I ran into a problem related to authorization via Telegram on my site, which is protected by Cloudflare. When protection is enabled (in “Flexible” or “Full” modes), authorization via Telegram does not work. However, if I disable protection, authorization is successful, but the site becomes unsafe. I use Django on the server side and JavaScript on the client side. I configured SECURE_PROXY_SSL_HEADER in Django to handle X-Forwarded-Proto headers correctly, and made sure that all API requests are made over HTTPS. Can you help me figure out why Telegram authorization doesn’t work when Cloudflare protection is enabled? Are there any additional settings that I need to take into account to ensure that authorization works correctly while maintaining protection?
What steps have you taken to resolve the issue?
I made sure that the problem is with Cloudflare, since authorization works properly with protection turned off.
When I was testing some things out, even with Telegram bot for checking the URL link preview before sharing, I’ve looked into the Security → Events at Cloudflare dashboard.
Could be you’d have to allowlist the IP or something.
You should be able to see the challenged or blocked event under the Security tab → Events at Cloudflare dashboard for your zone and know exactly which security option was triggered. Could be Managed Rules my best guess, otherwise Bot Fight Mode or Browser Integrity Check.
Once you find them, click on a particular one to find more details about it (user-agent, IP, HTTP version …). If yes, could you share some details which service was triggered that blocked you?