Cloudflare CAPTCHA on at least one ampersand

Cloudflare has introduced a granular method for configuring its managed challenge rules, allowing site owners to apply CAPTCHA protections based on specific…

By Vane June 16, 2026 1 min read

Cloudflare has introduced a granular method for configuring its managed challenge rules, allowing site owners to apply CAPTCHA protections based on specific query string parameters rather than entire paths. Simon Willison discovered that standard configurations often trigger verification prompts for simple searches like ?q=term, which frustrates legitimate users. He successfully refined the rule to target only URLs containing an ampersand, ensuring that basic queries proceed without interruption while aggressive spidering remains blocked. The implementation involved adjusting the logic to check if the request URI query contains the specific character, a change made possible through direct API interaction rather than the model context protocol interface.

This level of precision highlights the growing need for fine-tuned access control as automated tools become more sophisticated. Broad application of security challenges degrades user experience and wastes time for developers who frequently test their applications. By restricting challenges to complex queries, organisations can maintain security against bots without impeding human traffic. This approach also underscores the limitations of current AI coding assistants when managing complex infrastructure configurations, as direct API usage remains necessary for specific rule adjustments.

* Cloudflare managed challenges can now be scoped to specific query parameters like ampersands.
* Simple search queries no longer trigger CAPTCHAs when rules are configured precisely.
* AI coding tools may require manual API intervention for complex infrastructure edits.

Scroll to Top