These checks run in a Cloudflare Worker at the edge - the same place the WAF, Bot Management and Rate Limiting operate, before traffic ever reaches an origin.
1 · WAF signature blocking
Submit a payload and watch the edge classify it. Try the presets - real attack signatures get blocked.
1' OR 1=1 --<script>alert(1)</script>../../etc/passwdblue running shoes
-
2 · Bot Management score
Cloudflare scores every request 1 (definitely bot) to 99 (definitely human). Here is yours, live.
-
3 · Rate limiting
This endpoint allows 5 requests / 10s per IP. Click rapidly and watch request #6 get a 429.