One of the local ISPs seems to be providing data plan users with some bad IP addresses, which are getting a reCAPTCHA response from our Cloudflare. This is OK for web applications, but our mobile applications, which are using the same API, aren’t able to pass through.
Our first try at this is to add a special header to all mobile app requests and create a firewall rule in Cloudflare to “Allow” these requests. We created one, it’s at the top of the rules list, and we see that it’s set correctly, because it’s showing a large number of requests on the count next to the Firewall rule definition.
However, the apps are still getting the 403 error from Cloudflare. The response is a full HTML page, containing a string “Please complete the security check to access [website_url]”.
Any suggestions on how to approach this problem?