Cookiebot

Security ScannerPurpose·Security probeSafety·AggressiveSEO impact·NoneBlocked by·Not yet measuredSnapshot·2026-04

01 /Overview

Cookiebot is a security scanner operated by Cookiebot. It probes websites for vulnerabilities, exposed credentials, misconfigurations, or compliance issues.

Whether to allow it depends entirely on who is running it. If it is your own pen-test vendor or your bug-bounty researchers, allow it. If it is hostile reconnaissance, block it.

Look at the IP source and the request pattern. Hostile scanners tend to probe known-vulnerable URLs aggressively; legitimate scanners usually identify themselves and crawl gently.

See Cookiebot on your own site

02 /Identification

Match the User-Agent header on incoming requests against the pattern below.

regex

Cookiebot

For higher confidence, also verify the source IP against the operator's published ranges. UA strings can be spoofed; IP ownership is harder to fake.

03 /Control

The polite way is a robots.txt rule. Compliant agents respect it; the others ignore it.

robots.txt

User-agent: Cookiebot Disallow: /

Test a URL

Paste any URL on your site and we'll fetch its robots.txt to check whether Cookiebot is allowed.

04 /Technical fingerprint

Renders JavaScript

IP verification

User-Agent only

Crawl frequency

Variable / probing

Honors robots.txt

Yes

Honors Crawl-delay

Varies

05 /Expected behavior

Expect probing patterns, requests aimed at known-vulnerable URLs, parameter fuzzing, or admin paths. Volume varies wildly depending on the operator.

Common questions

Should I let Cookiebot through?

Watch your logs for a week first. Allow your own pen-testers and bug-bounty researchers. Block hostile reconnaissance. Source IP and pattern tell you which is which.

Does blocking Cookiebot affect my Google rankings?

No. Cookiebot is not a search-engine crawler. Your ranking on Google or Bing is unaffected by what you do here.

How do I confirm a request is really from Cookiebot?

Look at the User-Agent header in your access logs and match it against the strings listed above. Worth knowing that the User-Agent is easy to fake, so this check tells you "the traffic claims to be Cookiebot", not "the traffic is genuinely Cookiebot". If you need stronger guarantees, look for a reverse-DNS check or wait for Cookiebot to publish IP ranges.

Is Cookiebot hostile traffic?

Depends entirely on the source. Penetration testers and bug-bounty researchers you've authorised should be allowed. Reconnaissance from random IPs probing for vulnerabilities should be blocked. The User-Agent alone doesn't tell you which is which, the source IP and request pattern do.

What's the cleanest way to control Cookiebot?

Two layers. Robots.txt for the polite crawlers that read it, and rules at your CDN or edge for the ones that don't. Rankly's Agent Experience handles both from a single config, so you can allow, block, rate-limit, or serve a stripped-down version per bot. Agent Analytics handles the observation half so you know which bots are actually worth a rule.

Agent Directory

Cookiebot

Security ScannerPurpose·Security probeSafety·AggressiveSEO impact·NoneBlocked by·Not yet measuredSnapshot·2026-04

01 /Overview

Cookiebot is a security scanner operated by Cookiebot. It probes websites for vulnerabilities, exposed credentials, misconfigurations, or compliance issues.

Whether to allow it depends entirely on who is running it. If it is your own pen-test vendor or your bug-bounty researchers, allow it. If it is hostile reconnaissance, block it.

Look at the IP source and the request pattern. Hostile scanners tend to probe known-vulnerable URLs aggressively; legitimate scanners usually identify themselves and crawl gently.

See Cookiebot on your own site

02 /Identification

Match the User-Agent header on incoming requests against the pattern below.

regex

Cookiebot

For higher confidence, also verify the source IP against the operator's published ranges. UA strings can be spoofed; IP ownership is harder to fake.

03 /Control

The polite way is a robots.txt rule. Compliant agents respect it; the others ignore it.

robots.txt

User-agent: Cookiebot Disallow: /

Test a URL

Paste any URL on your site and we'll fetch its robots.txt to check whether Cookiebot is allowed.

04 /Technical fingerprint

Renders JavaScript

IP verification

User-Agent only

Crawl frequency

Variable / probing

Honors robots.txt

Yes

Honors Crawl-delay

Varies

05 /Expected behavior

Expect probing patterns, requests aimed at known-vulnerable URLs, parameter fuzzing, or admin paths. Volume varies wildly depending on the operator.

Common questions

Should I let Cookiebot through?

Watch your logs for a week first. Allow your own pen-testers and bug-bounty researchers. Block hostile reconnaissance. Source IP and pattern tell you which is which.

Does blocking Cookiebot affect my Google rankings?

No. Cookiebot is not a search-engine crawler. Your ranking on Google or Bing is unaffected by what you do here.