Allowlisting LoadBolt traffic

If your WAF, CDN, or rate limiter is blocking test traffic, here's how to let LoadBolt through.

How to identify LoadBolt traffic

Every request from a LoadBolt test includes two identifiers you can match on:

User-AgentLoadBolt/1.0 (loadbolt.dev)

Source IPSingle static IP from our NAT Gateway (shown in your Slack notification when a test starts)

The User-Agent is the easiest to match on — it's the same for every test, every plan, every user. The IP is static but could change if we migrate infrastructure, so User-Agent is the more future-proof option.

Cloudflare

Go to Security → WAF → Custom rules and create a new rule:

Field:       User Agent
Operator:    contains
Value:       LoadBolt/1.0
Action:      Skip (all remaining custom rules)

If you're using Cloudflare's rate limiting, create a separate rate limiting rule with the same User-Agent condition and set it to “Skip” or raise the threshold for matching requests.

AWS WAF

Add a rule to your Web ACL that matches on the User-Agent header:

{
  "Name": "AllowLoadBolt",
  "Priority": 0,
  "Statement": {
    "ByteMatchStatement": {
      "SearchString": "LoadBolt/1.0",
      "FieldToMatch": {
        "SingleHeader": { "Name": "user-agent" }
      },
      "PositionalConstraint": "CONTAINS",
      "TextTransformations": [
        { "Priority": 0, "Type": "NONE" }
      ]
    }
  },
  "Action": { "Allow": {} }
}

Make sure this rule has a higher priority (lower number) than your rate-limiting or bot-detection rules.

Nginx

If you're using Nginx rate limiting, you can skip the limit for LoadBolt traffic by mapping on the User-Agent:

# Empty key = skip rate limiting for LoadBolt traffic
map $http_user_agent $limit_key {
    default              $binary_remote_addr;
    "~LoadBolt/1.0"     "";
}

limit_req_zone $limit_key zone=api:10m rate=10r/s;

server {
    location /api/ {
        limit_req zone=api burst=20 nodelay;
        proxy_pass http://backend;
    }
}

Other tools

For any WAF, CDN, or rate limiter — look for a way to create a rule that matches requests where the User-Agent header contains LoadBolt/1.0 and either skip rate limiting or allow the request through. Most tools support header-based rules.

If your tool supports IP-based allowlisting, you can also allowlist the source IP shown in the Slack notification when your test starts running. Just keep in mind the IP could change if we move infrastructure — User-Agent matching is more reliable long-term.

Still seeing errors?

A few things to check:

Make sure your allowlist rule has higher priority than your blocking rules
Check if your CDN has a separate bot-detection layer (e.g. Cloudflare Bot Management) that needs its own exception
If you're behind multiple layers (CDN + WAF + app-level rate limiting), you may need to allowlist at each layer
Look at the error breakdown in your test results — 403 usually means WAF, 429 means rate limiting

Back to dashboard