Yes this rule works, but you may find that the list of countries needs to be expanded significantly. They will use Vietnam, Turkey, Iraq, Colombia, Bangladesh, Afghanistan, whatever they need to. That's why it is often more effective to have another rule with an allow list for countries where you know your users are based and then challenge everywhere else. If you have an international audience, however, that's not really suitable and it becomes more complicated.I have created this in Cloudflare Custom Rules as below....
Field is Country Operator "is in" Value = (ip.geoip.country in {"SG" "RU" "HK" "CN" "DE" "BR"})
I done this to not block the entire country but to use the JS Challenge for these specific countries.
Would this work ? any thoughts much appreciated.
I agree that blocking does not necessarily work better than a challenge. It seems (without testing this thoroughly) that blocking often triggers that bot scripts to fake IP addresses from other countries until they get through, whereas a challenge keeps the bot occupied. I had more success with challenges than outright blocking.
Cloudflare also suggests using a managed challenge rather than JS Challenge, because it is a more dynamic method. If the user is detected as human, it will not intervene. Managed challenge can also throw other challenges at bots (like interactive challenges) if required.
But JS Challenge will work and won't matter if you don't care about users visiting from those countries.
Statistics: Posted by KYPREO — Mon Jul 28, 2025 2:40 am