Introduction
Single Page Applications (SPAs) are web applications that load a single HTML page and update it dynamically in response to user interactions, without reloading the entire page. An SPA fetches and updates its data through API calls, which exposes those API endpoints to rate limit breaches by malicious actors.
Problem Statement
Cloudflare WAF currently does not support JavaScript challenges on API calls, which makes it difficult to block malicious actors without also affecting legitimate users. When a rate limit is breached, the API call returns an error status code, but the SPA front end has no way to handle that response, so legitimate users cannot clear the block. Adding a JavaScript challenge to every request gives a poor user experience and does not solve the problem either: malicious actors attack the API directly and never pass through the front end, while legitimate users do not want to see a challenge unless the API rate limit has actually been reached.
Current Limitations
API calls in Cloudflare WAF do not support JavaScript challenges. Without them, the only available response to a breached rate limit is to block all further API calls, which also hits legitimate users and gives them a poor user experience without effectively solving the problem.
Proposed Solution
We propose a new feature in Cloudflare WAF: Rate Limit Rules with Managed Challenges for Single Page Applications (SPAs). The feature will let SecOps Managers define rate limit rules that trigger a Managed Challenge for API calls once a rate limit threshold is reached. The Managed Challenge is presented on the front-end side of the SPA, so a legitimate user can clear the block by solving the JavaScript challenge, while a client that never renders the front end cannot. This is a better solution than blocking all API calls outright: it stops malicious actors and leaves the experience of legitimate users intact.
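To make the proposed flow concrete, the following JavaScript is an added example and is not code from this proposal or from Cloudflare's product. It simulates the three parties involved: an edge that rate limits API calls per client and answers a breach with a challenge rather than a bare block, an SPA-side request wrapper that recognises the challenge response and hands it to the UI, and two callers, a legitimate user whose front end solves the challenge and a scripted client that never renders the front end. The status code (429), the header name (x-challenge-url), the challenge path and the clearance mechanism are all assumptions chosen for the example.

```javascript
// Added example, not code from the proposal or from Cloudflare. It simulates the
// flow the proposal describes: an API call from an SPA hits a rate limit at the
// edge, the edge answers with a challenge instead of a hard block, the front end
// presents the challenge, and the call is retried once the user has solved it.
// Everything here is an in-memory stand-in; header and endpoint names are
// hypothetical, chosen for the example.

const LIMIT_STATUS = 429;                   // assumed status for "rate limit breached"
const CHALLENGE_HEADER = 'x-challenge-url'; // hypothetical header naming the challenge page

// Simulated edge: fixed-window rate limit per client, plus a "clearance" set that
// stands in for the cookie a solved Managed Challenge would grant.
function createEdge({ limit, windowMs }) {
  const windows = new Map(); // clientKey -> { start, count }
  const cleared = new Set(); // clients that have solved the challenge
  const ok = () => ({ status: 200, headers: {}, body: { ok: true } });
  return {
    request(clientKey, now = Date.now()) {
      if (cleared.has(clientKey)) return ok();
      let w = windows.get(clientKey);
      if (!w || now - w.start >= windowMs) {
        w = { start: now, count: 0 }; // new window for this client
        windows.set(clientKey, w);
      }
      w.count += 1;
      if (w.count > limit) {
        // A challenge, not a bare block: the front end can act on this response.
        return { status: LIMIT_STATUS, headers: { [CHALLENGE_HEADER]: '/__challenge' }, body: null };
      }
      return ok();
    },
    // A real challenge would be verified at the edge; here solving just grants clearance.
    solveChallenge(clientKey) { cleared.add(clientKey); },
  };
}

// SPA-side wrapper around an API call. `presentChallenge(url)` is the UI hook: it
// shows the challenge page (for example in an iframe) and returns true once the
// user has solved it. It is synchronous here to keep the example self-contained;
// in a browser it would return a Promise that this function awaits.
function apiCall(edge, clientKey, presentChallenge, maxRetries = 1) {
  let challenged = 0;
  for (let attempt = 0; ; attempt++) {
    const res = edge.request(clientKey);
    const isChallenge = res.status === LIMIT_STATUS && CHALLENGE_HEADER in res.headers;
    if (!isChallenge) return { response: res, challenged };
    challenged += 1;
    // Stop if the retry budget is spent or the user did not solve the challenge.
    if (attempt >= maxRetries || !presentChallenge(res.headers[CHALLENGE_HEADER])) {
      return { response: res, challenged };
    }
  }
}

// Scenario (constructed): a legitimate user crosses the limit, solves the challenge
// and continues; a scripted client that never renders the front end stays blocked.
function runScenario() {
  const edge = createEdge({ limit: 3, windowMs: 60000 });
  const userUi = () => { edge.solveChallenge('user-a'); return true; }; // user solves it
  const noUi = () => false;                                             // bot has no front end
  const user = [];
  for (let i = 0; i < 5; i++) user.push(apiCall(edge, 'user-a', userUi).response.status);
  const bot = [];
  for (let i = 0; i < 5; i++) bot.push(apiCall(edge, 'bot-b', noUi).response.status);
  return { user, bot };
}

module.exports = { createEdge, apiCall, runScenario, LIMIT_STATUS, CHALLENGE_HEADER };
```

Running runScenario() shows the point of the proposal: the user's fourth call is challenged, solved and retried, so the user sees five successful calls, while the bot's fourth and fifth calls stay at 429 because nothing ever presents or solves the challenge. The wrapper deliberately caps retries so an unsolved challenge cannot turn into a request loop against the rate-limited endpoint.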
User Story
As a SecOps Manager, I want to set rate limit rules for the API calls in my SPA that trigger a Managed Challenge only when a rate limit threshold is reached, so that I can block malicious actors while legitimate users continue to use my SPA without hindrance.
As a Legitimate User, I do not want to be locked out by an API call rate limit breach. I want to be presented with a Managed Challenge only when a rate limit threshold is reached, so that I can solve the challenge and continue to use the SPA without hindrance.
Conclusion
Rate Limit Rules with Managed Challenges for Single Page Applications (SPAs) would be a valuable addition to Cloudflare WAF. The feature gives SecOps Managers a way to block malicious actors effectively while offering legitimate users a better experience than an outright block.