Im total new to cloudflare, and i having trouble


#1

hi guys,

I had contacted the cloudflare support but taking a day to response, so i wanted to ask here, if anyone facing the same issue as me, im new to cloudflare service, i like their service, but somehow, dont know how, whenever i enable under attack mode, cloudflare wont allow my web application to perform HTTP POST request to my backend.

Any experienced user here please advise me how to configure it to allow my web app perform call

the http call is simple as

https://example.com -->


#2

Under Attack mode puts up a Javascript challenge. This will break automated connections that can’t process the Javascript challenge: “Note: Visitors to the site must have JavaScript and Cookies enabled to pass the interstitial page.”

The only way around this would be to whitelist your IP address, but if the web app is widely deployed, that’s not an option.

Why not lower the security threshold to “High”?


#3

because we are performing a testing, and must provide report to client that website is working fine when under attack, it might be slower but we need to prove still online.

as you mentioned, the javascript challenge, is it possible to setup in my web application to allow it pass the challenge, or anywhere to verify my web appllication itself?


#4

I can’t imagine there’s any safe way to do this. This would imply there’s a way for an external resource to trigger a security bypass.

There’s an outside chance you could set up a Worker to check for a secret access key to bypass the challenge, but I’m very new to Workers.


#5

You can enable/ disable i am under attack mode using page rules and not have it enabled for the path used for your app to post.


#6

@sdayman your suggestion are brilliant, but i never try this before, might take a look on that, for now i will adopt a simple and fast solution that @cscharff mentioned. Thanks for your advice :slight_smile:

@cscharff ok, i had set security level to “High” for certain API, it works, one thing i concern, will those APIs loss its proper DDoS security? im reading the description of “High” Security Level, im not sure the protection behavior


#7

Post requests don’t support being challenged in the way IAUM works, so the level of DDoS .protection is the best available for the method in use.


#8

I see, awesome services provided :smile: thanks for both of your helps, appreciated!


#9

This topic was automatically closed after 14 days. New replies are no longer allowed.