Cf-cache-status: BYPASS prevention in APO

I’m using APO with official WordPress plugin. The problem is when the browser sends header:
cache-control: no-cache
Cloudflare is bypassing edge and send response:
cf-apo-via: origin,no-cache cf-cache-status: BYPASS
I want to disable this behaviour and maybe change state of such requests to DYNAMIC. Is there any way to do this?

The browser doesn’t send that header, it is a header generated by an origin server.

As opposed to BYPASS? To what end?

1 Like

Disable cache enabled (browser sends cache-control: no-cache):

And in normal circumstances without this header, everything is OK:

BYPASS for me is security breach :roll_eyes: so I need to find a way to prevent this.

Well it’s not on Cloudflare. Also it depends what you bypass. If you bypass securitysystems then it’s a securityissue. If you bypass cache, then it’s a performance breach :wink:

Your own definition tbh, does not matter to much on a clearly defined and standardised term. The term and the list with other possible cf-cache-status header values can be read here:

Value Description
BYPASS The origin server instructed Cloudflare to bypass cache via a Cache-Control header set to no-cache,private, or max-age=0 even though Cloudflare originally preferred to cache the asset. BYPASS is returned when enabling Origin Cache-Control. Cloudflare also sets BYPASS when your origin web server sends cookies in the response header.
DYNAMIC Cloudflare does not consider the asset eligible to cache and your Cloudflare settings do not explicitly instruct Cloudflare to cache the asset. Instead, the asset was requested from the origin web server. Use Page Rules to implement custom caching options.

I know this. But in my case such performance breach is a very easy DOS for an attacker (happened last night) :frowning: I will use cache everything rule if there’s no other way to prevent this. Thanks!

Yes, I know that. That’s how APO works. There are multiple reasons for this, but none of which I like. For DDoS attacks, feel free to adjust your Firewall at Cloudflare a little to make it catch them. But other than that, yes power with APO is given to the visitor to bypass cache which is dangerous.

I first misunderstood you and thought that you want to rename BYPASS to DYNAMIC. As both would have the same effect (origin serves) that would not make a difference.

As of the Cache everything rule:
if your pages have URLs with trailing slashes its easy to match them all with something like this “domain.tld/*/” and turn on cache everything, but it might does not update as flawless as APO without it.

Frankly speaking if they really want to DDoS your site, they can simply find a URL which is known as non-cachable e.g. /wp-admin as the request will always hit your server, they don’t have to add a cache-control: no-cache request header just to bypass that cache. This is just one example, attackers might find various ways just to take down your site.


I’m using workers to protect critical URL’s. I’ve also added under attack level to some other ends.

Now that I know it’s an APO default behaviour, I’ll try to mitigate that by clever rules & origin-side tweaking.

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.