
Allow Heatmap Analytics through Cloudflare

Whitelisting our service lets us render your site accurately. Setup takes under 2 minutes.


Why you need to do this

To generate heatmaps and session recordings, we fetch your site through our proxy servers — the same way your visitors' browsers do. Cloudflare's Bot Fight Mode is designed to block automated requests, which means it can block ours too.

When that happens, renders come back incomplete or blank, and your analytics data becomes unreliable.

⚠️ Common mistake: Creating a WAF Custom Rule to "Skip" our traffic does not work. Bot Fight Mode runs before WAF rules are evaluated, so the Skip action never reaches our requests.

The only approach that works: Use an IP Access Rule (Allow) — this is evaluated first in Cloudflare's pipeline and exempts our IP before Bot Fight Mode can block it.


How to set it up (2 steps)

Step 1 — Go to IP Access Rules

In your Cloudflare dashboard, navigate to: Security › WAF › Tools › IP Access Rules

Make sure you're in the correct zone (your website's domain).

Step 2 — Create the Allow rule

Click Create rule and fill in the fields exactly as shown:

  • IP Address: 166.117.54.25 / 35.71.148.26 / 16.147.25.198 / 44.225.101.246

  • Action: Allow

  • Notes: Heatmap Analytics Proxy

  • Zone: This website

✅ The rule takes effect within 60 seconds. No page reload or cache purge needed.
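
The same Allow rule can be created through the Cloudflare API instead of the dashboard. The script below is an added example, not code from Heatmap Analytics or Cloudflare: it assumes the environment variables CF_API_TOKEN and CF_ZONE_ID, uses illustrative function names, and sends one request per address because each IP Access Rule holds a single value.

```shell
#!/bin/sh
# Added example (not the vendor's code): one zone-scoped Allow rule per proxy address.
# Assumed environment variables: CF_API_TOKEN (API token) and CF_ZONE_ID (zone ID).
PROXY_IPS="166.117.54.25 35.71.148.26 16.147.25.198 44.225.101.246"
NOTE="Heatmap Analytics Proxy"
API="https://api.cloudflare.com/client/v4"

# Accept only a single dotted-quad IPv4 address, so a typo or a CIDR range
# cannot end up allowing more hosts than the four listed.
is_ipv4() {
  case $1 in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  old_ifs=$IFS; IFS=.
  set -- $1
  IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
  done
}

# JSON body for one rule; "whitelist" is the API's name for the Allow action.
rule_payload() {
  is_ipv4 "$1" || { echo "refusing invalid address: $1" >&2; return 1; }
  printf '{"mode":"whitelist","configuration":{"target":"ip","value":"%s"},"notes":"%s"}\n' "$1" "$NOTE"
}

# Print every request body without sending anything (dry run).
all_payloads() {
  for ip in $PROXY_IPS; do rule_payload "$ip" || return 1; done
}

# Send one POST per address to the zone's IP Access Rules endpoint.
create_rules() {
  : "${CF_API_TOKEN:?set CF_API_TOKEN}" "${CF_ZONE_ID:?set CF_ZONE_ID}"
  all_payloads | while IFS= read -r body; do
    curl -sS -f -X POST "$API/zones/$CF_ZONE_ID/firewall/access_rules/rules" \
      -H "Authorization: Bearer $CF_API_TOKEN" -H "Content-Type: application/json" \
      --data "$body" || exit 1
    echo
  done
}

# "plan" prints the bodies; "apply" sends them. With no argument nothing happens.
case ${1:-} in
  plan)  all_payloads ;;
  apply) create_rules ;;
esac
```

Run it with `plan` first to review the four request bodies, then with `apply` once the token and zone ID are set.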


How to verify it worked

Go to Security → Events in your Cloudflare dashboard. Filter by your domain and check recent entries. Requests from our proxy IP should show the action Allow, not Block or Challenge.

If you still see Bot Fight Mode listed as the blocking service, the rule wasn't saved correctly or the IP address was entered incorrectly.


Frequently asked questions

I created a WAF Custom Rule to allow your hostname — why isn't it working?

WAF Custom Rules run after Bot Fight Mode in Cloudflare's pipeline. By the time your rule is evaluated, our request is already blocked. The IP Access Rule runs first — that's why it's the only method that works.

Can I use a Page Rule to disable security for your traffic?

No. Page Rules with "Disable Security" cannot bypass Bot Fight Mode or Super Bot Fight Mode — this is confirmed by Cloudflare's own documentation.

Does this work on the free Cloudflare plan?

Yes. IP Access Rules are available on all plans including Free. Free and Pro plans support up to 10,000 rules, so adding one is no problem.

Will allowing your IP affect my site's security?

Only traffic from our specific proxy IP is affected — no other visitors or bots are exempted. If you ever need to revoke access, simply delete the rule and our proxy will be subject to standard security checks again.

What if your proxy IP changes?

Our proxy uses static, dedicated IPs that don't change during normal operations. If we ever need to update them, we'll notify you by email at least 7 days in advance.

How do I know if Bot Fight Mode is what's blocking you?

Go to Security → Events, filter by our proxy IP, and look for entries with "Bot Fight Mode" listed as the service. That confirms it's the culprit.

Can you get Cloudflare to whitelist Heatmap Analytics globally?

We're pursuing Cloudflare's verified bots program, which would whitelist our service network-wide. It requires a lengthy approval process. The IP Access Rule is the reliable, immediate solution in the meantime.

I have multiple Cloudflare zones — do I need to add the rule to each one?

Not necessarily. When creating the rule, you can scope it to "All websites in account" to cover all your Cloudflare zones at once. We recommend this if Heatmap Analytics is tracking multiple domains under the same account.


Need help? Contact us at support@heatmap.com and we'll walk you through it.
