I have a Next.js (frontend of my app in React) app hosted under example domain, and a backend API hosted under api.example. Both domains are proxied through Cloudflare. Next.js sometimes needs to call api.example. The problem is that these calls to api.example.com are blocked by Bot Fight Mode. I know I can’t create a firewall rule to bypass Bot Fight Mode, so I had to disable it entirely. Is there any solution to keep Bot Fight Mode enabled and make all calls to api.example.com successful?
Was this just the regular Bot Fight Mode?
It’s always worth trying to add that next.js server’s IP address to Firewall → Tools as an Allow.
Yes, it was regular. Firewall rules seem not to affect Bot Fight Mode.
Correct, the rules won’t apply to it but the IP Access Rules (Firewall | Tools) should.