API traffic is not recognized as API traffic


We provide Java applications, which communicate via HTTPS-API (POST only) with our Web-Services. Unfortunately, those requests are not recognized as API-Traffic in Cloudflare. Also, the firewall spins up browser-integrity-checks for each connection. What Headers / User-Agents are necessary, to

  1. let CF recognize the traffic as API-traffic
  2. reduce or disable the browser-integrity-check for those requests?

Currently I disabled the browser-integrity-check for the whole domain, which is for me bad practice.

Here is a Screenshot of a blocked request:

Thanks in advance guys :smiley:

And here is a screenshot of the empty API-traffic:

Have you tried a page rule already, which disables the relevant security features? Is it always the same IP addresses?

Hey, yeah I tried that. The problem is more like, that a page rule is for a whole page, so it won't make a change - or did I miss something? I want the other traffic, which is not API-related, to be checked of course. I cannot guarantee, that our clients all have static IP addresses :frowning: Here in Germany, the internet providers change them from time to time.

Well, you censored almost everything, so it’s impossible to provide proper advice :wink:

Post an example of an API and a non-API URL.

The URL is always the same. We specify within the POST-fields, what the API does or what data is sent.

like www.example.org with the following body:

action : update-user
user_id : 5
forename : louis
name : spieckerhoff

In that case it is impossible to distinguish requests and you can’t use a page rule.

What you could do is use a custom user agent for your API requests and use a firewall rule to exclude such requests from the security checks. Of course anybody who sends the same user agent would also skip them.

The best approach would probably be to really have the API on a dedicated hostname.

Our hosts are dedicated. What changes, is the IP of the clients / Java applications, just to make sure you understand right.

Thanks for your answers so far :smiley:

I was not referring to hosts, I was talking about your hostname.

As already mentioned, the best approach will be to keep this on different hostnames. Everything else would be a workaround.

We are using a subdomain for each Java application.

Then it’s not the same URL.

Yeah, we got like 90 subdomains all together on 5 different 2nd level domains. To each of them, a single Java application and multiple users via browser and app communicate. The problem occurs on all of them :frowning:

Then here we go again.

What a user types in to access the web-service: https://lic13012.planzeit-service.de
What the java-application uses to access the web-service/api: https://lic13012.planzeit-service.de

So it's the same :smiley:

All right, but then you do not have different hostnames for the API.

Suggestion still applies :wink:

How do you distinguish between a regular request and an API request on your webserver?

We distinguish via the post fields / combination of them, which are sent. Probably not a widespread technique :smiley:

What you could do in that case is setting up such a firewall rule.

Of course this will apply to every POST request.

Looks good. I would filter for the User-Agent - didn't see that I can bypass a single feature :frowning:
I guess that's a good starting point. Thank you very much @sandro !

My rule looks like this now:
