Hello.
I’m facing an issue and would really appreciate your help.
Problem:
API requests are not blocked under "Under Attack Mode" (I get a 200 status). Challenge passage is set to 5 minutes, so after 5 minutes I get 403 and 503 response statuses on every request except AJAX requests. I have no whitelists set and only have one page rule, which is not related to AJAX.
About WAF rules: after the challenge passage period I should be issued a new JS challenge, but instead I get 403 and 503 statuses, which is explained by the documentation, which states the following:
JS Challenge actions only support HTML requests. When an XHR or AJAX request triggers one of the Legacy CAPTCHA actions, the resulting request will have the following status code:
HTTP status code 403 for Legacy CAPTCHA
HTTP status code 503 for JS Challenge
This is exactly the behaviour I get, except for API requests. I always get a 200 status despite being in Under Attack Mode and the challenge passage timeout having expired. I tried every WAF action and none helped (always getting a 200 status), except the “Block” action.
Summary: when “Under Attack Mode” is enabled and the challenge passage time has expired, all of my requests get 403 and 503 statuses except AJAX API requests (but they should get 403 or 503 as well, depending on the selected WAF action, according to the CF documentation).
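As an added example that is not part of the original post: the quoted documentation says an XHR/AJAX request that hits a challenge is answered with 403 (Legacy CAPTCHA) or 503 (JS Challenge) rather than with a challenge page, so an API client that treats those as ordinary errors will misreport what happened. The wrapper below (my own code, not the poster's or Cloudflare's) tags such responses and tells the caller that only a full-page navigation can pass the challenge. Two assumptions not taken from the page: the `cf-mitigated: challenge` response header is used only as a confirming hint, because a bare 503 can also be an origin outage; and `doFetch` is injectable so the example can run offline against a constructed fake fetch standing in for the Cloudflare edge.

```javascript
// Added example, not from the original post. Recognises Cloudflare challenge
// responses to AJAX/XHR API calls using the status codes in the quoted docs:
// 403 for Legacy CAPTCHA, 503 for JS Challenge.
//
// Assumptions (not from the page):
//  - `cf-mitigated: challenge` is treated as a confirming header when present,
//    since a plain 503 can also come from an origin outage;
//  - `doFetch` is injectable so the wrapper runs offline with a fake fetch;
//    in a browser the default is the global fetch.

const CHALLENGE_BY_STATUS = { 403: "legacy-captcha", 503: "js-challenge" };

// Read a header from either a Headers object or a plain object, case-insensitively.
function getHeader(headers, name) {
  if (!headers) return null;
  if (typeof headers.get === "function") return headers.get(name);
  const key = Object.keys(headers).find(k => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? null : headers[key];
}

// "ok" for anything outside the documented challenge statuses; otherwise the
// challenge kind, with `confirmed` true when cf-mitigated explicitly says so.
function classifyResponse(status, headers) {
  const kind = CHALLENGE_BY_STATUS[status];
  if (!kind) return { challenged: false, kind: "ok", confirmed: false };
  const mitigated = (getHeader(headers, "cf-mitigated") || "").toLowerCase();
  return { challenged: true, kind, confirmed: mitigated === "challenge" };
}

// Fetch an API endpoint as an XHR-style request and surface a challenge
// instead of letting it masquerade as an API error.
async function apiFetch(url, options = {}, doFetch = globalThis.fetch) {
  const headers = { ...(options.headers || {}), "X-Requested-With": "XMLHttpRequest" };
  const res = await doFetch(url, { ...options, headers });
  const verdict = classifyResponse(res.status, res.headers);
  if (verdict.challenged) {
    // An XHR cannot run the interstitial; the page itself must be reloaded
    // (or navigated) so the browser can pass the challenge.
    return { ...verdict, status: res.status, action: "reload-page", body: null };
  }
  return { ...verdict, status: res.status, action: "none", body: await res.json() };
}

// Constructed fake fetch standing in for the Cloudflare edge so the wrapper
// runs without a network: /api/data is served, /api/secret is challenged.
function fakeCloudflareFetch(url) {
  if (url.endsWith("/api/secret")) {
    return Promise.resolve({
      status: 503,
      headers: { "cf-mitigated": "challenge" },
      json: async () => null,
    });
  }
  return Promise.resolve({ status: 200, headers: {}, json: async () => ({ ok: true, url }) });
}

// Runs both cases through the wrapper and returns the verdicts.
async function demo() {
  const served = await apiFetch("https://example.com/api/data", {}, fakeCloudflareFetch);
  const challenged = await apiFetch("https://example.com/api/secret", {}, fakeCloudflareFetch);
  return { served, challenged };
}
```

In a real page you would call `apiFetch` with the default fetch and, on `action === "reload-page"`, trigger `window.location.reload()` (or navigate to an HTML route) so the JS challenge can run; the `confirmed` flag lets you avoid reloading on a 503 that carries no challenge header and is more likely an origin error.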