Commit f7a55fc

codyanthony850, marciocloudflare and caley-b authored
[Use Cases] Solution guide: Stop malicious bots while allowing legitimate traffic (#29531)
* [Use Cases] Add solution guide: Stop malicious bots while allowing legitimate traffic
* [Use Cases] Update discovery pages to cross-reference stop malicious bots guide
* [Use Cases] Revert Solutions heading to match existing convention
* [Use Cases] Address PR feedback: dashboard nav tabs, terminology, expression builder
* [Use Cases] Nest solution guide under bots discovery page
* [Use Cases] Extract partials for BFM, custom rules, and Security Events nav

  Created 3 partials to share procedures between product docs and solution guide:
  - partials/bots/enable-bfm.mdx (Bot Fight Mode enable steps)
  - partials/waf/create-custom-rule-nav.mdx (custom rule dashboard nav)
  - partials/waf/security-events-nav.mdx (Security Events dashboard nav)

  Updated source pages and solution guide to use Render.
* [Use Cases] Parameterize create-rule-nav partial for reuse across rule types
* [Use Cases] Remove create-rule-nav partial — below 3-step threshold, no second consumer
* [Use Cases] Remove security-events-nav partial — below 3-step threshold
* [Use Cases] Fix Turnstile steps to match source, fix broken Security Events formatting
* [Use Cases] Extract Turnstile widget creation partial, add procedure evaluation rule to skill
* [Use Cases] Extract bot score baseline rules partial, add bot analytics tabs
* [Use Cases] Add contextual explanations to bot score baseline rules partial
* [Use Cases] Add consumer comments to partials for dependency tracking
* [Use Cases] Fix plan tier accuracy: Bot Analytics is Business+, bot score is Enterprise-only, separate score 1 from 2-29 categories
* [Use Cases] Fix Turnstile partial formatting (collapsed steps) and escaped comment characters
* [Use Cases] Fix escaped asterisks in MDX comments — Write tool escapes {/* */} in MDX files
* [Use Cases] Remove (guide) label — no longer needed with nested structure
* [Use Cases] Restructure: expectations before action, form protection tools before procedures, form rate limiting in forms section
* [Use Cases] Fix config guidance: Log-first on form rate limiting, exception before enforcement on custom rules
* [Use Cases] Simplify intro — cut generic opener, lead with reader's decision
* [Use Cases] Tighten H2 intros — cut justifications, keep to 1-2 sentences
* [Use Cases] Fix H3 intros — remove justifications, redundancies, repeated context
* [Use Cases] Restore Turnstile UX detail — no puzzles, invisible in Managed mode
* [Use Cases] Move Turnstile UX detail to comparison section where reader is deciding
* [Use Cases] Remove jargon (heuristics), fix em dash in bot categories
* [Use Cases] Replace inline prose em dashes with commas/parentheses
* [Use Cases] Replace tools with products when referring to Cloudflare offerings
* [Use Cases] Fix Turnstile/rate limiting — avoid calling a feature a product
* [Use Cases] Link products and features on first mention — provides product context via URL
* [Use Cases] Name products in intro, prefix features with product name, group related resources by product
* [Use Cases] Add WAF prefix to Security Events on first mention in Verify section
* [Use Cases] Link products and features on first mention per section — Bot analytics, Bot Management, BFM, SBFM in Verify
* [Use Cases] Spell out WAF on first mention in page intro
* [Use Cases] Add WAF to comparison heading — both sides need equal context
* [Use Cases] Add product prefix to all feature headings — WAF custom rules, rate limiting, Security Events
* [Use Cases] Add WAF prefix to H2 heading — Target bot patterns with WAF custom rules
* [Use Cases] Add WAF prefix to meta description for product context and SEO
* [Use Cases] Fix WAF naming — long form first, abbreviation in parentheses
* [Use Cases] Add domain selection context — settings are per-domain, select domain first
* [Use Cases] Fix Free plan path for security events — Security > Analytics > Events tab
* [Use Cases] Add Turnstile nav path — account-level under Application security
* [Use Cases] Fix scope — most settings per domain, Turnstile at account level
* [Use Cases] Remove exception preview from intro — Turnstile section handles itself
* [Use Cases] Fix dashboard paths, style issues, and outcome-oriented headings
* [Use Cases] Move plan callouts before gated content, cut promotional Turnstile callout, fix outcome-oriented headings
* [Use Cases] Complete custom rule creation workflow with verified UI steps
* [Use Cases] Rename WAF to Application Security, restore outcome-oriented headings, drop WAF product prefix
* [Use Cases] Fix H2 scope — section covers custom rules and rate limiting
* [Use Cases] Move Enterprise-only content (bot score, alerts) to callouts — guide targets Free/Pro/Business
* [Use Cases] Add Application Security product name on first feature mention per H2 section
* [Use Cases] Rephrase Security Events intro to avoid double Security
* [Use Cases] Update title and sidebar label — outcome-oriented with plan tier
* [Use Cases] Consolidate custom rule creation — navigate once, create both rules
* [Use Cases] Move escalation step into procedure — step 7 review and change action
* [Use Cases] Move custom rule plan note before procedures — reader needs this before creating rules
* [Use Cases] Rewrite rate limiting section with concrete dashboard steps matching custom rules pattern
* [Use Cases] Revise Tune section — remove redundant Scenario 1, concrete steps for remaining scenarios, remove alerts section, evaluation order to note
* [Use Cases] Fix scenario count (two not three) and tighten intro
* [Use Cases] Add context to Scenario 2 — explain why single-signal rules miss some bots
* [Use Cases] Address Pedro's feedback: fix BFM limitations, plan framing, callout consolidation, remove IP Access rules, remove consumed-by comments, remove opencode files
* Restore opencode.jsonc to production state
* [Use Cases] Soften bot claims to match source docs — 'quite certain' not 'definitely', remove 'always allow'
* [Use Cases] Soften 4 certainty claims to match source docs — prevents→challenges, always→typically, every→requests acted on
* [Use Cases] Apply certainty rules — fix BFM plan claim, soften traffic patterns, rate limiting, bot score language
* [Use Cases] Align BFM framing with source docs — single list of characteristics, remove Limitations heading, match source language
* [Use Cases] Align feature descriptions with source docs — remove unsourced behavior claims, match source language
* [Use Cases] Simplify SBFM to one sentence + link, remove thin feature descriptions
* [Use Cases] Reframe rate limiting thresholds as examples from source docs, not prescriptions
* [Use Cases] Remove all unsourced timeframes (24-48 hours) — creates false SLA and performance perception
* [Use Cases] Fix Log action — Enterprise only, replace with Managed Challenge for Free/Pro/Business target audience
* [Use Cases] Remove prescriptive action recommendations, add plan tier verification rule to skill
* [Use Cases] Integrate BFM disable into prose, reduce to 2 callouts, match source Tunnel warning language
* [Use Cases] Add inline rate limiting procedure for form endpoints — consistent with other sections
* [Use Cases] Add plan callout for rate limiting periods — 1 minute requires Pro+, Free has 10s only
* [Use Cases] Fix rate limiting actions — Managed Challenge is Pro+, Free only has Block
* [Use Cases] Simplify rate limiting plan callout — only state what source docs confirm
* [Use Cases] Fix counting expression UI label to match source docs
* [Use Cases] Align settings table with source docs — add examples, bot score label, WordPress row
* [Use Cases] Replace duplicated settings table with link to source — solution guides do not duplicate source content
* [Use Cases] Match Turnstile placeholder format to source docs (hyphens not underscores)
* [Use Cases] Revert to docs-style placeholder convention — style guide consistency over source doc divergence
* [Use Cases] Consolidate two plan callouts into one, reduce wall of text before procedure
* [Use Cases] Move SBFM link after callouts — reader sees plan and Tunnel warnings before clicking through
* [Use Cases] Fix Security Events — only Sampled logs available on Free, other sections vary by plan
* [Use Cases] Fix Skip action label — 'All Super Bot Fight Mode rules' per source docs
* [Use Cases] Replace accept-language expression — missing value behavior makes it unreliable, use verified fields
* [Use Cases] Replace unverified user_agent expressions with source-verified fields (cf.client.bot, method, path)
* [Use Cases] Replace inline nav paths with DashButton deep links, add DashButton convention to skill
* Update src/content/docs/use-cases/application-security/bots/stop-malicious-bots.mdx

  Co-authored-by: marciocloudflare <83226960+marciocloudflare@users.noreply.github.com>
* Update src/content/docs/use-cases/application-security/bots/stop-malicious-bots.mdx

  Co-authored-by: marciocloudflare <83226960+marciocloudflare@users.noreply.github.com>
* Update src/content/docs/use-cases/application-security/bots/stop-malicious-bots.mdx

  Co-authored-by: marciocloudflare <83226960+marciocloudflare@users.noreply.github.com>
* Update src/content/docs/use-cases/application-security/bots/stop-malicious-bots.mdx

  Co-authored-by: marciocloudflare <83226960+marciocloudflare@users.noreply.github.com>
* Update src/content/docs/use-cases/application-security/bots/stop-malicious-bots.mdx

  Co-authored-by: marciocloudflare <83226960+marciocloudflare@users.noreply.github.com>
* [Use Cases] Address David Tofan feedback — Bot Management signals, custom rules description, verified bots links, allowlisting guidance
* [Use Cases] Add challenge solve rate (CSR) as rule effectiveness signal per David Tofan feedback
* [Use Cases] Soften CSR claim — 'likely indicates' per David's framing
* Update src/content/docs/use-cases/application-security/bots/stop-malicious-bots.mdx

  Co-authored-by: Caley Burton <caley@cloudflare.com>
* [Use Cases] Address Caley's feedback — add product metadata, form examples, H4 steps, fix heading and wording

---------

Co-authored-by: marciocloudflare <83226960+marciocloudflare@users.noreply.github.com>
Co-authored-by: Caley Burton <caley@cloudflare.com>
1 parent 5ff1096 commit f7a55fc

12 files changed

Lines changed: 541 additions & 99 deletions

src/content/docs/bots/get-started/bot-fight-mode.mdx

Lines changed: 1 addition & 23 deletions
@@ -41,29 +41,7 @@ Bot Fight Mode is a simple, free product that helps detect and mitigate bot traf
4141

4242
To start using Bot Fight Mode:
4343

44-
{/* prettier-ignore-start */}
45-
46-
<Tabs syncKey="dashNewNav">
47-
<TabItem label="New dashboard" icon="rocket">
48-
<Steps>
49-
1. In the Cloudflare dashboard, go to the **Security Settings** page.
50-
51-
<DashButton url="/?to=/:account/:zone/security/settings" />
52-
2. Filter by **Bot traffic**.
53-
3. Go to **Bot Fight Mode**.
54-
4. Turn **Bot Fight Mode** on.
55-
</Steps>
56-
</TabItem>
57-
<TabItem label="Old dashboard">
58-
<Steps>
59-
1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/login), and select your account and domain.
60-
2. Go to **Security** > **Bots**.
61-
3. For **Bot Fight Mode**, select **On**.
62-
</Steps>
63-
</TabItem>
64-
</Tabs>
65-
66-
{/* prettier-ignore-end */}
44+
<Render file="enable-bfm" product="bots" />
6745

6846
<Render file="sbfm-upgrade" product="bots" />
6947
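Review bot: The import line at the top of bot-fight-mode.mdx is outside this hunk and, with the file showing 1 addition and 23 deletions, was not touched, so if the block removed at old lines 44-66 was the only use of Tabs, TabItem, Steps and DashButton those imports are now unused and should be dropped, the way the Turnstile page in this same commit narrows its import to Render. Also confirm that the enable-bfm partial keeps both the "New dashboard" and "Old dashboard" tabs, since the partial is not shown here and readers on the old navigation would otherwise lose their steps.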

src/content/docs/turnstile/get-started/widget-management/dashboard.mdx

Lines changed: 4 additions & 17 deletions
@@ -2,30 +2,17 @@
22
title: Create and manage widgets using the Cloudflare dashboard
33
pcx_content_type: how-to
44
sidebar:
5-
order: 1
6-
label: Cloudflare dashboard
5+
order: 1
6+
label: Cloudflare dashboard
77
---
88

9-
import { Steps, DashButton } from "~/components";
10-
9+
import { Render } from "~/components";
1110

1211
The Cloudflare dashboard provides a user-friendly interface for creating and managing widgets.
1312

1413
## Create a widget
1514

16-
<Steps>
17-
1. In the Cloudflare dashboard, go to the **Turnstile** page.
18-
19-
<DashButton url="/?to=/:account/turnstile" />
20-
2. Select **Add widget**.
21-
3. Fill out the required information:
22-
- **Widget name**: A descriptive name for your widget.
23-
- **Hostname management**: Domains where the widget will be used.
24-
- **Widget mode**: Choose from Managed, Non-Interactive, or Invisible.
25-
4. (Optional) Configure **Pre-clearance support** for single-page applications.
26-
5. Select **Create** to save your widget.
27-
6. Copy your sitekey and secret key, and store the secret key securely.
28-
</Steps>
15+
<Render file="create-widget-dashboard" product="turnstile" />
2916

3017
## Manage existing widgets
3118
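Review bot: Removed step 6 ("Copy your sitekey and secret key, and store the secret key securely.") was this page's only guidance on handling the secret key, so confirm that the create-widget-dashboard partial, which is not shown in this diff, carries that step unchanged. Separately, frontmatter lines 5-6 (order and label under sidebar:) differ only in whitespace; check that both keys are still indented with spaces beneath sidebar: so the YAML nesting holds, or leave the whitespace change out of this commit.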

src/content/docs/use-cases/application-security/block-attacks.mdx

Lines changed: 2 additions & 0 deletions
@@ -29,3 +29,5 @@ Limit request rates based on flexible matching criteria. [Learn more about rate
2929
1. [Deploy WAF managed rulesets](/waf/managed-rules/deploy-zone-dashboard/)
3030
2. [Create custom rules](/waf/custom-rules/create-dashboard/)
3131
3. [Configure rate limiting rules](/waf/rate-limiting-rules/create-zone-dashboard/)
32+
33+
For custom rules and rate limiting patterns specific to bot traffic, refer to [Stop malicious bots while allowing legitimate traffic (Free, Pro, and Business)](/use-cases/application-security/bots/stop-malicious-bots/).
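Review bot: The link text on new line 33 ends with a plan suffix, "(Free, Pro, and Business)", while the two links to the same page in the new bots discovery page (its lines 15 and 41) use "Stop malicious bots while allowing legitimate traffic" without it. Pick one form, matching the guide's actual title, so the cross-references read the same everywhere.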

src/content/docs/use-cases/application-security/bots.mdx

Lines changed: 0 additions & 36 deletions
This file was deleted.
Lines changed: 43 additions & 0 deletions
@@ -0,0 +1,43 @@
1+
---
2+
pcx_content_type: how-to
3+
title: Stop malicious bots
4+
description: Detect and block automated threats while allowing legitimate traffic.
5+
products:
6+
- waf
7+
- bots
8+
- turnstile
9+
sidebar:
10+
order: 4
11+
---
12+
13+
Malicious bots perform credential stuffing, content scraping, and inventory hoarding. Cloudflare provides multiple tools to detect and block automated threats while allowing legitimate bots like search engine crawlers.
14+
15+
For a step-by-step workflow that combines these tools into a layered defense, refer to [Stop malicious bots while allowing legitimate traffic](/use-cases/application-security/bots/stop-malicious-bots/).
16+
17+
## Solutions
18+
19+
### Bot Fight Mode
20+
21+
Baseline bot protection available on all plans, including Free. Challenges requests that match known bot patterns. [Learn more about Bot Fight Mode](/bots/get-started/bot-fight-mode/).
22+
23+
### Super Bot Fight Mode
24+
25+
Granular bot controls for Pro plans and above. Allows verified bots, configures per-category actions, and extends protection to static resources. [Learn more about Super Bot Fight Mode](/bots/get-started/super-bot-fight-mode/).
26+
27+
### Bot Management
28+
29+
Machine learning-powered bot detection for Enterprise with granular signal detections. Assigns a bot score from 1 (bot) to 99 (human) to every request, along with additional signals for more precise and customizable security rules. [Learn more about Bot Management](/bots/).
30+
31+
### Turnstile
32+
33+
Privacy-preserving challenge for forms and user interactions. Available on all plans at no cost. [Learn more about Turnstile](/turnstile/).
34+
35+
### WAF custom rules
36+
37+
Targeted rules that act on traffic signals including headers, request patterns, and [bot management variables](/bots/reference/bot-management-variables/). Available on all plans. [Learn more about custom rules](/waf/custom-rules/).
38+
39+
## Get started
40+
41+
1. [Stop malicious bots while allowing legitimate traffic](/use-cases/application-security/bots/stop-malicious-bots/) — layered defense guide covering all products above
42+
2. [Enable Bot Fight Mode](/bots/get-started/bot-fight-mode/) — quickest single step (Free plan)
43+
3. [Add Turnstile to forms](/turnstile/get-started/) — protect login and signup forms
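Review bot: Line 37 says WAF custom rules are "Available on all plans" in the same paragraph that links bot management variables, which reads as if those fields can be used on Free; the commit message itself records that bot score is Enterprise-only, so say which signals are plan-gated or move that link under the Bot Management heading. Line 29 still states that a score is assigned "to every request", and lines 13, 15 and 41-43 keep "tools" and em dashes, all wording the commit message lists as softened or replaced elsewhere in this change set.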
