TLDR
I would like to request that Under Attack Mode be set to override any Security Level settings in Page Rules. Even if there was just an optional “Override Security Level in Page Rules” checkbox when enabling Under Attack Mode it would go a long way to ensuring that Under Attack Mode is effective.
Context
We have a Page Rule that sets our website login page and backend pages to “Security Level: High”. Today during a DDoS attack I enabled Under Attack Mode and noticed that a huge number of DDoS requests directed at our login page were still reaching the server. It turns out that “Security Level: High” effectively disables Under Attack Mode for the pages it is applying to. This makes sense as “I’m Under Attack” is basically just another Security Level that is overridden by the Security Level setting in the Page Rule. However, it is pretty counter-intuitive that trying to heighten security for part of your website with a page rule effectively breaks DDoS mitigation for those pages. As a temporary solution we have changed the Page Rule to set “Security Level: I’m Under Attack” which fixed the problem; we will experiment with leaving it this way even after the attack is over and we have disabled Under Attack Mode. If that works out we will consider rolling out the amended Page Rule to the hundreds of other CF customers that we support.
I was thinking of lodging this as a bug but the way it currently works is logical and probably as intended, it just leads to the problematic outcome of almost completely undermining the efficacy of Under Attack Mode for sites using Security Level Page Rules.