Update automatic-request-headers.mdx (#26918)

* Update automatic-request-headers.mdx

add bot detection id

* Update faq.mdx

add steps on how to add bot id to WAF skip rule

* Update src/content/docs/browser-rendering/faq.mdx

Co-authored-by: ToriLindsay <[email protected]>

* Update src/content/docs/browser-rendering/faq.mdx

Co-authored-by: ToriLindsay <[email protected]>

* Update src/content/docs/browser-rendering/faq.mdx

Co-authored-by: ToriLindsay <[email protected]>

* Update src/content/docs/browser-rendering/faq.mdx

Co-authored-by: ToriLindsay <[email protected]>

* Update src/content/docs/browser-rendering/faq.mdx

Co-authored-by: ToriLindsay <[email protected]>

* Update automatic-request-headers.mdx

add link to how to allowlist BR

---------

Co-authored-by: ToriLindsay <[email protected]>

Author: kathayl

src/content/docs/browser-rendering/faq.mdx

@@ -8,7 +8,7 @@ head:
     content: Frequently asked questions about Cloudflare Browser Rendering
 ---
 
-import { GlossaryTooltip, Render } from "~/components";
+import { GlossaryTooltip, Render, DashButton, Steps } from "~/components";
 
 Below you will find answers to our most commonly asked questions about Browser Rendering.
 
@@ -27,11 +27,27 @@ Not yet. Local development currently has the following limitation(s):
 
 <Render file="remote-binding-note" product="workers" />
 
-### Will Browser Rendering bypass Cloudflare's Bot Protection?
+### Will Browser Rendering be detected by Bot Management?
 
-No, Browser Rendering requests are always identified as bots by Cloudflare and do not bypass Bot Protection.
+Yes, Browser Rendering requests are always identified as bot traffic by Cloudflare. Cloudflare does not enforce bot protection by default — that is the customer's choice.
 
-If you are attempting to scan your **own zone** and need Browser Rendering to access areas protected by Cloudflare’s Bot Protection, you can create a [WAF skip rule](/waf/custom-rules/skip/) to bypass the bot protection using a header or a custom user agent.
+If you are attempting to scan your own zone and want Browser Rendering to access your website freely without your bot protection configuration interfering, you can create a WAF skip rule to [allowlist Browser Rendering](/browser-rendering/faq/#how-do-i-allowlist-browser-rendering).
+
+### How do I allowlist Browser Rendering?
+
+<Steps>
+1. In the Cloudflare dashboard, go to the **Security rules** page of your account and domain.
+
+     <DashButton url="/?to=/:account/:zone/security/security-rules" />
+
+2. To create a new empty rule, select **Create rule** > **Custom rules**.
+3. Enter a descriptive name for the rule in **Rule name**, such as `Allow Browser Rendering`.
+4. Under **When incoming requests match**, use the **Field** dropdown to choose _Bot Detection ID_. For **Operator**, select _equals_. For **Value**, enter `128292352`.
+5. Under **Then take action**, in the **Choose action** dropdown, select  **Skip**.
+6. Under **Place at**, select the order of the rule in the **Select order** dropdown to be **First**. Setting the order as **First** allows this rule to be applied before subsequent rules.
+7. To save and deploy your rule, select **Deploy**.
+
+</Steps>
 
 ### Does Browser Rendering rotate IP addresses for outbound requests?
 

src/content/docs/browser-rendering/reference/automatic-request-headers.mdx

@@ -21,4 +21,10 @@ These headers are meant to ensure transparency and cannot be removed or overridd
 | `Signature-agent`    | [The location of the bot public keys](https://web-bot-auth.cloudflare-browser-rendering-085.workers.dev), used to sign the request and verify it came from Cloudflare                                       |
 | `Signature` and `Signature-input`| A digital signature, used to validate requests, as shown in [this architecture document](https://datatracker.ietf.org/doc/html/draft-meunier-web-bot-auth-architecture)                     |
 
+### About Web Bot Auth
+
 The `Signature` headers use an authentication method called [Web Bot Auth](/bots/reference/bot-verification/web-bot-auth/). Web Bot Auth leverages cryptographic signatures in HTTP messages to verify that a request comes from an automated bot. To verify a request originated from Cloudflare Browser Rendering, use the keys found on [this directory](https://web-bot-auth.cloudflare-browser-rendering-085.workers.dev/.well-known/http-message-signatures-directory) to verify the `Signature` and `Signature-Input` found in the headers from the incoming request. A successful verification proves that the request originated from Cloudflare Browser Rendering and has not been tampered with in transit.
+
+### Bot detection
+
+The bot detection ID for Browser Rendering is `128292352`. If you are attempting to scan your own zone and want Browser Rendering to access your website freely without your bot protection configuration interfering, you can create a WAF skip rule to [allowlist Browser Rendering](/browser-rendering/faq/#how-do-i-allowlist-browser-rendering).