{"slug": "cloudflare-captcha-on-at-least-one-ampersand", "title": "Cloudflare CAPTCHA on at least one ampersand", "summary": "Simon Willison configured Cloudflare's managed challenge to only trigger on search URLs containing an ampersand, preventing CAPTCHA prompts for simple queries. He used Claude Code to interact with the Cloudflare API after the Cloudflare MCP failed to edit the rules.", "body_md": "**TIL:** [Cloudflare CAPTCHA on at least one ampersand](https://til.simonwillison.net/cloudflare/captcha-on-at-least-one-ampersand)\n\nI'm using Cloudflare's CAPTCHA (they call it a \"Web Application Firewall > Custom rules > Managed Challenge\" these days) to prevent crawlers from aggresively spidering my [faceted search engine](https://simonwillison.net/2017/Oct/5/django-postgresql-faceted-search/) on this site, but I got fed up of even simple `?q=term`\n\nsearches triggering the challenge.\n\nAfter some mucking around with Claude Code it turns out you can register the following rule instead, so the CAPTCHA only kicks in for search URLs containing at least one ampersand:\n\n`(http.request.uri.path wildcard r\"/search/*\" and http.request.uri.query contains \"&\")`\n\nAnd now [/search/?q=lemur](https://simonwillison.net/search/?q=lemur) works without triggering a CAPTCHA!\n\nAlso included: notes on [trying out the Cloudflare MCP with Claude Code](https://til.simonwillison.net/cloudflare/captcha-on-at-least-one-ampersand#trying-the-cloudflare-mcp), though it turned out not to be able to edit the rules in question so I had Claude Code [switch to the Cloudflare API](https://til.simonwillison.net/cloudflare/captcha-on-at-least-one-ampersand#using-the-api-instead) instead.\n\nTags: [captchas](https://simonwillison.net/tags/captchas), [cloudflare](https://simonwillison.net/tags/cloudflare), [model-context-protocol](https://simonwillison.net/tags/model-context-protocol), [claude-code](https://simonwillison.net/tags/claude-code)", "url": "https://wpnews.pro/news/cloudflare-captcha-on-at-least-one-ampersand", "canonical_source": "https://simonwillison.net/2026/Jun/16/captcha-on-at-least-one-ampersand/#atom-everything", "published_at": "2026-06-16 00:21:36+00:00", "updated_at": "2026-06-16 00:47:51.238648+00:00", "lang": "en", "topics": ["ai-tools", "developer-tools"], "entities": ["Cloudflare", "Claude Code", "Cloudflare API", "Cloudflare MCP", "Simon Willison"], "alternates": {"html": "https://wpnews.pro/news/cloudflare-captcha-on-at-least-one-ampersand", "markdown": "https://wpnews.pro/news/cloudflare-captcha-on-at-least-one-ampersand.md", "text": "https://wpnews.pro/news/cloudflare-captcha-on-at-least-one-ampersand.txt", "jsonld": "https://wpnews.pro/news/cloudflare-captcha-on-at-least-one-ampersand.jsonld"}}