What’s happening
Cloudflare’s Bot Fight Mode and Super Bot Fight Mode block Slackbot despite it being Verified Bot #34 in Cloudflare’s directory. Links show as plain text with no unfurl.
Why
Bot Fight Mode classifies traffic using IP reputation, TLS fingerprints, and request patterns. Slackbot trips these heuristics because it runs on AWS with rotating IPs (mixed reputation), makes single-fetch requests with a Range header, and doesn’t execute JavaScript. Depending on configuration, Bot Fight Mode may not exempt all verified bots.
IP allowlisting won’t work
Slack doesn’t publish a static IP list. The IPs rotate on AWS. Any allowlist you build today is stale tomorrow.
Fix: WAF user-agent rule
Create a Cloudflare WAF custom rule to let Slackbot through:
- Go to Security > WAF > Custom rules
- Create a rule:
  - Field: User Agent
  - Operator: contains
  - Value: Slackbot
  - Action: Skip (bypass Bot Fight Mode)
This catches both Slackbot-LinkExpanding and Slack-ImgProxy.
Alternative: verified bot exemption
On Super Bot Fight Mode (Pro plans+):
- Go to Security > Bots
- Set Verified bots to Allow
This should exempt Slackbot, though behavior can vary by configuration.
Testing
After adding the rule:
curl -A "Slackbot-LinkExpanding 1.0 (+https://api.slack.com/robots)" \
  -I https://yoursite.com/page

You should get 200 OK. If you still see 403 or a Cloudflare challenge page, check WAF rule ordering, since rules evaluate top-to-bottom and an earlier rule may be blocking first.
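To tell a plain 403 from a Cloudflare challenge when repeating the test above, the response headers can be classified by script. This is an added example, not part of the original page: it assumes Cloudflare marks challenge responses with a `cf-mitigated: challenge` header and counts 206 as success because the request carries a Range header. The byte range, the function names and the demo captures are constructed.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): classify how the edge answered
# a Slackbot-style fetch, using only the response headers.

SLACKBOT_UA='Slackbot-LinkExpanding 1.0 (+https://api.slack.com/robots)'

# Reads raw response headers on stdin (e.g. from `curl -D -`) and prints:
#   ok | challenge | blocked | other:<status> | no-response
classify_headers() {
  awk '
    { sub(/\r$/, "") }                                 # strip CR from CRLF endings
    /^HTTP\// { status = $2; challenged = 0; next }    # last response wins
    tolower($0) ~ /^cf-mitigated:[ \t]*challenge/ { challenged = 1 }
    END {
      if (status == "")                            print "no-response"
      else if (challenged)                         print "challenge"
      else if (status == "403")                    print "blocked"
      else if (status == "200" || status == "206") print "ok"
      else                                         print "other:" status
    }'
}

# Fetch a URL the way the page describes Slackbot doing it: one GET with the
# Slackbot user agent and a Range header. The byte range is a constructed value.
check_unfurl() {
  curl -sS -o /dev/null -D - -A "$SLACKBOT_UA" \
       -H 'Range: bytes=0-32768' "$1" | classify_headers
}

# Constructed sample captures, so the classifier can be exercised offline.
demo() {
  printf 'HTTP/2 200 \r\nserver: cloudflare\r\n\r\n' | classify_headers
  printf 'HTTP/2 403 \r\ncf-mitigated: challenge\r\n\r\n' | classify_headers
  printf 'HTTP/1.1 403 Forbidden\r\nserver: cloudflare\r\n\r\n' | classify_headers
}

# Usage: ./check_unfurl.sh https://yoursite.com/page   (no argument runs demo)
if [ "$#" -gt 0 ]; then check_unfurl "$1"; else demo; fi
```

A result of `challenge` or `blocked` after the rule is in place points back to the rule-ordering check described above.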
Other WAFs
This isn’t Cloudflare-specific. AWS WAF, Sucuri, and Akamai can all block Slackbot. The fix is the same everywhere: create an allow rule matching the Slackbot user agent string.