Cannot bypass/skip security level

We have a service connecting to a webhook of ours and we’ve just noticed it is now blocking requests under the service ‘Security Level’. We have created a page rule for that endpoint to set the security level to ‘essentially off’, and this doesn’t seem to work.
We have also tried creating a managed rule, but this gets hit, skips, but still gets blocked by the Security Level. Nothing I have tried appears to have any effect on this. The strange thing is that a managed challenge makes no sense as it’s not a visit to the endpoint, it’s a POST request.

https://support.cloudflare.com/hc/en-us/articles/217074967-Configuring-IP-Access-Rules

Create an IP access rule to allow your webhook.


This won’t work as the service sending the request uses dynamic IP addresses. There’s no fixed IP.

Also, why wouldn’t a page rule work here? It’s what it advises using under the Security Level tools.

Surely it has some sort of IP ranges you can allowlist; if not, then I’m afraid that you won’t be able to get it to work.
It’s unfortunate that neither the security level nor HTTP DDoS protection can be properly tweaked right now.

A managed challenge will deliver either a captcha or a JS challenge; in your case you want to Allow the requests.

It will, but if you are still triggering it after setting it to low, then you can only rely on IP access rules.

The service is hosted on Heroku, so I am asking the vendor if there’s a static IP address they can send us. I’ve used Heroku before and their IP ranges are essentially the gamut of IP ranges of AWS, and it is not desirable to open up our app to all of those.

More info here https://help.heroku.com/JS13Y78I/i-need-to-add-heroku-dynos-to-our-allowlist-what-are-ip-address-ranges-in-use-at-heroku

Is there a particular reason that a page rule would not work? Is there a setting that I need to use?

Setting a page rule feels wrong as it’s not even a page but an API endpoint. Are there different settings for this?
