Allow Under Attack Mode to Override Security Level Page Rules

TLDR

I would like to request that Under Attack Mode be set to override any Security Level settings in Page Rules. Even if there was just an optional “Override Security Level in Page Rules” checkbox when enabling Under Attack Mode, it would go a long way to ensuring that Under Attack Mode is effective.

Context

We have a Page Rule that sets our website login page and backend pages to “Security Level: High”. Today during a DDoS attack I enabled Under Attack Mode and noticed that a huge number of DDoS requests directed at our login page were still reaching the server. It turns out that “Security Level: High” effectively disables Under Attack Mode for the pages it is applying to. This makes sense as “I’m Under Attack” is basically just another Security Level that is overridden by the Security Level setting in the Page Rule. However, it is pretty counter-intuitive that trying to heighten security for part of your website with a page rule effectively breaks DDoS mitigation for those pages. As a temporary solution we have changed the Page Rule to set “Security Level: I’m Under Attack” which fixed the problem; we will experiment with leaving it this way even after the attack is over and we have disabled Under Attack Mode. If that works out we will consider rolling out the amended Page Rule to the hundreds of other CF customers that we support.

I was thinking of lodging this as a bug, but the way it currently works is logical and probably as intended; it just leads to the problematic outcome of almost completely undermining the efficacy of Under Attack Mode for sites using Security Level Page Rules.
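An added example (not part of the original post, and not Cloudflare's code) of auditing for the situation described above: it lists Page Rules that pin a Security Level other than "I'm Under Attack" and shows which level a given URL ends up with once the zone-wide mode is on. The rule data is constructed and shaped like the Cloudflare API's page rule listing; it assumes the rules are given in priority order and that only the first matching active rule applies to a URL.

```python
import re

def rule(pattern, action_id, value, status="active"):
    """Build a dict shaped like one entry of the API's page rule listing."""
    return {"status": status,
            "targets": [{"target": "url",
                         "constraint": {"operator": "matches", "value": pattern}}],
            "actions": [{"id": action_id, "value": value}]}

# Constructed sample rules, in priority order (assumption). Not real data.
PAGE_RULES = [
    rule("*example.com/login*", "security_level", "high"),
    rule("*example.com/admin/*", "security_level", "under_attack"),
    rule("*example.com/api/*", "security_level", "medium", status="disabled"),
    rule("*example.com/static/*", "cache_level", "cache_everything"),
]

def pattern_of(r):
    return r["targets"][0]["constraint"]["value"]

def pinned_level(r):
    """Security Level an active rule sets, or None if it sets none."""
    if r.get("status") != "active":
        return None
    for action in r.get("actions", []):
        if action.get("id") == "security_level":
            return action.get("value")
    return None

def weakening_rules(rules):
    """Rules that keep their URLs below Under Attack Mode when the zone enables it."""
    return [(pattern_of(r), pinned_level(r)) for r in rules
            if pinned_level(r) not in (None, "under_attack")]

def effective_level(url, rules, zone_level):
    """Level applied to url: first matching active rule wins (assumption)."""
    for r in rules:
        if r.get("status") != "active":
            continue
        # Page Rule patterns use '*' as a wildcard; everything else is literal.
        regex = ".*".join(re.escape(part) for part in pattern_of(r).split("*"))
        if re.fullmatch(regex, url):
            return pinned_level(r) or zone_level
    return zone_level

if __name__ == "__main__":
    for pattern, level in weakening_rules(PAGE_RULES):
        print(f"{pattern}: pinned to '{level}', not covered by zone-wide Under Attack Mode")
```
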

+1 Great suggestion.

I’ve always considered this from the perspective of my site, where I can always reach to the Page Rules tab and change the settings for the few sites I manage, but of course if one is facing a situation involving multiple websites it would be very convenient to just toggle an “Override Page Rules” kind of setting.

Agreed. That “Under Attack Mode” toggle in the Overview screen should act like a big red BASE LOCKDOWN type button. Hit that and everything goes into maximum security. It may slow down all visitors and break your apps, but it should help prevent a server meltdown.