Cloudflare Security Insights
Cloudflare Security Insights is a security scanner operated by Cloudflare. It probes websites for vulnerabilities, exposed credentials, misconfigurations, or compliance issues.
Whether to allow it depends entirely on who is running it. If it is your own pen-test vendor or your bug-bounty researchers, allow it. If it is hostile reconnaissance, block it.
Look at the IP source and the request pattern. Hostile scanners tend to probe known-vulnerable URLs aggressively; legitimate scanners usually identify themselves and crawl gently.
See Cloudflare Security Insights on your own site
Match the User-Agent header on incoming requests against the pattern below.
regex
For higher confidence, also verify the source IP against the operator's published ranges. UA strings can be spoofed; IP ownership is harder to fake.
Renders JavaScript: No
IP verification: Published IP ranges
Crawl frequency: Variable / probing
Honors robots.txt: Yes
Honors Crawl-delay: Varies
Cloudflare runs 35 bots in total. Each one is a separate user-agent so you can allow or block them independently.
DevOps & Monitoring: 10
SEO Crawler: 6
CDN Infrastructure: 5
Training Crawler: 4
Security Scanner: 3
- Cloudflare-Validator
- Digicert DCV
- Cloudflare Security Insights (you are here)
AI Search Index: 2
Link Unfurler: 2
Generic Crawler: 2
Task Automation: 1
Should I let Cloudflare Security Insights through?
Watch your logs for a week first. Allow your own pen-testers and bug-bounty researchers. Block hostile reconnaissance. Source IP and pattern tell you which is which.
Does blocking Cloudflare Security Insights affect my Google rankings?
No. Cloudflare Security Insights is not a search-engine crawler. Your ranking on Google or Bing is unaffected by what you do here.
How do I confirm a request is really from Cloudflare Security Insights?
Look at the User-Agent header in your access logs and match it against the strings listed above. Worth knowing that the User-Agent is easy to fake, so this check tells you "the traffic claims to be Cloudflare Security Insights", not "the traffic is genuinely Cloudflare Security Insights". If you need stronger guarantees, look for a reverse-DNS check or wait for Cloudflare to publish IP ranges.
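The two checks this page describes (a User-Agent match, then a source-IP comparison against ranges the operator publishes), run over access-log lines. This is an added example, not code from this page or from Cloudflare; the UA pattern, the CIDR range, the log lines and the function name `triage` are constructed placeholders to replace with the operator's documented values.

```python
import ipaddress
import re
from collections import defaultdict

# Placeholder only: substitute the User-Agent pattern from the operator's documentation.
UA_PATTERN = re.compile(r"Security[ -]?Insights", re.IGNORECASE)
# Constructed stand-in (RFC 5737 documentation range), not a real published range.
PUBLISHED_RANGES = [ipaddress.ip_network("192.0.2.0/24")]

# Combined log format: ip - - [time] "METHOD path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def triage(lines, ua_pattern=UA_PATTERN, ranges=PUBLISHED_RANGES):
    """Group requests that claim the scanner's UA by source IP, then verify each IP."""
    seen = defaultdict(lambda: {"requests": 0, "paths": set()})
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or not ua_pattern.search(m["ua"]):
            continue  # unparsable line, or traffic that does not claim to be the scanner
        seen[m["ip"]]["requests"] += 1
        seen[m["ip"]]["paths"].add(m["path"])
    report = {}
    for ip, entry in seen.items():
        try:
            in_range = any(ipaddress.ip_address(ip) in net for net in ranges)
        except ValueError:
            in_range = False  # hostname or malformed address: cannot be verified
        report[ip] = {
            "verdict": "ua+ip verified" if in_range else "ua claimed, ip unverified",
            "requests": entry["requests"],
            "distinct_paths": len(entry["paths"]),
        }
    return report

# Constructed sample access-log lines (documentation IPs, made-up UA strings).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2025:10:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (compatible; Cloudflare Security Insights; constructed)"',
    '192.0.2.10 - - [01/Jan/2025:10:00:09 +0000] "GET /robots.txt HTTP/1.1" 200 64 "-" "Mozilla/5.0 (compatible; Cloudflare Security Insights; constructed)"',
    '203.0.113.77 - - [01/Jan/2025:10:01:00 +0000] "GET /.env HTTP/1.1" 404 0 "-" "Cloudflare Security Insights (constructed)"',
    '203.0.113.77 - - [01/Jan/2025:10:01:00 +0000] "GET /wp-login.php HTTP/1.1" 404 0 "-" "Cloudflare Security Insights (constructed)"',
    '203.0.113.77 - - [01/Jan/2025:10:01:01 +0000] "GET /.git/config HTTP/1.1" 404 0 "-" "Cloudflare Security Insights (constructed)"',
    '198.51.100.5 - - [01/Jan/2025:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 900 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
]

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

An "ua claimed, ip unverified" row with many distinct paths in a short window is the candidate for an edge block or rate limit; a verified row is the one to compare against your authorised testing schedule.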
Is Cloudflare Security Insights hostile traffic?
Depends entirely on the source. Penetration testers and bug-bounty researchers you've authorised should be allowed. Reconnaissance from random IPs probing for vulnerabilities should be blocked. The User-Agent alone doesn't tell you which is which; the source IP and request pattern do.
How is Cloudflare Security Insights different from Cloudflare's other bots?
Cloudflare splits work across multiple user-agents so site owners can decide on each one independently. Training crawlers, live-fetch agents, search indexers, and agentic browsers each get their own name. Worth scanning the rest of the Cloudflare family above to see which ones actually matter for your site.
What's the cleanest way to control Cloudflare Security Insights?
Two layers. Robots.txt for the polite crawlers that read it, and rules at your CDN or edge for the ones that don't. Rankly's Agent Experience handles both from a single config, so you can allow, block, rate-limit, or serve a stripped-down version per bot. Agent Analytics handles the observation half so you know which bots are actually worth a rule.
Verify everything above against the operator's own documentation.