CF cached the wrong page

I’ve set up a cache rule for my homepage, and this morning, all of a sudden, the homepage was showing a private page that should only be shown to logged-in users: the dialog requiring the user to enter their 2FA code. This was showing even BEFORE any login! I was very surprised that this happened. I always assumed CF makes a request to that page and caches it; apparently it’s caching it based on a visit by one of the visitors, or something like that. That is a huge risk! The page could have been his customized homepage!

And this triggered a chain of issues: users who were shown this page started rapidly refreshing, as users do! Many of them ended up blocked by the rate limiting rules. I’ve been having heavy attacks on my site (500 million requests within 30 minutes), so I had to put in some strict rate limiting rules.

So my question has two parts:

  • How do I prevent CF from caching the 2FA page? Will adding headers like these to the 2FA page work?
        Cache-Control: no-cache, no-store, must-revalidate
        Pragma: no-cache
        Expires: 0
  • How do I flush all blocks? I can purge the cache, but I searched everywhere and I can’t see an option to purge all blocks, which would have been tremendously helpful to me this morning; after I purged the cache, a lot of people were already blocked.

Thank you

Cloudflare cached exactly what you asked it to cache: your homepage URL. And that is why Cloudflare doesn’t cache HTML by default.

First, turn that rule off. Then Purge Everything.

Most likely, your site sets a cookie for logged-in users. Your Cache Rule can have a “Cookie DOES NOT CONTAIN” setting, so it won’t cache if that login cookie exists.

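The caching behaviour discussed in this thread, as an added worked example that is not part of the original posts and is neither Cloudflare's code nor the poster's application: a toy shared edge cache keyed only by URL (what a cache-everything rule gives you), an origin that renders the 2FA dialog at the homepage URL for a session that is still waiting for its code (an assumption made to reproduce the symptom), and the two fixes raised above, namely sending Cache-Control: private, no-store on any response to a request carrying the session cookie, and a cache rule that bypasses the cache when that cookie is present. The cookie name `session`, the session states and the page bodies are made up for the example.

```python
"""Toy model of a shared edge cache keyed only by URL (what a "cache
everything" rule gives you) and an origin that renders different HTML for
the same URL depending on the visitor's session. Everything here is
constructed for illustration: it is not Cloudflare's code nor the poster's
application. The cookie name, session states and page bodies are assumptions.
"""
from dataclasses import dataclass, field

SESSION_COOKIE = "session"          # assumed name of the login cookie
HOME = "/front/home"                # path from the thread; app behaviour assumed


@dataclass
class Request:
    path: str
    cookies: dict = field(default_factory=dict)


@dataclass
class Response:
    body: str
    headers: dict = field(default_factory=dict)


def origin_unsafe(req: Request) -> Response:
    """Origin before the fix: every HTML page goes out as publicly cacheable,
    and a session still waiting for its 2FA code gets the 2FA dialog rendered
    at the homepage URL (an assumption that reproduces the symptom)."""
    state = req.cookies.get(SESSION_COOKIE)
    if state == "awaiting-2fa":
        body = "<form>Enter your 2FA code</form>"
    elif state is not None:
        body = "<h1>Your customized homepage</h1>"
    else:
        body = "<h1>Public homepage</h1>"
    return Response(body, {"Cache-Control": "public, max-age=3600"})


def origin_hardened(req: Request) -> Response:
    """Fix 1 (origin side): any response to a request that carries the session
    cookie is marked private and not storable, so a shared cache that honours
    Cache-Control never keeps it. Anonymous responses stay cacheable."""
    resp = origin_unsafe(req)
    if SESSION_COOKIE in req.cookies:
        resp.headers["Cache-Control"] = "private, no-store"
        resp.headers["Pragma"] = "no-cache"      # for legacy HTTP/1.0 caches
        resp.headers["Expires"] = "0"
    return resp


def cache_control_directives(resp: Response) -> set:
    """Parse 'public, max-age=3600' into {'public', 'max-age'}."""
    raw = resp.headers.get("Cache-Control", "")
    return {d.strip().split("=", 1)[0].lower() for d in raw.split(",") if d.strip()}


class SharedCache:
    """Edge cache shared by all visitors and keyed only by path.
    bypass_cookie models a cache rule's "Cookie DOES NOT CONTAIN" condition
    (fix 2): requests carrying that cookie skip the cache entirely."""

    def __init__(self, origin, bypass_cookie=None):
        self.origin = origin
        self.bypass_cookie = bypass_cookie
        self.store = {}
        self.log = []           # one of BYPASS / HIT / MISS per request

    def fetch(self, req: Request) -> Response:
        if self.bypass_cookie and self.bypass_cookie in req.cookies:
            self.log.append("BYPASS")
            return self.origin(req)
        if req.path in self.store:
            self.log.append("HIT")
            return self.store[req.path]
        resp = self.origin(req)
        if cache_control_directives(resp) & {"no-store", "private"}:
            self.log.append("BYPASS")       # fetched, but not stored
        else:
            self.store[req.path] = resp     # stored for everyone who asks next
            self.log.append("MISS")
        return resp

    def purge_everything(self) -> None:
        self.store.clear()


def replay(cache: SharedCache) -> str:
    """The sequence from the thread: a user mid-2FA loads the homepage, then an
    anonymous visitor loads it. Returns the body the anonymous visitor sees."""
    cache.fetch(Request(HOME, {SESSION_COOKIE: "awaiting-2fa"}))
    return cache.fetch(Request(HOME)).body


if __name__ == "__main__":
    print("unsafe origin:   ", replay(SharedCache(origin_unsafe)))
    print("hardened origin: ", replay(SharedCache(origin_hardened)))
    print("cookie bypass:   ", replay(SharedCache(origin_unsafe, SESSION_COOKIE)))
```

In this model either fix alone stops the leak: with the unsafe origin the anonymous visitor gets the 2FA form, with either the origin headers or the cookie bypass they get the public homepage, and Purge Everything only empties the store until the next logged-in visit refills it. The cookie condition is the more robust of the two because it does not depend on every authenticated view remembering to set the header, while the origin headers also protect against any other shared cache in the path. Note that Cloudflare honours private and no-store from the origin unless the rule's Edge TTL setting is configured to ignore origin headers, in which case only the cookie condition helps.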

I did purge everything and did disable the rule; the users that were blocked remained blocked. Is this supposed to lift the ban from the users that received it? I’m not talking about future events, but about those who were already blocked before I disabled the rule and purged everything.

And as for what CF does: if Google, say, caches a result on your site, it will not use a user’s experience on Chrome, for instance, to save a copy of the HTML generated for that specific user; it will save the output its bot received from that page. I know they’re different things, but this is what I assumed.

Not to mention that it was not even the same URL: the cache rule specified /front/home, and the 2FA page shows for /front/. I have no idea how that form ended up on /front/home!

Thanks for your help.