Handle WAF challenge response to AJAX request via client-side

Hello there,

I have an issue where I’m looking to protect my frontend API routes with a Managed Challenge response if a user surpasses a certain request/minute threshold. The goal would be if a user surpasses something like 1000 requests/minute, CF would respond with a challenge response to verify that the user isn’t a bot.

Based on the documentation for Managed Challenge https://developers.cloudflare.com/firewall/cf-firewall-rules/cloudflare-challenges/#detecting-a-challenge-page-response, it looks like the response type will always be text/html and the response will include a cf-mitigated: challenge header. That seems easy enough to detect, but I’m not sure how best to handle a challenge response on an AJAX call.

I’ve looked at Turnstile, but most of the frontend AJAX calls aren’t form elements and don’t have a well-defined place to show an interactive challenge.

Has anyone dealt with an issue like this?

Ideally we’re looking to

  • Let users use the frontend api up until they get challenged by Cloudflare
  • If they get a challenge response, we could show them a challenge in the client
  • If they solve that challenge, they can continue using the site without needing to reload their page

If that’s not possible, is it possible to

  • Let users use the frontend api up until they get challenged by Cloudflare
  • If they get a challenge response, ask the user to reload the page to handle the challenge
  • If they solve that challenge, they’re redirected back to the page they were on

Happy to elaborate, thanks for your help

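The detection the post describes (the `cf-mitigated: challenge` header on a text/html response) wrapped into an API client, as an added example that is not part of the original post or of Cloudflare's own code; `apiFetch`, `reloadForChallenge` and the `resumeAfterChallenge` storage key are assumed names, and the fallback implements the post's second option (reload to solve the challenge).

```javascript
// Added example, not from the original post: a fetch() wrapper that detects a
// Cloudflare Managed Challenge on an AJAX call and hands it to the page.
// Assumptions: the challenge is signalled by the `cf-mitigated: challenge`
// header with a text/html body (per the docs linked in the post); the fallback
// handling is option 2 from the post (ask for a reload). Function names and
// the "resumeAfterChallenge" storage key are hypothetical.

function isChallengeResponse(response, { expectJson = true } = {}) {
  // The header is the authoritative signal. With expectJson, a text/html body
  // is flagged too, so a stripped header does not surface as a JSON parse error.
  const mitigated = (response.headers.get("cf-mitigated") || "").trim().toLowerCase();
  if (mitigated === "challenge") return true;
  const type = (response.headers.get("content-type") || "").toLowerCase();
  return expectJson && type.startsWith("text/html");
}

class ChallengeRequiredError extends Error {
  constructor(url) {
    super(`Cloudflare challenge required before ${url} can be used`);
    this.name = "ChallengeRequiredError";
    this.url = url;
  }
}

// Option 2 from the post: remember where the user was, then reload so the
// interstitial can be solved and the page restored afterwards.
function reloadForChallenge(url) {
  if (typeof window === "undefined") return false; // not in a browser (e.g. tests)
  window.sessionStorage.setItem("resumeAfterChallenge", window.location.href);
  window.location.reload();
  return true;
}

// Drop-in for fetch() in the app's API client; `deps` lets a test inject a fake
// fetch and a fake challenge handler instead of the real ones.
async function apiFetch(url, init = {}, deps = {}) {
  const doFetch = deps.fetchImpl || globalThis.fetch;
  const onChallenge = deps.onChallenge || reloadForChallenge;
  const response = await doFetch(url, { credentials: "same-origin", ...init });
  if (!isChallengeResponse(response, deps)) return response;
  await onChallenge(url, response);
  throw new ChallengeRequiredError(url); // callers never parse the HTML as JSON
}

// Constructed stand-in for a Response so the example runs outside a browser.
function fakeResponse(status, headers) {
  const lower = Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
  return { status, headers: { get: (name) => lower[name.toLowerCase()] ?? null } };
}
```

On a real page, a rejected `ChallengeRequiredError` is the signal to stop retrying the call; after the reload, read `resumeAfterChallenge` from `sessionStorage` to put the user back where they were.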