Can't submit an HTML form with a file upload, always get "verifying you are human"

I have an HTML form with a file upload. When I submit the form, I always get the “verifying you are human” screen, which passes automatically, and then the form never submits.

We have been using Cloudflare on this web-server/domain for many years without any issues and this just started out of the blue.

I already tried setting security level to “Essentially Off” and tried creating a WAF Rule that “skips” everything when I’m logged in from my IP address but neither are working. I’ve even “paused” Cloudflare on the site but it continues to happen.

What else would you suggest?

That is odd, if you’ve paused Cloudflare and the issue persists it indicates a problem with the origin server. Can you share the name of the site?

Thanks for the reply! On May 10, I ended up resetting the Cloudflare settings back to normal as the site went down for some reason. The site came back online shortly thereafter.

This morning, I just paused Cloudflare again, tried the file upload, and it did work as expected this time, no Cloudflare “verifying you are a human” screen. But I don’t want to keep Cloudflare paused.

Is there any specific setting in Cloudflare that will disable the “verifying you are a humane screen” based off of whatever settings Cloudflare allows (specific URLs, specific IP addresses, HTML forms, etc.)?

You can disable under attack mode if it’s active and set up an IP access rule so that certain IPs or locations are not blocked.

I appreciate the help! A couple of updates:

Turns out that pausing Cloudflare on this site actually brings the site down because of an SSL issue. I didn’t get a screenshot of the exact SSL error and I don’t want to bring the site back down again just to get the error message. If my memory is correct, the error was “ERR_SSL_VERSION_OR_CIPHER_MISMATCH”.

To answer your suggestions:

  • “Under Attack Mode” is not active.

  • In “Security >> WAF >> IP Access Rules”, I do have a rule setup to “Allow” my IP address. That should always prevent a challenge, correct?

Is this “IP Access Rules” sufficient? Or do I need to add rules to any other areas as well to prevent the challenge?