How allow traffic come from specific IOS app

I have IOS app developed with web-view pages for website on Cloudflare ;
and each time when we using this ios app it’s give us challenge page.

How I allow traffic come from this app as a whitelist ?

If the app uses a particular cookie / user agent / set of IP addresses (or ASN) I would do this with a firewall rule. Just set the action to allow. See here how to create one:

in rules action there No specific Fields for IOS referer

I should mention that what I said earlier will “fix” your problem but having Cloudflare challenge your iOS app users could be hinting at other issues. Do users with the same IP receive captcha challenges of other Cloudflare protected sites? If not that you might want to check that “Under Attack Mode” is turned off and the “Security Level” is set to medium. Also check for any page rules or firewall rules that may have been set up.

Well a referer is the HTTP header from which the request originated from.

I think you mean user-agent, please note user agents can be changed (by attackers for instance) it might be best to create a unique one within the iOS app rather than the generic one from apple. Here is an example user-agent from apple safari: Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A356 Safari/604.1

Example firewall rule:
allow (http.user_agent contains "AppleWebKit")

regarding your mention; what the user agent for IOS app ?

because we can’t use WAF filter by IP, or country because it’s public ios app for public users. and “Security Level” it’s: medium

regarding your mention; what the user agent for IOS app ?

I would use (http.user_agent contains "AppleWebKit") for the WAF

Hm these challenges are usually triggered on malicious behaviour or bad IPs

relevant links:

@mishalnet How many requests does the iOS app generate ?

Asking @cloonan if he has any feedback

with each click inside ios app it’s show challenge page


I tried using : http.user_agent contains “AppleWebKit” as new Firewall rule (Operator : equal or content)

and still gives challenge page

Ah this is my fault It’s just AppleWebKit for the User Agent. The full firewall expression is (http.user_agent contains "AppleWebKit")

Do you see the Expression Preview? You can use the GUI or edit the text directly by using the Edit expression link

That is usually the cause, will look behind the scene to see what I find…

1 Like

Hi @mishalnet, I’m not seeing anything specific to your app/ios that should cause this error but will keep digging.

1 Like

I suggest you follow these steps on your iOS device to debug why captcha is popping up.

  1. Check if your IP address in
  2. Test if other Cloudflare protected sites give you captchas, , ,

Possible solutions if it’s not a Cloudflare configuration issue (your IP is in projecthoneypot or you get captchas on other Cloudflare sites as well):

  1. Make sure that your app is not clearing cookies like the Cloudflare cookie __cfduid
  2. Make sure that all devices in your network are not infected with malware or are part of a botnet.
  3. Try to get a new IP address from your ISP. Sometimes it is enough to power-cycle your router.

If you don’t get captchas on other sites and the IP is not in projecthoneypot than this is likely a configuration issue on your site. See my comment from earlier

Sourced from other forum topics, Thanks @Judge!


i added above code as new waf,
It’s Working Now without challenge page

Thank you alot


This topic was automatically closed after 31 days. New replies are no longer allowed.