Ability to select if Cloudflare returns a 403 or 404

My site is subject to Qualys PCI scan every 3 months. Since using Cloudflare proxy dns in June of 2023, I’m not having any problems passing the scans. But with a scan I had done yesterday, which passed OK, I did see a list of directories which the PCI scan thought might be on my server. None of the directories it listed are. These were directories like:
/repository/.hg/
/application/.hg/
/__MACOSX/.hg
/dev/.git
And a long list of others. Curious, I tried accessing these supposedly existing directories and see that I am getting Cloudflare’s “You are blocked” pages which are returning a 403. With the definition of a 403 being that the resource exists but your access is forbidden, the PCI scan lists these directories as probably existing.
Is there a way for Cloudlfare to return a 404 instead?
Not a big issue, just curious.

I’ve never seen that definition of a 403. That request was blocked before there was an opportunity to see if the resource existed.

If something is getting a 403 with a Cloudflare Block page, you’ll need to look through the Firewall Events log to see why it was blocked:

I guess the correct definition is “the server understands the request but refuses to authorize it”.

This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.