Hello there,
I have an issue where I’m looking to protect my frontend API routes with a Managed Challenge response if a user surpasses a certain request/minute threshold. The goal would be if a user surpasses something like 1000 requests/minute, CF would respond with a challenge response to verify that the user isn’t a bot.
Based on the documentation for Managed Challenge (https://developers.cloudflare.com/firewall/cf-firewall-rules/cloudflare-challenges/#detecting-a-challenge-page-response), it looks like the response type will always be text/html and the response will include a cf-mitigated: challenge header. That seems easy enough to detect, but I’m not sure how best to handle a challenge response on an AJAX call.
I’ve looked at Turnstile, but most of the frontend AJAX calls aren’t form elements and don’t have a well-defined place to show an interactive challenge.
Has anyone dealt with an issue like this?
Ideally we’re looking to
- Let users use the frontend api up until they get challenged by Cloudflare
- If they get a challenge response, we could show them a challenge in the client
- If they solve that challenge, they can continue using the site without needing to reload their page
If that’s not possible, is it possible to
- Let users use the frontend api up until they get challenged by Cloudflare
- If they get a challenge response, ask the user to reload the page to handle the challenge
- If they solve that challenge, they’re redirected back to the page they were on
Happy to elaborate, thanks for your help
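
Added example, not part of the original post and not Cloudflare's code: one way to detect the challenge on an AJAX call from the two signals mentioned above (the cf-mitigated: challenge header and the text/html content type) and hand off to the reload fallback. The names `classifyResponse`, `apiFetch`, `onChallenge` and `fakeResponse` are hypothetical, and the sample responses are constructed.

```javascript
// Classify a response using the signals named in the post. Header names are
// matched case-insensitively by headers.get(); values are normalised here.
function classifyResponse(res) {
  const mitigated = (res.headers.get('cf-mitigated') || '').trim().toLowerCase();
  if (mitigated === 'challenge') return 'challenge';
  const type = (res.headers.get('content-type') || '').toLowerCase();
  // HTML on an API route is not a challenge by itself, but it must never
  // reach the JSON parser (error pages from a proxy look like this too).
  if (!type.includes('json')) return 'unexpected';
  return res.ok ? 'ok' : 'error';
}

// fetch wrapper for the frontend API. onChallenge is supplied by the app
// (assumption), e.g. to show a "please reload" prompt as in the fallback flow.
async function apiFetch(url, options = {}, { fetchImpl = fetch, onChallenge } = {}) {
  const res = await fetchImpl(url, { credentials: 'same-origin', ...options });
  const kind = classifyResponse(res);
  if (kind === 'challenge') {
    if (onChallenge) onChallenge(url);
    const err = new Error('Cloudflare challenge returned for ' + url);
    err.code = 'CF_CHALLENGE'; // lets callers stop retrying instead of looping
    throw err;
  }
  if (kind === 'unexpected') {
    throw new Error('Non-JSON response from ' + url + ' (status ' + res.status + ')');
  }
  const body = await res.json();
  if (kind === 'error') {
    const err = new Error('API error ' + res.status);
    err.body = body;
    throw err;
  }
  return body;
}

// Constructed Response-like object for offline checks (not captured traffic).
function fakeResponse(status, headers, body = '{}') {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  return {
    status,
    ok: status >= 200 && status < 300,
    headers: { get: (name) => h[name.toLowerCase()] || null },
    json: async () => JSON.parse(body),
  };
}
```

Callers should treat `CF_CHALLENGE` as terminal for that request rather than retrying, since repeated retries only add to the request count that triggered the rule.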