Skip to content
FormReceipt

Troubleshooting

Allowlisting FormReceipt automation

How to allowlist FormReceipt bot identity headers, user agent, and worker IPs in WAF or anti-bot tools.

Published: 2026-05-29Last reviewed: 2026-05-29

Allowlist FormReceipt safely

If your site uses Cloudflare, Wordfence, Sucuri, or another WAF, automated test runs can be challenged before submit. The safest fix is targeted allowlisting for known FormReceipt markers.

1) Allowlist identity headers and user agent

FormReceipt sends stable bot identity metadata in request headers and user agent values during test runs.

  • Allowlist requests where FormReceipt identity headers are present.
  • Add a user-agent allowlist rule for your form route only (not all routes).
  • Keep rate limits and abuse protections active for non-FormReceipt traffic.

Recommended match strategy:

  • Route scope: your contact/test form path.
  • Match on explicit FormReceipt bot markers (headers + user agent).
  • Require HTTPS and standard host/path validation in your WAF rule.

2) Allowlist worker IP ranges when required

Some hosting providers or WAF setups require source IP allowlisting in addition to headers.

  • If your policy requires IP allowlists, ask support for the current worker egress ranges.
  • Apply CIDR allowlisting only for the form endpoint path.
  • Review and refresh allowlisted ranges during routine security reviews.

3) Keep security controls tight

  • Do not bypass your entire challenge/WAF stack.
  • Avoid global allowlist rules at the domain root.
  • Track allowlist changes in your internal security/audit notes.

For policy details and what FormReceipt sends during automation, see /bot.

FAQ

What should we allowlist first?
Start with FormReceipt identity headers and user agent markers, then add worker egress IP ranges if your firewall supports CIDR allowlists.
Can we disable bot protection entirely?
No. Keep your anti-bot controls enabled and add targeted allowlist rules only for your form route and verified FormReceipt markers.

More in this category

DNS propagation and TTL

Why DNS changes lag, how TTL affects rollout, and how to verify TXT records globally.

Mail arrives in spam despite passing authentication

Why authenticated mail can still land in spam and what to check next.

Multiple SPF TXT records

Why multiple SPF TXT strings break validation and how to merge includes into a single record.

Publishing DNS records in Cloudflare

TXT and CNAME entries for SPF, DKIM, and DMARC when Cloudflare proxies email-related names correctly.

← TroubleshootingKnowledge base home← Back to home

Cookie choices

We use a required session cookie for login and optional analytics cookies for marketing pages. Read cookie policy