403 Error with WAF "Managed Challenge" on all pages


lately my servers got attacked. Those attacks also reached my origin servers, because Cloudflare was not able to see the difference between real users and those Bot users (Botnet, different user-agents, different IPs).

To fix the problem, I was required to enable those Managed Challenge on all pages (“Under Attack” mode did pretty much nothing). With that WAF rule the attack stopped, but my real users received empty pages without CSS, JS, etc.
The rule is just (http.request.full_uri contains '[MY URL]") than “Managed Challenge”

The issue seems that Cloudflare asks every time for a “Challenge” for some CSS, Media, JS, etc. even though the user finished the Challenge on the requested DOC.


When I now double-click on for example “video-bg3.png”, it opens it up again, asks for challenge – after doing the challenge I can see the resource. When I then close it, and again double-click on it, it AGAIN asks for the challenge.

It’s obvious that no page will load correctly, when Cloudflare asks for a challenge on every resource, every time.
When disabling the WAF Rule, everything works correctly – It’s not my origin servers making the issues.

(Using OperaGX browser)

Anyone any solutions what to-do?

Can you share the URL of your site?

Consider checking these guides:

1 Like

Unfortunately, I’m not allowed to share the Domain. But for example Chrome browser or IOS Safari it works correctly.

Could it be a problem from Opera GX itself?
Thank you for your incredibly fast answer. That’s just INSANE!

1 Like

Opera GX might not be sending the challenge cookies to the paths you posted; if that’s the case, visitors will face another managed challenge and thus causing website malfunction.

If that’s the case, a “quick” fix (if that’s the case) is following the first guide I sent and challenging only the malicious requests.

1 Like

Yes, you’re fully right. I compared the Network data things on Opera GX to Chrome. And on chrome in the cookies-header there is this “cf_clearance=****” while on Opera GX it’s fully missing.

I will check out your guides.
Thank you!

1 Like

I made some checks and i figured out that Opera blocked the Set-Bookie header for this reason:

Whole site and media are all HTTP (not SSL)
But in chrome or firefox it’s working correctly and the set-cookie header don’t get blocked.

Also there are no cookies set at all, so it could not have overwritten a cookie

Is the “VPN” feature being enabled and used in that Opera Web browser? :thinking: