Since I added Cloudflare with the security level set to Medium, it started showing a JavaScript challenge page every time a visitor accesses the page, which is normal. However, on the Match page of my website, there’s a request system that happens every 3 seconds, asking if it has found an opponent in the queue. And once the match is in progress, there’s another request system that happens every 10 seconds, asking if the opponent has taken their turn.
Apparently, Cloudflare blocks these requests if a person, for example, leaves the page and comes back. This issue was reported by a friend of mine who used the site while working. Whenever he took his turn, he would do something else and come back when it was his turn again, but sometimes it would never return, and in the console, it showed a 403 error, forcing him to refresh the page and go through the JavaScript challenge page again to receive a new token.
Another report was from another colleague who was playing on his iPhone. He said he couldn’t find a match in the queue (in the 3-second request system) and was also blocked by Cloudflare. He also had to refresh the page and go through the JavaScript challenge system.
I thought about trying to disable the security level for the endpoint responsible for both the queue system (3 seconds) and the system to check if the opponent’s turn has ended (10 seconds), but this would make these endpoints vulnerable, and I find it difficult to reproduce these bugs since I don’t know exactly what exact conditions trigger these bugs. So, I wanted to ask here for a solution to this.