Three Mastodon issues because of Cloudflare Bot protection

Source: Dev.to

Background

I noticed that three Mastodon features had stopped working on my blog. Each seemed like a separate problem, but they shared the same root cause. Below I describe the issues and the simple fix.

Domain verification

Mastodon lets you prove that you own a domain. The mechanism requires two steps:

1. Add a “ tag in your pages, pointing to your Mastodon profile.
2. Add your website URL to your Mastodon profile.

When Mastodon crawls your page and finds the backlink, it displays a green checkmark next to your URL in your profile.

I had set this up long ago and it worked for both my blog and GitHub. Later the blog link stopped working while GitHub’s still worked.

Link preview cards

When you share a link on Mastodon, your instance crawls the page to generate a preview card. It reads the page’s OpenGraph tags (title, description, image).

My blog had all the correct tags, yet every blog post I shared appeared as a plain link with no card. Interestingly, newsletters that shared the same preview image worked correctly.

Author attribution

Mastodon 4.3 introduced author attribution. If a page contains the following meta tag, Mastodon displays a “By @author” badge when someone else shares the link—and lets their followers follow you directly from the preview:

This never worked for my blog after I added it.

Common mechanism

All three features require Mastodon’s server to crawl your page. The problem turned out to be the same for each.

Root cause: Cloudflare Bot Fight Mode

My blog runs behind Cloudflare, and I had enabled Bot Fight Mode, a feature that blocks automated traffic deemed suspicious. Services can register domains on Cloudflare to be recognized as good actors (e.g., Bluesky, Twitter).

Mastodon’s crawler runs on Hetzner infrastructure. Hetzner IP addresses carry a high threat score in Cloudflare’s database because they are popular with bot operators. When Mastodon’s crawler tried to fetch my pages, Cloudflare served a JavaScript challenge instead of the HTML. Mastodon’s http.rb client cannot solve JavaScript challenges, so it received no useful response, cached the failure, and moved on.

Fix

Turn off Bot Fight Mode:

1. Log in to the Cloudflare dashboard.
2. Navigate to Security > Bots.
3. Disable Bot Fight Mode.

Turning it off fixed all three Mastodon issues at once. For a public static blog, Bot Fight Mode offers minimal protection while actively breaking legitimate crawlers.

Further reading

• Cloudflare Tunnels and Mastodon
• Bot protection is blocking valid bots
• Understanding Mastodon Preview Card Display Logic

Originally published at A Java Geek on April 26th, 2026.