Cloudflare CAPTCHA on at least one ampersand
Simon Willison uses Cloudflare's Managed Challenge to protect his faceted search from aggressive crawlers, but even simple ?q=term searches triggered the challenge. Using Claude Code, he discovered a rule that only triggers CAPTCHA for search URLs containing at least one ampersand, allowing simple searches to pass through without challenge.
TIL: Cloudflare CAPTCHA on at least one ampersand
Simon Willison’s Weblog
Subscribe
16th June 2026
TIL
Cloudflare CAPTCHA on at least one ampersand — I use Cloudflare's CAPTCHA (they call it a "Managed Challenge") on [simonwillison.net/search/](https://simonwillison.net/search/) to prevent crawlers from following every single possible combination of my [faceted search](https://simonwillison.net/2017/Oct/5/django-postgresql-faceted-search/) UI.
I'm using Cloudflare's CAPTCHA (they call it a "Web Application Firewall > Custom rules > Managed Challenge" these days) to prevent crawlers from aggresively spidering my faceted search engine on this site, but I got fed up of even simple ?q=term searches triggering the challenge.
After some mucking around with Claude Code it turns out you can register the following rule instead, so the CAPTCHA only kicks in for search URLs containing at least one ampersand:
(http.request.uri.path wildcard r"/search/*" and http.request.uri.query contains "&")
And now /search/?q=lemur works without triggering a CAPTCHA!
Recent articles
Publishing WASM wheels to PyPI for use with Pyodide - 13th June 2026
Claude Fable is relentlessly proactive - 11th June 2026
Initial impressions of Claude Fable 5 - 9th June 2026
This is a beat by Simon Willison, posted on 16th June 2026.
captchas 9
cloudflare 31
Monthly briefing
Sponsor me for $10/month and get a curated email digest of the month's most important LLM developments.
Pay me to send you less!
Sponsor & subscribe
Disclosures
Colophon
©
2002
2003
2004
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
2015
2016
2017
2018
2019
2020
2021
2022
2023
2024
2025
2026