API and website protection

There is a website www.domain.com and API api.domain.com on the same domain and only the subdomain differs. There are protection rules enabled to protect the website. It works well for the website but it also blocks API endpoints when it is called not from the browser. What could be the solutions to solve this issue?

1 Like

If one of your own WAF rules is affecting the API, you can add a hostname to the rule to control which ones it applies to.

If some of the Cloudflare features are affecting the API subdomain, you can either:

  • use a WAF rule to skip those checks
  • use configuration rules to turn Cloudflare features on/off based on the request (such as the hostname)
1 Like

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.