
What Is Browser Integrity Check (BIC) From Cloudflare?

Part of the “Security” umbrella and also available to free Cloudflare users, the Browser Integrity Check (BIC) is another tool in the kit to protect your site from spammers, malicious bots, or crawlers.

If one is detected, access to your site is denied, or a challenge is presented before proceeding further. You can think of it as a threat intelligence system that automatically works behind the scenes — if enabled.

A Concise and Crisp Explanation of How Cloudflare’s BIC Works

In short, this feature scans HTTP headers and looks for the ones commonly abused by spammers. An example cited on Cloudflare’s own site is a missing or non-standard user agent.

HTTP headers are extra data points about a webpage, its resources, or everything about it. In layperson’s terms, this is akin to the metadata for an image, such as its size, dimensions, the date of the photo, possibly the camera used, whether it’s stored as PNG, etc.

Except, for the purposes of internet site visits and the context of this post, this would be about the webpage itself and possibly everything about it, such as its CSS files, scripts, etc. The information available in the header is not visible on the page you are visiting or even in the page source. It’s a whole separate thing.

To go off on a slight tangent, you can view some of a page’s headers for visual reference by opening your browser’s developer tools and heading over to the Network tab (see the example screenshot below).

An example of HTTP Headers.
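
The kind of header check described above, as an added example in Python. This is not Cloudflare’s implementation and not code from the original article; the rules for what counts as a “non-standard” user agent, the function names, and the sample requests are assumptions made for illustration.

```python
import re

# Assumption for this example: a "standard" User-Agent begins with a
# product/version token such as "Mozilla/5.0" (the RFC 9110 shape).
PRODUCT = re.compile(r"^[A-Za-z0-9!#$%&'*+.^_`|~-]+/[\w.-]+")

def parse_headers(raw: str) -> dict:
    """Return the request's headers as a dict keyed by lower-cased name
    (HTTP header names are case-insensitive)."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    headers = {}
    for line in head.split("\n")[1:]:          # [0] is the request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def check_request(raw: str) -> tuple:
    """Return (action, reason) using this example's own heuristics."""
    ua = parse_headers(raw).get("user-agent")
    if not ua:
        return ("challenge", "missing or empty User-Agent")
    if not ua.isprintable() or len(ua) > 512:
        return ("challenge", "malformed User-Agent")
    if not PRODUCT.match(ua):
        return ("challenge", "non-standard User-Agent")
    return ("allow", "User-Agent looks standard")

# Constructed sample requests (not captured traffic).
SAMPLES = {
    "browser": "GET / HTTP/1.1\r\nHost: example.com\r\n"
               "User-Agent: Mozilla/5.0 (X11; Linux x86_64) Firefox/126.0\r\n\r\n",
    "no_ua": "GET /contact HTTP/1.1\r\nHost: example.com\r\nAccept: */*\r\n\r\n",
    "empty_ua": "POST /comment HTTP/1.1\r\nHost: example.com\r\nuser-agent:\r\n\r\n",
    "odd_ua": "GET / HTTP/1.1\r\nHost: example.com\r\nUser-Agent: -\r\n\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, check_request(raw))
```

Note that the lower-cased `user-agent:` header in the `empty_ua` sample is still found, because header names are matched case-insensitively.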

The Meaning of It All

In non-technical terms, all of this essentially means that the Browser Integrity Check is a nifty, elegant yet simple tool that any Cloudflare user can turn on for their site to safeguard against ill-intended users, spammers, bots, and actors. In fact, BIC is set to on by default.

How To Check if Browser Integrity Check Blocked or Challenged Someone. In Other Words, How To Know if BIC Is Working?

This is one of those scenarios where you hope it’s not constantly being utilized; however, it would still be good to know it did its job. As things are, there is one area you can quickly navigate to in order to see if BIC was in play.

In general, to see which Cloudflare service, feature, or functionality had a hand in “securing” your site, you can go to Security > Overview. (Be sure to first click on the website you want to check from your dashboard.)

Navigating to the Security > Overview section in Cloudflare.

Once you land there, you are presented with a “Firewall Events” and “Activity Logs” section. The second option is where you need to check if BIC prevented access to your site. (Again, this will only be true if BIC is enabled and if it actually played a role).

If I’m not mistaken, for free users, it looks like the maximum time window for the Activity Log is 24 hours. There might be a way to extend that timeframe on a Pro or higher plan or by tinkering with something on the free plan, but by default, 24 hours is what you’ll see.

In any event, the log displays all security incidents, in a manner of speaking, in a given timeline and also shows what action was taken, which service was responsible for that action, and more. (Take a look at the screenshot below for a better idea of what the log looks like.)

What the Cloudflare “Security > Overview” Activity Log looks like.

If Browser Integrity Check were activated for any incident, it would appear under the “Service” column of the Activity Log.

Turning Browser Integrity Check On or Off

As with many offerings inside Cloudflare, Browser Integrity Check is one that can be turned on or off. To make your adjustment, head over to Security > Settings. Then, scroll down to the Browser Integrity Check card, and use the toggle to apply your change.

Moreover, this can even be configured via page rules. In other words, you may be able to keep this feature enabled overall but disable it for certain areas of your domain.

Turning Browser Integrity Check on or off in Cloudflare.