16th June 2026
[](https://til.simonwillison.net/cloudflare/captcha-on-at-least-one-ampersand)
[TIL](https://simonwillison.net/elsewhere/til/) [Cloudflare CAPTCHA on at least one ampersand](https://til.simonwillison.net/cloudflare/captcha-on-at-least-one-ampersand) --- I use Cloudflare's CAPTCHA (they call it a "Managed Challenge") on \[simonwillison.net/search/\](https://simonwillison.net/search/) to prevent crawlers from following every single possible combination of my \[faceted search\](https://simonwillison.net/2017/Oct/5/django-postgresql-faceted-search/) UI.
I'm using Cloudflare's CAPTCHA (they call it a "Web Application Firewall \> Custom rules \> Managed Challenge" these days) to prevent crawlers from aggresively spidering my [faceted search engine](https://simonwillison.net/2017/Oct/5/django-postgresql-faceted-search/) on this site, but I got fed up of even simple `?q=term` searches triggering the challenge.
After some mucking around with Claude Code it turns out you can register the following rule instead, so the CAPTCHA only kicks in for search URLs containing at least one ampersand:
`(http.request.uri.path wildcard r"/search/*" and http.request.uri.query contains "&")`
And now [/search/?q=lemur](https://simonwillison.net/search/?q=lemur) works without triggering a CAPTCHA!