Skip to main content
Back to Home

Let UNPWNED Scan Your Cloudflare Site

See a yellow "Partial Scan" result on your report? If Cloudflare was detected at the perimeter, it may have challenged some scanner requests. Authentication, rate limiting, upstream availability, and network errors can create the same gaps, so the report keeps completed evidence separate from unanswered checks. Allowlisting gives an owner-authorized re-scan the best chance of complete coverage.

The short version

Fastest: click Connect Cloudflare in UNPWNED and approve once. That verifies your domain and enables the Pro allowlist quick action on a blocked report. Return to the report and click Allowlist scanner IPs before re-running the scan. Rather do it by hand? Step 1 verifies you own the site (one copy-paste DNS record); if Cloudflare still blocks, Step 2 adds a rule that lets our published scanner IPs through - the same method on every Cloudflare plan, including the free one.

Easiest: connect Cloudflare in one click

The simplest way to let us in is to connect Cloudflare directly. In UNPWNED, open Settings and click Connect Cloudflare(you can also click it straight from a blocked report). You approve the connection on Cloudflare's own screen. Then return to the blocked report, review the allowlist quick action, and apply it without building a firewall rule by hand.

One connection enables all three

  • Verifies your domain for you, so there is no TXT record to copy.
  • Enables the Pro Allowlist scanner IPs quick action on a blocked report. UNPWNED creates the rule only after you click that action.
  • Can auto-fix common email DNS issues (SPF and DMARC) when you ask it to.

We request the permissions shown on Cloudflare's consent screen, and you can revoke access from your Cloudflare profile. Connecting does not silently create a firewall rule. The allowlist quick action shows the exact operation after the connection is ready; you can also follow the manual steps below.

Connect Cloudflare →

Prefer to do it manually?

You never have to connect anything. The two steps below reach the same result by hand, and they stay in effect permanently.

01

Verify your domain (do this first)

When you prove the site is yours, we mark the scan as owner-approved and stop using a robotic "scanner" identity that bot filters may block. Many Cloudflare sites return more complete evidence after this step. It takes about two minutes and only needs you to copy one DNS record.

A.

Open UNPWNED, go to Domains, and add your domain. We give you a unique TXT record that looks like this:

unpwned-verify-xxxxxxxxxxxxxxxx
B.

In your Cloudflare dashboard, open DNS → Records, click Add record, choose type TXT, paste the value, and save.

C.

Back in UNPWNED, click Verify. That is it. Re-run your scan and check whether coverage improved.

Verify my domain →
02

Still blocked? Allow our scanner (any Cloudflare plan)

Only do this when the owner-authorized re-scan still reports blocked checks. The path is the same on every Cloudflare plan, including the free one: add a rule that lets our published scanner IPs through. It is the same thing scanners like Detectify and Intruder ask for.

Monitoring is different

A temporary Bot Fight Mode pause affects general bot protection and only helps one scan. Prefer the narrow IP Access Rule below for both one-time scans and scheduled monitoring. UNPWNED preserves your last reliable score when a monitor later returns partial coverage.

Fastest path: let UNPWNED add the rule

If you already connected Cloudflare in UNPWNED, open the blocked report and click Allowlist scanner IPs. We will add the exact IP Access Rules for the published scanner IPs below. Cloudflare applies these rules at account scope, so the action may cover other zones in the same connected Cloudflare account, but it only allows requests from UNPWNED's published scanner IPs. If your existing token was DNS-only, reconnect Cloudflare with Firewall Access Rules permission first.

Already verified your domain?

Once a domain is verified, we scan it as a real browser carrying a signed UNPWNED identity, but every scan still leaves from our published scanner IPs. So the IP Access Rule below covers verified scans too, and it works on any Cloudflare plan, free included. Re-run afterward to see whether any unrelated gaps remain.

Allow our scanner IPs (recommended, any plan)

We scan from a small, stable set of IP addresses that we own and publish. A Cloudflare IP Access Rule with the Allow action lets those IPs through - and because an IP Access Rule is checked before Bot Fight Mode, it works on the free plan too, not only paid plans. An IP address cannot be spoofed the way a User-Agent string can, so this is the method the major scanners (Detectify, Intruder, Qualys) use. You set it up once.

Our scanner IPs

3.224.164.255
3.219.38.3
  1. 1.Open your Cloudflare dashboard and pick your domain.
  2. 2.Find IP Access Rules. On newer dashboards it lives under Security → Settings (use the search box, type IP access rules); on older ones it is Security → WAF → Tools.
  3. 3.Start a new IP access rule. The action must be "Allow". If your dashboard instead opens a custom rule whose only option is Skip (no Allow), that will not get past Bot Fight Mode on the free plan - use the Bot Fight Mode toggle below instead.
  4. 4.Enter the first IP above, set Action to Allow, apply it to this website, add a note like UNPWNED scanner, and click Create.
  5. 5.Repeat for every scanner IP listed above, then re-run your scan in UNPWNED.

An Allow rule only matches requests from our published scanner IPs - every other visitor and bot stays protected exactly as before. When UNPWNED creates the rule for you, Cloudflare may store it as an account-level IP Access Rule, so it can apply to other zones in that connected Cloudflare account. It still only allows UNPWNED's published scanner IPs, and it does not disable Bot Fight Mode, WAF rules, or any other general protection. The same IPs are published machine-readably at /scanning-ips.json. If an IP rule cannot be created, the temporary Bot Fight Mode path below is a last resort, not the recommended setup.

Last resort: temporarily pause Bot Fight Mode

Use this only when you cannot create the narrow IP Access Rule above. Pausing Bot Fight Mode reduces bot protection for all traffic during the scan. Keep the window short, restore it immediately afterward, and do not use this path for monitoring.

  1. 1.Open your Cloudflare dashboard and pick your site.
  2. 2.Go to Security → Bots.
  3. 3.Toggle Bot Fight Mode to Off.
  4. 4.Come back to UNPWNED and re-run your scan. Wait for it to finish.
  5. 5.Toggle Bot Fight Mode back to On. Your protection is restored.

Why this is a last resort: Cloudflare does not allow a custom Skip rule to bypass Free-plan Bot Fight Mode. A matching IP Access Allow rule is narrower and is evaluated first, so use that path whenever it is available.

That's it

Re-run your scan. If every required check returns authoritative evidence, UNPWNED will publish an official score and grade. If coverage is still partial, keep your protection enabled and send the report link to [email protected] and we will help.

Run my scan again →

Need the complete verification, Deep Scan, allowlist, and re-scan flow? Open the scan completion guide. For technical scanner identity and rules for other firewalls, see our Scanning Policy.