Browser Integrity Check WON'T TURN OFF!

Many times when I visit my own website I’m getting the annoying Browser Integrity Check.
I have tried everything in my powers to turn this off:

  1. It is OFF by default on the Security → Settings page
  2. I created a page rule with “Browser Integrity Check: Off”
  3. I created a WAF rule for my own IP address with the “Allow” option (I know that the rule is actually working because if I set it to “block” I am instantly getting completely blocked)
  4. Security Level is “Essentially Off”

Even with all 4 options combined, I still get the Browser Integrity Check page when I try to access my own website.
If I try to go incognito it will load fine, but once I log back in - it will show up again.

The worst part is that I have no idea if other visitors are getting this ■■■■ as well…

What can I actually do?

Do you see your requests in the firewall event log?


Actually no, I don’t see my requests in this event log… but I do see A LOT of other requests that are being blocked - 62,670 items for the last 24 hours…
All of these blocked requests are marked as the “Managed rules (new)” service, but I have completely disabled all of the managed rules on the WAF → Managed rules page! All of them!

Some rules are hardcoded and can’t be disabled; this usually occurs with blatantly malicious requests that Cloudflare sees across the network.
What legitimate requests are you seeing blocked? Can you dump the body (or part of it) and the path, method, etc?

All of them seem legitimate… also my own requests, a very simple visit to the homepage, root domain… no parameters, nothing special… yet I’m being blocked from my own website over and over again… I’m getting the captcha challenge, then a few hours later I see it again - which reminds me - I CHANGED THE “Challenge Passage” TO “1 YEAR”!!! Yet I see it at least once a day… (same browser, same network, didn’t delete cookies or anything like that)

That’s odd; it could be due to poor coding practices :person_shrugging:. As I said earlier, we will keep going around in circles without concrete examples.

It’s not like I refuse to send an example… I don’t see my blocked requests on the events log.

How did you come to those conclusions if you don’t have logs? If what you are seeing are “random” 5s/captcha challenges on your site, you have the following options:

  1. Check your privacy settings. Are you spoofing browser information or have privacy focused extensions? Those could interfere with Cloudflare checks and make you seem like a bot.
  2. Is your network/device infected? Facing challenges that often isn’t normal.
  3. If those challenges are a significant issue for you, remove Cloudflare. Cloudflare can deliver those challenges to any visitor at any time. As far as I know, only the Enterprise package can disable the challenges fully (and even then, I’m not convinced that those will be gone for good). One of Cloudflare’s main benefits is those challenges, so if you are annoyed by that, it might be better to simply skip using the service.

Who said I don’t have logs?
I had 62,670 log items when I wrote this, all of these blocked requests were marked as the “Managed rules (new)” service, but none of them was MY request (searched for it by my IP and/or my URL).

About your options:

  1. I don’t have such extensions, and anyway this also happens in Incognito (no extensions) as soon as I log in to my site (WordPress).
  2. No
  3. I might just do that, not because it annoys me, but because if it happens to me it might also be happening to my visitors - which is very very bad.

