activities & Requests" to access the "Submit a Request" button.

The correct section to create a support ticket is found under "Get additional help":

Create a new support ticket with a clear summary (ex: "Rate Limiting on Cloudflare app")

Fill in the description with an explanation text such as the example below:


We enabled DataDome Cloudflare app on our domain.

To make sure that Cloudflare rate limiting feature will not affect the behavior of this app (blocking subrequests to its web servers); could you please disable the rate limiting feature for all requests toward the host

This is a known issue regarding workers embedded in apps, that has already been handled by Cloudflare support for other DataDome customers.


Finally, review your content and submit the ticket.

I do not want to use OAuth to login on DataDome

You can still use the API keys (supported for compatibility with older versions of the module).

  • Fill in the server-side and client-side keys in the appropriate fields
  • You can find the server-side and client-side keys in your dashboard