We’ve enabled attack mode a number of times over the past few years to mitigate bad behavior bots crawling our site. This has worked 100% of the time each time we’ve needed to use it.
Today we had the same problem. However, enabling attack mode now causes client browsers to get HTTP 503 errors on the cached resources. ONLY on the cached resources: style sheets, JS files and images. Everything else comes through HTTP 200.
We’ve never seen this behavior before. Has the feature changed since we last used it back in Jan 2020? Is there something else we’re supposed to be doing now?
If you paste the URL of one of those cached files into your browser, do you still get the 503? And does it look like the Cloudflare-branded 503 error screen?
Good question - didn’t even think to give that a try to narrow down the source.
This morning, attack mode is working again - no 503 errors. However, it is triggering on every single page hit. Usually it fires just once and then the browser is whitelisted for a time. Not today. Inconvenient, but at least the site is up for now.
If we see it again I’ll follow your suggestion and report results back to here. Thanks again.