Js challenge not working correctly when HTTP/2 is enabled

Hey guys,

For some reason when HTTP/2 is enabled via Cloudflare in the network settings whenever we enable attack mode / Js challenge if we try and load the site as a new user in an ingoegto window after the countdown has finished it will load the site but without CSS or JavaScript.

Looking into the browser console gives the following error for each CSS / JavaScript resource

Then under that the console will give net::ERR_ABORTED 503 for each of the same CSS and JavaScript resources. We did lots of tests with random users and they all get the same issue but oddly if the HTTP/2 setting is toggled off everything seems to work just fine.

With HTTP/2 enabled the site works and loads just but if we need to enable the attack mode it will create the problem described above if HTTP/2 is toggled on.

Any feedback would be helpful as we’re running out of ideas.

Hi Sandro,

I’m going to keep our domain off the forum since we’re under pretty large attacks at moment we did work out what the issue was over the past few hours so hopefully we can get some details.

It seems like there is some kind of hard limit we’re hitting with PUSH links when we removed a few of them pages work as expected after a Js challenge but if we add them back it will fail again.

When HTTP/2 is enabled via Cloudflare are you aware of any limits to how many PUSH links can be used or if Origin settings could have any effect in this regard?

I would also be really interested in the answer to this question.
As I dont know how exactly HTTP/2 Push with CloudFlare works, but there are 2 options:

  1. CloudFlare just requests the HTML and uses the already cached CSS (or JS or whatever) file to push it within the HTML request
  2. CloudFlare requests for the Push both from the origin, HTML and CSS and just forwards/pipes the push

I would prefer option 1 as it uses the already cached file from EdgeCache and therefor not put much load to the origin. @Sean could you please update this thread if there are any limitations and if you maybe know how exactly HTTP/2 Push at CloudFlare works?

Hey M4r1n,

Oh 100% I will return with details not just for me but for Google as there is only 1 other person out there who seems to be facing this issue on Stack overflow and he just gave up and switched off HTTP/2.

I’m going to reach out to Cloudflare shortly and I will reply with the details there is some kind of limit its just not documented.

Server Push is limited to 50 assets per page and 100 per connection.



This limit is indeed poorly documented, as there are several articles on HTTP/2 Push that don’t mention it. @cloonan

Also, even within that limit, I faced issues when using Push in iOS devices, with pages going blank when I preloaded several images, so make sure you test your pages with iPad/iPhone. That happened a long time ago when I first implemented Push in a WordPress website, and IIRC I told Cloudflare support about this. So perhaps this iPad issue has been solved, perhaps it wasn’t even Cloudflare related.

1 Like

This topic was automatically closed after 30 days. New replies are no longer allowed.