If a request triggers a Security Level page rule, what does the response look like?

I’m looking to enable basic DDoS protection for a backend service (used by a web application and a mobile app). If I use a Page Rule to set the Security Level for a request that matches a certain pattern, and the Page Rule is triggered, what will the response look like?

I’m confused because I’ve read in several places that the response will be an interstitial webpage that the browser is meant to handle, but in my case the request is being made by an application that isn’t the browser. I just need to know what the response looks like (its shape, etc.) so I can handle it appropriately; is there a certain error code, for example, that would be returned? Thanks!

If it’s not ‘I’m Under Attack’, the response is a browser-renderable HTML page with an hCaptcha the user can fill out. The status code is 200; this is what it looks like:

If it’s ‘I’m Under Attack’, you get the I’m Under Attack page, which is different.

Ah, I see. Is that still the case if the request specifies Content-Type: application/json?

The request header you’re thinking of is Accept: application/json, but yes, CF doesn’t return a different JSON-compatible page.
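An added example, not part of the thread: one way a non-browser client can tell the HTML interstitial described in the answers from the API's own JSON, by inspecting Content-Type and the body rather than the status code. The function names and the sample responses are constructed for illustration.

```python
import json

# Constructed samples (not captured traffic): (headers, body), all imagined
# as arriving with status 200, the status the answer above reports.
SAMPLE_API = ({"Content-Type": "application/json; charset=utf-8"},
              b'{"items": [1, 2]}')
SAMPLE_INTERSTITIAL = ({"content-type": "text/html; charset=UTF-8"},
                       b"<!DOCTYPE html><html><head><title>Check</title></head>"
                       b"<body><form>captcha widget here</form></body></html>")
SAMPLE_TRUNCATED = ({"Content-Type": "application/json"}, b'{"items": [1, ')


def media_type(headers):
    """Return the lower-cased media type without parameters, or ''."""
    for name, value in headers.items():
        if name.lower() == "content-type":  # header names are case-insensitive
            return value.split(";", 1)[0].strip().lower()
    return ""


def classify_response(headers, body):
    """Return ("json", data), ("interstitial", None) or ("invalid", None).

    The status code is deliberately not consulted: a 200 cannot separate the
    interstitial from a successful API call, so the decision rests on the
    declared media type and on what the body actually starts with.
    """
    text = body.decode("utf-8", errors="replace")
    head = text.lstrip()[:64].lower()
    if media_type(headers) in ("text/html", "application/xhtml+xml") \
            or head.startswith(("<!doctype html", "<html")):
        return ("interstitial", None)
    try:
        return ("json", json.loads(text))
    except json.JSONDecodeError:
        return ("invalid", None)


if __name__ == "__main__":
    for name, sample in (("api", SAMPLE_API),
                         ("interstitial", SAMPLE_INTERSTITIAL),
                         ("truncated", SAMPLE_TRUNCATED)):
        print(name, "->", classify_response(*sample)[0])
```

A client that gets "interstitial" back should surface the condition to the user or back off instead of feeding the body to its JSON decoder or retrying in a tight loop.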

