I have been seeing
?__cf_chl_jschl_tk__= attached as query string attached to the URL. My understanding is that Cloudflare attached this after a user passes a challenge — no issue there.
But I don’t understand why some of those requests are sent as POST instead of GET. The URLs they are trying to access is available as GET only. So does CF change the request to POST when a user has completed a challenge, or did the user tries to access the URL via POST? There are a few instances of this and I can’t figure out why they are visiting the site as a POST request (besides potentially malicious reasons originating from the user)
So I’d just like to confirm with you that you don’t change the http method after challenge is completed.