Handle challenge for API request


We have a SPA setup; app.example.com and api.example.com are behind Cloudflare. Sometimes we receive a massive amount of requests to our API login endpoint, which is used by our SPA. I tried multiple times to enable “I’m Under Attack Mode”, which worked on the frontend: the challenge was presented, but then the request to our API didn’t go through, as the solved challenge was not enough for api.example.com, which required another challenge.

I’ve read a similar issue here - cf community link - and tried to utilize the help from here.
I’ve created a special URL on our API, api.example.com/challenge, which always presents a challenge with WAF rules, then I’ve set up a rule to test it by requiring a challenge for a given country. I’ve connected from that country with a VPN. In the frontend, I’ve seen that the API response is 403 and that I have to solve a challenge for the API request. I’ve proceeded to api.example.com/challenge and it was OK, but the AJAX requests were still failing.

I’ve been googling this for a long time now, but I’ve found no real solution for this. The best would be to have the challenge be valid for every subdomain under example.com.

Any idea what I am doing wrong or how I should change the flow?


