400 error returned from Cloudflare

jstafford · 2018-05-16 22:09:16 UTC

At some point in the last few days, AJAX posts generated from iPhone posted to my Heroku app seem to be being rejected by Cloudflare. I’m getting a 400 error: Failed to load resource: the server responded with a status of 400 ()

This does NOT happen on desktop - only iPhone, from both Safari and Chrome browsers. I don’t have Android to test.

This post does NOT make it to the Heroku server. It’s rejected at Cloudflare and the response below is returned to the browser. There is literally zero useful information.

Please help - our app is effectively down, and there’s nobody to call at Cloudflare! Cloudflare response below:

Summary
URL: URLhidden/path.json
Status: 400
Source: Network
Address: HIDDEN

Request
:method: POST
:scheme: https
:authority: URLhidden dot com (thanks for this stupid rule, Cloudflare)
:path: /path.json
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarywfKELRjHRSGIij7z
Origin: URLhidden dot com
Host: URLhidden dot com
Accept: text/javascript, application/javascript, application/ecmascript, application/x-ecmascript, /; q=0.01
Connection: keep-alive
Accept-Encoding: br, gzip, deflate
Accept-Language: en-us
DNT: 1
Cookie: HIDDEN
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 11_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
Referer: URLhidden dot com/path
Content-Length: 2276122
X-Requested-With: XMLHttpRequest
X-CSRF-Token: HIDDEN

Response
:status: 400
Content-Type: text/html
Date: Wed, 16 May 2018 21:55:07 GMT
Server: cloudflare
Content-Length: 171
cf-ray: 41c1162b3c095891-DFW

Request Data
MIME Type: multipart/form-data
Boundary: ----WebKitFormBoundarywfKELRjHRSGIij7z
Request Data:

cscharff · 2018-05-17 02:33:08 UTC

This is almost certainly being returned from the origin or something on the Heroku network. There are a number of documented instances on the Heroku site that cause cause a 400 error.

https://help.heroku.com/TQ80D553/why-do-i-get-a-400-bad-request-response-when-i-have-large-cookies

I apologize that Heroku didn’t return any useful information for us to pass along.

jstafford · 2018-05-17 02:40:35 UTC

@cscharff thanks for the reply. Three reasons I don’t think this is coming from Heroku:

I watch the logs and absolutely nothing hits their server. It doesn’t even blink.
The response clearly says it’s from Cloudflare:

:status: 400
Content-Type: text/html
Date: Thu, 17 May 2018 01:17:56 GMT
Server: cloudflare
Content-Length: 171
cf-ray: 41c23f391c67262f-DFW```
3.  The formatted response is also clearly marked Cloudflare: 
```<html>
<head><title>400 Bad Request</title></head>
<body bgcolor="white">
<center><h1>400 Bad Request</h1></center>
<hr><center>cloudflare</center>
</body>
</html>```

cscharff · 2018-05-17 03:00:55 UTC

Are you watching the heroku router logs?

If there’s nothing there you may want to open a support ticket this the redacted bits included, there’s not enough info there to hazard a guess but the odds it is an origin issue are still extremely high.

jstafford · 2018-05-17 03:04:52 UTC

@cscharff - yes, I see the page load in the logs, but the form submit does not show up at all. In the browser, there are no CORS errors (and usually browsers are not shy about displaying CORS errors). It’s like the request hits Cloudflare and gets rejected for some reason and fails silently. I found this on the Cloudflare site, which sounds about right, but I don’t see anything to indicate the request is malformed (works from desktop/Chrome):

400 Bad Request  (RFC7231)

Server cannot or will not process the request due to something that is perceived to be a client error (e.g., malformed request syntax, invalid request message framing, or deceptive request routing).

system · 2018-05-30 22:17:45 UTC

This topic was automatically closed after 14 days. New replies are no longer allowed.