Cloudflare blocking requests involving percent sign (%)?

I’m trying to figure out why a Cloudflare 400 error is produced involving any URLs with a percent sign in them. Where can I look? I don’t see any WAF rules strictly involving a % that might be the cause. If I temporarily disable caching, is that enough to also bypass any such rule?

Here’s a random example. Add a percent sign anywhere in the URL.

I’m thinking it’s something bot related or general security related that does not involve an explicit % but that it’s just perceived as a threat so it’s blocked.

The problem is that 1) it produces a very basic error page instead of just redirecting to somewhere else; and 2) if Google indexes one such page, it will impact its ability to continue scanning our site for 404s, as we’ve learned GSC just gives up if it can’t validate a particular URL.


Hi there!

400 error (Bad Request) means that the client did not send a correct request to the server.

This is a client error: malformed request syntax, invalid request, message framing, or deceptive request routing. For example, if the request contains a special character that is not correctly URL Encoded (or percent-encoded), this HTTP Error 400 will be returned.

If you want to check 400 error details from your dashboard, you should be able to check from your traffic analytics if you have the Pro plan or above.
You can use Filter to find status code 400 for your traffic.
Please check: Filters · Cloudflare Analytics docs

Thanks so much for your help. I have used the filter to identify the status code and have found just one entry.

Is there a way to allow Cloudflare to just let these 400 errors through to the web server? Is this a filter that can be disabled?

@dwreski, you are perfectly right, the Cloudflare 400 error message on URLs involving a % symbol is bad.

Most programmers know what @yuri1 is mentioning about malformed request syntax; however, Cloudflare should allow customizing the response.

For instance, in my case, I have an example URL:

The wrong code is also showing in Google Console (similar report: Urls with double % symbol give Cloudflare 400 error)

Of course such a URL can be generated by bad programming on the back end (although in my case it was correctly encoded originally) or simply linked on other websites which wrongly treat the URL and create the BAD version.

Now, on my end, using an Apache directive ( AllowEncodedSlashes NoDecode ), I can allow such requests and create custom error pages.
In the Apache config (not .htaccess), “ErrorDocument 400 /message.err400” is needed (in my case “message.err400” is part of URL/“message.err400” )

Using nginx (maybe part of Plesk), such a setting is needed: " error_page 400 =301 $scheme://$host/message.err400; " in Additional nginx directives.

You can test such a request DIRECTLY against the server: (however, this subdomain is NOT part of the Cloudflare proxy and is only for logged-in users and only redirects to a customized 404) … but otherwise it normally redirects to (removing % from URL)

In most cases, I can even reconstruct such a bad URL and REDIRECT to the correct one, but I need to get the request at the server level and not have it blocked by Cloudflare.

The question remains: how can I bypass the default Cloudflare 400 error page and let the request go to the original server?

Thank you!
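
An added example, not code from any of the posts above: a small Python check for the malformed percent-encoding mentioned in the first reply (a `%` not followed by two hex digits, per RFC 3986), plus the kind of URL reconstruction the last post describes. The function names, the `escape`/`strip` strategies and the example.com URLs are assumptions made for illustration, and the check does not claim to reproduce Cloudflare's own parsing.

```python
import re
from typing import List, Optional
from urllib.parse import urlsplit, urlunsplit

# RFC 3986: a percent-encoded octet is "%" followed by exactly two hex digits.
# Any other "%" is a stray one, which makes the request target malformed.
_STRAY_PERCENT = re.compile(r"%(?![0-9A-Fa-f]{2})")


def stray_percent_offsets(component: str) -> List[int]:
    """Return the offsets of every '%' that does not start a valid escape."""
    return [m.start() for m in _STRAY_PERCENT.finditer(component)]


def repair_url(url: str, strategy: str = "escape") -> Optional[str]:
    """Return a well-formed redirect target, or None if nothing needs fixing.

    strategy="escape": turn each stray '%' into '%25' (keeps a literal percent).
    strategy="strip":  drop each stray '%' (the redirect described in the thread).
    Both strategies are illustrative choices, not a Cloudflare feature.
    """
    if strategy not in ("escape", "strip"):
        raise ValueError("strategy must be 'escape' or 'strip'")
    replacement = "%25" if strategy == "escape" else ""
    parts = urlsplit(url)
    # Only the path and query are rewritten; valid escapes are left untouched.
    path = _STRAY_PERCENT.sub(replacement, parts.path)
    query = _STRAY_PERCENT.sub(replacement, parts.query)
    if (path, query) == (parts.path, parts.query):
        return None
    return urlunsplit((parts.scheme, parts.netloc, path, query, parts.fragment))


if __name__ == "__main__":
    # Constructed sample URLs (example.com is a placeholder host).
    samples = [
        "https://example.com/sale-50%-off?q=100%",
        "https://example.com/x%%41",
        "https://example.com/a%20b",
    ]
    for url in samples:
        print(url, "->", repair_url(url), "| strip:", repair_url(url, "strip"))
```

This is only useful where the malformed URL reaches code you control, such as the origin tested directly or the application that generates the links.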
