Cloudflare CAPTCHA on at least one ampersand

Simon Willison configured Cloudflare's managed challenge to only trigger on search URLs containing an ampersand, preventing CAPTCHA prompts for simple queries. He used Claude Code to interact with the Cloudflare API after the Cloudflare MCP failed to edit the rules.

TIL: Cloudflare CAPTCHA on at least one ampersand https://til.simonwillison.net/cloudflare/captcha-on-at-least-one-ampersand

I'm using Cloudflare's CAPTCHA (they call it a "Web Application Firewall Custom rules Managed Challenge" these days) to prevent crawlers from aggressively spidering my faceted search engine https://simonwillison.net/2017/Oct/5/django-postgresql-faceted-search/ on this site, but I got fed up of even simple ?q=term searches triggering the challenge.

After some mucking around with Claude Code it turns out you can register the following rule instead, so the CAPTCHA only kicks in for search URLs containing at least one ampersand:

    http.request.uri.path wildcard r"/search/*" and http.request.uri.query contains "&"

And now /search/?q=lemur https://simonwillison.net/search/?q=lemur works without triggering a CAPTCHA.

Also included: notes on trying out the Cloudflare MCP with Claude Code https://til.simonwillison.net/cloudflare/captcha-on-at-least-one-ampersand#trying-the-cloudflare-mcp, though it turned out not to be able to edit the rules in question so I had Claude Code switch to the Cloudflare API https://til.simonwillison.net/cloudflare/captcha-on-at-least-one-ampersand#using-the-api-instead instead.

Tags: captchas https://simonwillison.net/tags/captchas, cloudflare https://simonwillison.net/tags/cloudflare, model-context-protocol https://simonwillison.net/tags/model-context-protocol, claude-code https://simonwillison.net/tags/claude-code
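
To check which requests the rule above would challenge before deploying it, here is a local Python model of its two conditions. It is an added example, not code from the post or from Cloudflare. The function names, the example.com URLs and the assumption that the query string is compared without percent-decoding are this example's own.

```python
import re
from urllib.parse import urlsplit

# The rule from the post, split into its two conditions.
PATH_WILDCARD = "/search/*"   # http.request.uri.path wildcard r"/search/*"
QUERY_NEEDLE = "&"            # http.request.uri.query contains "&"


def wildcard_match(pattern: str, value: str) -> bool:
    """Model of the `wildcard` operator: `*` matches any run of characters,
    the whole value must match, and the comparison is case-insensitive."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, flags=re.IGNORECASE | re.DOTALL) is not None


def would_challenge(url: str) -> bool:
    """True if this local model says the rule would fire for `url`."""
    parts = urlsplit(url)
    # Assumption: the query is compared as sent, with no percent-decoding,
    # so an encoded ampersand (%26) inside a search term does not count.
    return wildcard_match(PATH_WILDCARD, parts.path) and QUERY_NEEDLE in parts.query


# Constructed sample requests (example.com is a placeholder host).
SAMPLES = [
    "https://example.com/search/?q=lemur",         # single parameter
    "https://example.com/search/?q=lemur&tag=zoo", # faceted search
    "https://example.com/search/?q=cats%26dogs",   # encoded "&" in the term
    "https://example.com/search/?q=lemur&",        # trailing separator only
    "https://example.com/SEARCH/?q=a&page=2",      # different case in path
    "https://example.com/search?q=a&page=2",       # no trailing slash
    "https://example.com/archive/?a=1&b=2",        # other path
]

if __name__ == "__main__":
    for url in SAMPLES:
        print("challenge" if would_challenge(url) else "pass     ", url)
```

The no-trailing-slash case passes because the pattern requires the literal `/search/` prefix, so a site that also serves search results at `/search` would need that path covered separately.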