Cloudflare blocks REST API requests (wordpress rest api expired nonce from cache results in 403 forbidden), result: I cannot save draft post

Hey there. So I’ve already reviewed the Github issue [here ], which has been closed2 years ago since Cloudflare apparently made updates at that time, but I’m still unable to publish through Gutenberg (integrated within wordpress latest version) and I’m getting the error that Cloudflare is blocking Rest API apparently.

From the developper console I get this:

  1. {code: “rest_cookie_invalid_nonce”, message: “Le nonce du cookie n’est pas valide”,…}
  2. code: “rest_cookie_invalid_nonce”
  3. data: {status: 403}
  4. message: “Le nonce du cookie n’est pas valide”

Apparently the nonce key is being cached on the frontend beyond its lifespan, I need to hook into the API request before the authentication step and replace the cached nonce key with a valid one, but how do I do this? I am not skilled in that matter.

I also disabled the two rules: WP0025a and WP0025B. I’ve already disabled them prior, but I still can’t save a draft or whatever through Wordpress. I have purged all everything after each change at WAF or firewall rule level.

I have read also different tickets here, as well related to gutenberg (github) or stackoverflow. I tested many different tips but none worked.

I also added WP_DEBUG and display but no log file from the infinite loop to save the draft.

The root cause starts from this script (throught developper panel):
api-fetch.min.js within wp-includes/js/dist

wordpress 5.4.1
No cache plugin
No protection plugin

I have these bypass rules on:
WP0003 Wordpress - Bypass WAF for /wp-admin Cloudflare WordPress On
WP0004 Wordpress - Bypass WAF for /wp-admin/post.php Cloudflare WordPress On

Same problem on chrome or mozilla firefox.

If you need additional information, let me know.
Help welcome. I am stuck past 30 hours on this issue.

One last attempt is: using the plugin disable Gutenberg. And returning to old editing page.
It works back to normal. However I fear any similar conflict in the future.
Apparently there is a REST API cloudflare url. Maybe that would help me to provide me some guidance. I would like to test with Gutenberg on.

Like on this article, I can’t whitelabel my IP as it changes very often, and I use Cloudflare pro plan.

Hi kn82000

What domain were you having this problem on?
My suspicion is that this issue was not related to the WAF because this message:
{code: “rest_cookie_invalid_nonce”, message: “Le nonce du cookie n’est pas valide”,…}
Looks like it comes from Wordpress - implying that the request made it past the waf to the cache and/or origin.

Hi rsommerville,

My domain is the only one attached to cloudflare.
It comes from the gutenberg plugin doing rest api requests. When disabling it, all works fine but then it seems that Cloudflare interacts somehow. If I use it on another domain without cloudflare, all works fine.
I have a long setup in firewalls and WAF so probably by being extra vigilent I disable any plugin able to do PUT or POST requests? Does it sound possible?

I’ve found this page which discusses an issue similar to yours.

In their case the problem was Cloudflare caching /wp-json/.

I’d suggest seeing if the gutenberg plugin works with ‘development mode’:

If it does work then the issue is most likely caching and you should disable Cloudflare’s caching on Wordpress API endpoints used by gutenberg.

Separately you can confirm whether Cloudflare’s WAF/firewall is the problem by checking if any firewall events are generated from you IP address when trying to use the gutenberg plugin:

Dear rsommerville,

Thank you for your time. I know the first article (this is my reference article in fact) and I tried the development mode without noting any change.
I will investigate your third point with the firewall analytics.
But from my previous investigation, I had seen nothing from the logs but still pages were not able to upload.
I will make some tests with gutenberg on a bit later this week as I want to progress on the website content while it is working now. If I find the exact root cause of the issue, I will post here again.

You can setup a wordpress-specific WAF to avoid false positives.

Hi in11,
How do I do this “wordpress-specific WAF”? I used all waf parameters linked to wordpress, also enabling, disabling all, purging all, waiting, but still no draft geting updated.
Maybe you have a better setup. Let me know.
P.S. I still have to try the firewall analytics that rsommerville suggested.

This topic was automatically closed after 14 days. New replies are no longer allowed.