How do I handle custom API requests?

Hi, I am new to cloudflare and trying to figure out if it is able to handle all of my needs before purchasing any packages.

I own a (relatively small) website, but besides the regular visitor traffic we also have interactions with paypal IPN and our own custom API (which our clients application actually uses, so this IP could in theory still be retraced by malicious users) that returns simple json messages.

How do I make sure API calls (fetching news feeds, version numbers, but also downloading certain files) actually get passed along properly?
Surely we could maybe apply some kind of filter to the CF firewall that either ignores the api subdomain or a certain user agent, but since the application is ran from the users system they could also figure out this information eventually which would still make these routes vulnerable to attacks?

I may be asking silly questions here, but I would just like to be sure theres a good way to handle this or would this require some kind of high priced plan?

What do you mean by this? I don’t think I understand what you’re concerned about.

When I visit a site that uses cloudflare, I typically get the cloudflare page first, which also (sometimes) contains a captcha.

How would I make sure that the program actually returns the api result in json and not the cloudflare page, or even worse gets stuck on the captcha?

You can customize under which circumstances challenges are issued:

What kind of challenge mode would actually suit my use case?

Because I am not able to allowlist IPs, since the API calls are coming from customer devices, the same thing goes for us User Agents, if a certain user agent (which I could specify in my code to use) gets white listed, what prevents a malicious user from intercepting this requests, checking the user agent and then performing attacks using that same user agent I white listed?

There is no “one size fits all” solution. It’s impossible to say what would be appropriate for your service without knowing any specifics.

You can go from no challenges at all to allowlisting individual clients by issuing client certificates, which you can then revoke in case of abuse.

You need to be aware that as long as you provide a publicly available service, a sufficiently dedicated attacker will always be able to start an attack on your site, to which you then need to react by refining your rules.

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.