api requests are not blocked using under attack mode (getting 200 status)

I’m facing an issue and would be really appreciate for your help.

api requests are not blocked using under attack mode (getting 200 status). Passage challenge is being set up to 5 minutes, so after 5 minutes I get 403 and 503 response statuses on every request except ajax requests. I have no whitelists being set and only have 1 page rule which is not related to ajax.

About WAF rules: after challenge passage I must be issued a new JS challenge, but instead got 403 and 503 statuses which is explained by documentation which states next:

JS Challenge actions only support HTML requests. When an XHR or AJAX request triggers one of the Legacy CAPTCHA actions, the resulting request will have the following status code:

HTTP status code 403 for Legacy CAPTCHA
HTTP status code 503 for JS Challenge

This is the exactly the behaviour I get except api requests. I always get 200 status despite being in under attack mode and challenge passage timeout expires. I tried every WAF action and none helped me (always getting 200 status), except “Block” action.

Summary: when “Under attack mode” is enabled and challenge passage time is expired all of my requests get 403 and 503 statuses except ajax api requests (but should get 403 or 503 as well depends on selected WAF action, according to CF documentation)

Additional info:
What is the domain name?
https:// apptest.hotline.finance/ (without spaces, links are not allowed)

If needed:
api for curl/test:
https:// apptest.hotline.finance/api/insurance/find/cities?city={name}

For example: https:// apptest.hotline.finance/api/insurance/find/cities?city=%D0%9E%D0%B4%D0%B5%D1%81

What error message or number are you receiving?
No errors because I suppose to have errors. That is the issue

What steps have you taken to resolve the issue?

  1. tried every WAF action there is, none helped except ‘Block’ which is not what I need
  2. tried every options there is inside Page Rules

Was the site working with SSL prior to adding it to Cloudflare?

Have you tried from another browser and/or incognito mode?

Please attach a screenshot of the error:

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.