Theme CLI dev server returns 429 on cart requests (bot mitigation false positive)

[stephanie-shopify]

tldr

people using the CLI are getting erroneously flagged as bots, particularly on cart requests.

Summary

Merchants using theme dev are getting 429s on cart Ajax requests (/cart.js, /cart/add, /cart/update.js, etc.), causing storefront JS to break when it receives an HTML
  challenge page instead of JSON.

 Root cause:
 Cloudflare's heuristic bot classifier is scoring CLI proxy requests as BotScore=1 (definite bot) Cart requests are the most affected because they deliberately omit the Bearer token — sending it would cause SFR to use token auth, which lacks cart scopes and breaks cart functionality Without the Bearer token, Cloudflare has no signal to identify these as legitimate CLI traffic, so they get flagged

 impact of problem (last 24h):
 41k 429 events on  468 unique developer IPs affected

 Current status:
 - Non-cart CLI requests are largely fine — Bearer token gives Cloudflare something to work with
 - Cart/checkout/account are the gap — they can't carry a Bearer token
 - We need a reliable exemption signal for these paths
 - Header-based approaches (e.g. custom X-Shopify-CLI header) are spoofable and not viable alone

• Session cookies on cart requests are Shopify-issued and a potential candidate
  Reproduced on latest CLI version.

Merchant report (verbatim)

Actual behavior:

POST http://127.0.0.1:9292/cart/add.js 429 (Too Many Requests)
SyntaxError: Unexpected token '<', "<!DOCTYPE "... is not valid JSON
Uncaught TypeError: Cannot read properties of null (reading 'body')

Reproduction steps: Click "Add to Cart" a few times rapidly.

Environment: Mac OS Tahoe, CLI 3.88, Node 22.21.1

more recent report: https://community.shopify.dev/t/cli-theme-dev-cart-ajax-401/28826/48?u=josh-shopify

[stephanie-shopify]

log analysis was weird. deleted

[stephanie-shopify]

429 events https://observe.shopify.io/a/observe/investigate/query/34150ded-10e0-4073-83e6-24024661ad54

[stephanie-shopify]

Investigation Update — 2026-03-05

Summary

The 429s are caused by Cloudflare's heuristic bot classifier scoring CLI proxy requests as BotScore=1 (definite bot). This is a multi-signal problem — not a single missing header. The original hypothesis (cart requests missing CLI User-Agent / bearer token) was incorrect.

---

Confirmed: Block is at Cloudflare, before SFR

Partner verbose logs from today (2026-03-05T11:39 UTC) show request_id: null on every 429 — SFR sets the request ID, so null confirms the request never reached SFR. Cloudflare is blocking entirely at the edge.

---

Root cause: CLI proxy requests are fingerprinted as bots

We ran two Observe edge log queries over the last hour, comparing CLI vs browser traffic on cart endpoints across all of myshopify.com:

Query 1 — CLI requests on cart endpoints:

{
  "datasets": ["edge"],
  "filters": [
    {"column": "ZoneName", "op": "=", "value": "myshopify.com"},
    {"column": "ClientRequestUserAgent", "op": "contains", "value": "Shopify CLI"},
    {"column": "ClientRequestURI", "op": "contains", "value": "cart"}
  ],
  "breakdowns": ["ClientRequestProtocol", "BotScoreSrc"],
  "calculations": [{"op": "COUNT"}, {"op": "P50", "column": "BotScore"}]
}

Query 2 — Browser requests on cart endpoints (baseline):

{
  "datasets": ["edge"],
  "filters": [
    {"column": "ZoneName", "op": "=", "value": "myshopify.com"},
    {"column": "ClientRequestUserAgent", "op": "contains", "value": "Mozilla"},
    {"column": "ClientRequestUserAgent", "op": "does-not-contain", "value": "Shopify CLI"},
    {"column": "ClientRequestURI", "op": "contains", "value": "cart"}
  ],
  "breakdowns": ["ClientRequestProtocol", "BotScoreSrc"],
  "calculations": [{"op": "COUNT"}, {"op": "P50", "column": "BotScore"}]
}

Results:

Population	Protocol	BotScoreSrc	Median BotScore
CLI (Shopify CLI UA)	HTTP/1.1	Heuristics	1
CLI (Shopify CLI UA)	HTTP/1.1	Machine Learning	22
Browsers (Mozilla UA)	HTTP/3	Machine Learning	97
Browsers (Mozilla UA)	HTTP/2	Machine Learning	96
Browsers (Mozilla UA)	HTTP/1.1	Machine Learning	97

Key findings:

• 100% of CLI requests use HTTP/1.1. Zero HTTP/2 or HTTP/3.
• CLI requests scored by Heuristics get BotScore=1 — Cloudflare's maximum bot confidence.
• The Cloudflare rule firing is "Rate limit Cart API requests based on SFR-emitted complexity score" — confirmed separately by the SFR/edge team in this Slack thread.

We also located an active affected dev session at 88657a-f5.myshopify.com during the partner's reported timestamp window, with 240 CLI 429 events all on GET /cart.js?_fd=0&pb=0 in a 4-minute window, all HTTP/1.1, BotScore=1.

---

Why CLI requests are HTTP/1.1

The proxy (proxy.ts) uses Node.js global fetch, which is backed by undici — an HTTP/1.1-only client. This was not a deliberate design choice; it is simply the default of every HTTP client available in the CLI. Neither node-fetch (used in the cli-kit shopifyFetch wrapper) nor the global fetch support HTTP/2. There is no HTTP/2-capable library anywhere in the CLI dependency tree.

The proxy uses global fetch rather than shopifyFetch specifically because it needs duplex: 'half' for streaming request bodies (e.g. POST /cart/add.js) and redirect: 'manual' for intercepting 3xx responses — neither of which is cleanly supported through the cli-kit wrapper.

---

Other bot signals (beyond HTTP/1.1)

Even if HTTP/2 were available, CLI requests have several additional characteristics that distinguish them from browser traffic:

1. TLS/ALPN fingerprint — Node.js's OpenSSL TLS stack advertises only http/1.1 in ALPN, uses different cipher suites and extensions than browser TLS (BoringSSL/NSS). Cloudflare's JA4 fingerprinting likely treats this as a strong bot signal independent of the UA string.

2. _fd=0&pb=0 on every request — the proxy appends these query params to every outbound request (proxy.ts:338-339). No real browser session does this. It's a distinctive fingerprint visible at the Cloudflare layer.

3. CLI User-Agent is intentional but bot-like to Cloudflare — Shopify CLI; v=X.Y.Z correctly identifies the traffic to SFR, but Cloudflare's heuristics see a non-browser UA and flag it accordingly.

4. Burst request pattern on file save — hot reload triggers SFR section re-renders on every save (hot-reload/server.ts:281), generating rapid bursts of requests from a single IP.

5. Missing browser headers — upgrade-insecure-requests is explicitly deleted (proxy.ts:304); Accept-Encoding and Sec-Fetch-* headers may be absent. Real browsers always send these.

---

This issue is broader than cart

The partner's verbose logs also show 429s on SFR rendering requests (/products/...?_fd=0&pb=0, /?_fd=0&pb=0&section_id=...) — not just cart endpoints. The bot classification affects all CLI proxy traffic, not just cart. Cart is the most visible because cart JS libraries like liquid-ajax-cart break loudly when they get an HTML 429 response instead of JSON.

---

Related context

Gabriel Queiroz from the SFR/edge team confirmed in Slack that CLI requests are being classified as bot/converting. He was looking for a reliable identifier to build an exemption rule. The CLI User-Agent string was suggested, but this investigation confirms the bot classification is coming from Cloudflare's Heuristics engine, likely keyed on the TLS fingerprint and HTTP/1.1 protocol — signals that can't be overridden by a header value alone.

PR #6839 (CLI 3.91) fixes a separate issue (401s on cart from a Bearer token regression in 3.89) and does not address this bot classification problem.

---

Open questions

1. Would switching to HTTP/2 fix the bot score, or would the Node.js TLS fingerprint still be flagged? This determines whether the fix belongs in the CLI networking layer or requires an edge-level exemption.
2. Can Gabriel's team add a Cloudflare exemption rule keyed on something reliable — e.g. the presence of the Bearer token, the _fd=0&pb=0 params, or a dedicated X-Shopify-CLI header — that doesn't depend on the UA string?
3. Can we instrument the CLI proxy to emit a warning or metric when it receives a 429, so this becomes visible in dashboards without merchant reports?

[stephanie-shopify]

was able to reproduce locally

Request URL http://127.0.0.1:9292/cart/add Request Method POST Status Code 429 Too Many Requests Remote Address 127.0.0.1:9292 Referrer Policy strict-origin-when-cross-origin accept-ch Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA access-control-allow-credentials true access-control-allow-origin http://127.0.0.1:9292 alt-svc h3=":443"; ma=86400 cache-control private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0 cf-mitigated challenge cf-ray 9d7b7e221926cb66-SEA connection keep-alive content-type text/html; charset=UTF-8 critical-ch Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA cross-origin-embedder-policy require-corp cross-origin-opener-policy same-origin cross-origin-resource-policy same-origin date Thu, 05 Mar 2026 19:23:00 GMT expires Thu, 01 Jan 1970 00:00:01 GMT keep-alive timeout=5 nel {"success_fraction":0.01,"report_to":"cf-nel","max_age":604800} origin-agent-cluster ?1 permissions-policy accelerometer=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=() referrer-policy same-origin report-to {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=BXP9wnzVhj9rwk91goSqs56OYIeYLB6binv8AsooLGnLVfXzmq%2BXDKhI7sSsELHOyxJW9Kfd%2BdiWZyavIOZxJ4xgJ6YyGfERfBtIoMrloB1kXAmawt3mGA8ray7P%2FksmdLsMdbRj85GnMCPXu%2Fk%3D"}],"group":"cf-nel","max_age":604800} server cloudflare server-timing chlray;desc="9d7b7e221926cb66", cfRequestDuration;dur=22.000074 transfer-encoding chunked vary Accept-Encoding x-content-type-options nosniff x-download-options noopen x-frame-options SAMEORIGIN x-permitted-cross-domain-policies none x-shopid , deprecation date Feb 28 2026 x-xss-protection 1; mode=block accept text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 accept-encoding gzip, deflate, br, zstd accept-language en-US,en;q=0.9,fr;q=0.8 cache-control max-age=0 connection keep-alive content-length 791 content-type multipart/form-data; boundary=----WebKitFormBoundaryOlAOfCsslm8BlDSP cookie localization=US; _shopify_y=3e61017c-34f5-468d-a734-cf5cc698fc66; cart_currency=USD; _shopify_s=da2224bb-edf2-43ea-ab11-cf30570bce30; _shopify_analytics=:AZwpt9B7AAEApSMp5XbJP-phnCb9IeWzTfs3zfR8923bqOKJyZZc2t4YjOb-i45H4AV3qzo3yIswV5KGrwOxnm37W7uwqJH_SyqQrN9L2TewKorszPnm5Q:; cart=hWN9VPJkT8qgYDX8AGuQuzXm%3Fkey%3D0f0a654ac4249084d61c0ef061931f55; _shopify_essential=:AZy_c4yxAAH_4uyfNIluziO3oMfcetGrTiBWbIy0malznHsipxLr9XUfKd7GRX_XN6o9NYp1RY3aWeyGmZpau1UsHRW8CymHg-bfaTHssD36yFac7lvDoczlnFWUx6MtSxfbgTOqgIw_yuRSOGR9fJmNAso_IFSszFytRcPNTTg0uIbeP5Pc6_kHWIlYdq0Ms1aUjyaj-4Q5X2j1IGdsAsxETbd0zYGCeEqBcZ2y0iHhQdTAnCtkQiRMTuQdG1YpzRag-6ZhZhLtDua0mYVnKIMtbtWie2XSd3s0MjJzpqO6fmkMmK4vDOCk9wHhqYDZifBYT31sez1ivR7plJPGCYOStedT9FfIuGjzJCIfO3UjiRy8kybu-SfWzxlf_op5NylMKDJACpb1yRweIz9S4B0ZBAKAYxHZHhP_VeieE7Ua1HWz7xBJRUzMuHRHMM-HZrC5VazbdUviCJPnH4t9nGOAU_rmk4CaD4PNhxAj_g: host 127.0.0.1:9292 origin http://127.0.0.1:9292 referer http://127.0.0.1:9292/products/baked-potato-holiday-card sec-ch-ua "Not:A-Brand";v="99", "Google Chrome";v="145", "Chromium";v="145" sec-ch-ua-mobile ?0 sec-ch-ua-platform "macOS" sec-fetch-dest document sec-fetch-mode navigate sec-fetch-site same-origin sec-fetch-user ?1 upgrade-insecure-requests 1 user-agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/145.0.0.0 Safari/537.36

[stephanie-shopify]

429s over time
top affected paths
bot score breakdown