DataDome Cloudflare app detects and protects against bot activity

This module is dedicated to be used on Cloudflare, using the App with Workers feature.

Before the regular Cloudflare process kicks-in, an event is triggered and processes the DataDome logic in a Workers function.
The module makes a call to the closest DataDome endpoint. Depending on the API response, the module either blocks the request or lets Cloudflare proceed with the regular process.

The module has been developed to protect the visitors' user experience: if any errors were to occur during the process, or if the timeout is reached, the module will automatically disable its blocking process and allow the regular Cloudflare process to proceed.


A free trial must be started (by using the sign-up form) or an account must be enabled by a DataDome representative. The relevant Cloudflare site will be assigned a unique “API key” and “JS key”.

How to install and configure

  1. Connect to your Cloudflare console and go to the Apps section
  2. Click on "Explore Apps"
  3. Search for "DataDome"
  1. Click on the the app, then the "Preview on your site" button

Identify with OAuth (recommended - see the FAQ for an alternative solution):

  1. Click on "Login or Register" to link your existing DataDome account to your Cloudflare account or to create a new account on DataDome.
  1. The following panel will display, allowing you to login or SignUp.
  1. You can access advanced options by selecting the "Show advanced options" box.
    Advanced options allow you to configure the following:
  • JS Tag options: JSON object containing all the keys & values to configure the JSTag (see JSTag documentation)
  • Change the default timeout: Response Timeout from the DataDome Server (in ms).
    We recommend not to change these settings without referring to a DataDome support team first.
  1. Click on the 'Install on all pages' button found at the bottom of the page

Congrats! Your website is ready to be protected, at the Edge, against bot traffic!






Server-side key

Your DataDome server-side key




Timeout for response from the DataDome Server (in ms)



Static assets URI exclusion regex for Server-side detection

Ignores all matching URIs. Used for excluding traffic associated with static assets (ex: "/.js/i"). Only executed for GET and HEAD requests. The associated traffic will not be sent to DataDome for analysis.


static assets regex

URL inclusion regex for Server-side detection

Will only send traffic associated with matching URLs to DataDome. Default value matches everything.
(ex. "/^/(login|register)$/")



URL exclusion regex for Server-side detection

Ignores all matching hostnames.
The associated traffic will not be sent to DataDome for analysis.
(ex: "/")



Client-side key

Your DataDome client-side key



Client-side advanced options

JSON object describing JStag option (click here for more documentation)



URL exclusion regex for Client-side detection

The associated traffic matching the URL pattern, will not be sent to DataDome for analysis.
(ex: "/routeToExclude//i")

Client-side tag URL

URL of the JS tag. Change default value to include the tag as a first party.



Client-side endpoint URL

URL of the JS tag endpoint. Change default value to include the tag as a first party.



IPs exclusion for server-side detection

List of IPs. The traffic sent from these IPs will not be sent to DataDome.
ex: ["", ""]




How can I configure the listener to support AJAX calls?

As documented here, DataDome requires the configuration of a listener in order to protect AJAX calls.

To do so, the Client-side Protection Options should be configured as follow:

  • Configuration of the listener for a single endpoint
{ "ajaxListenerPath" : "domain/api"}
  • Configuration of the listener for multiple endpoints
{ "ajaxListenerPath" : ["domain1/api", "domain2", "domain3"] }

My Cloudflare site is rate limited when I activate DataDome module


Burst rate

Accounts using the Workers free plan are subject to a burst rate limit of 1000 requests per minute.

DataDome module relies on Cloudflare Worker technology. When used on web sites with a lot of traffic, it may trigger an internal Cloudflare limit for Workers.
This can be inspected in Cloudflare firewall events.

If you are impacted by this limitation, please contact the Cloudflare support in order to lift this limit on your account. Once you are logged in your account, select the "Support" drop-down menu.

Then once you are logged in your Cloudflare support site, select "My Activities & Requests" to access the "Submit a Request" button.

The correct section to create a support ticket is found under "Get additional help":

Create a new support ticket with a clear summary (ex: "Rate Limiting on Cloudflare app")

Fill in the description with an explanation text such as the example below:


We enabled DataDome Cloudflare app on our domain.

To make sure that Cloudflare rate limiting feature will not affect the behavior of this app (blocking subrequests to its web servers); could you please disable the rate limiting feature for all requests toward the host

This is a known issue regarding workers embedded in apps, that has already been handled by Cloudflare support for other DataDome customers.


Finally, review your content and submit the ticket.

I do not want to use OAuth to login on DataDome

You can still use the API keys (supported for compatibility with older versions of the module).

  • Fill in the server-side and client-side keys in the appropriate fields
  • You can find the server-side and client-side keys in your dashboard

The JSTag is not automatically added to our pages

Our Cloudflare module relies on HTML parsing to add the JSTag at the right place. Bad syntax or missing tags can cause this operation to fail.