Disable challange for part of site

Hi!

Trying to disable the catcha challenge for the admin part of a site.

I’ve tried to add a firewall rule to allow traffic to the url. - didn’t work.
Also tried to add a page rule to disable waf - didn’t work either.

It does work if i whitelist my ip-adress under firewall > tools.
But it’s not just me using the admin panel, and i can’t ask people to log in to cloudflare and whitelist their ip every time they work from someplace new.

It’s the xss protection that fires, when i’m trying to post tags.

The challenge is a dealbreaker cause i’m posting the form with ajax.

Can i disable the challenge any other way?

Captcha or JavaScript challenge?

How did you configure the challenge in the first place? What is your security level?

Any challenge really, but i’m getting the captcha challenge.

I’ve set the security level to normal by default, but I have tried to set the security level to essensially off, but it still gets challenged.

Can you post screenshots of your firewall and IP access rules? A captcha challenge should only originate from such a rule, respectively if the IP address is flagged. In the latter case you cant do much, except for whitelist that address.

Here’s the firewall rule

The ip access rules are just allowing stuff, not blocking, so i don’t think they are causing the trouble. And if I whitelist my ip, it does work…

Is that the only firewall rule? Also, what hostname is that? Is that part of your URL?

This is the log entry from the block. removed some entries about ip and stuff.

“action”: “challenge”,
“rayName”: “51798c826b9597ea”,
“ruleId”: “100030ARGS_STRICT”,
“source”: “waf”,
“userAgent”: “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36”,
“metadata”: [
{
“key”: “filter”,
“ruleId”: “16b79356641e40edb49e782774ea921f”,
“value”: “74dccfeba69843fe9d0d5b76ad437fdf”
},
{
“key”: “group”,
“ruleId”: “100096BBASE”,
“value”: “cloudflare_specials”
},
{
“key”: “group”,
“ruleId”: “100030ARGS_STRICT”,
“value”: “cloudflare_specials”
},
{
“key”: “matched_var”,
“ruleId”: “100030ARGS_STRICT”,
“value”: “ARGS:BLADE”
},
{
“key”: “rule_message”,
“ruleId”: “100030ARGS_STRICT”,
“value”: “XSS - HTML Script Tag - Body”
},
{
“key”: “anomaly_score”,
“ruleId”: “100030ARGS_STRICT”,
“value”: “0”
},
{
“key”: “sqli_score”,
“ruleId”: “100030ARGS_STRICT”,
“value”: “0”
},
{
“key”: “xss_score”,
“ruleId”: “100030ARGS_STRICT”,
“value”: “0”
}
],
“matches”: [
{
“action”: “allow”,
“ruleId”: “16b79356641e40edb49e782774ea921f”,
“source”: “firewallRules”
},
{
“action”: “log”,
“ruleId”: “100096BBASE”,
“source”: “waf”
},
{
“action”: “challenge”,
“ruleId”: “100030ARGS_STRICT”,
“source”: “waf”
}
]

You seem to have fired WAF rule 100030. Are you on a paid plan?

Yeah, seems like that’s the one giving trouble.

Yes, on a pro plan

You could disable

under “Cloudflare Specials” in WAF.

Better yet though, try to fix your code so it doesnt fire.

Awesome, that did the trick!

Thanks alot :slight_smile:

Fix my code - you mean don’t post script tags?

Possibly, that depends on what exactly you are doing. Either keep it disabled or make whatever changes are required not to fire it.

1 Like

This topic was automatically closed after 30 days. New replies are no longer allowed.