Context: Created a custom rate-limiting rule using CloudFlare’s Challenge page.
What I expected to happen: CloudFlare’s challenge page to display in the browser.
What actually happened: When I tested the rule I saw the rate limit trigger in Cloudflare’s metrics, and in the browser’s network tab I received a 429 status code with the Challenge page as the response. Are there additional steps that need to be taken to have the Challenge page display? I thought it was automatically served by Cloudflare.
Steps taken to fix it: Tried using Block instead of Challenge, spoke to support, and looked through documentation.
I’m unsure what the issue is. It was set to Challenge, and you said you got a 429 status code with the challenge page as the response.
Was this perhaps for an asset where a challenge response doesn’t make sense (e.g. a css or jpg file)?
Challenge works well for www.example.com/login, not so well for assets where the browser can’t discern intent or would be unlikely to override the request in a way that could render meaningfully to an end user.
Oh… no… that’s not gonna work at all. A POST request is an atomic action; the browser is neither looking for, nor willing to accept, any nonsense.
In theory you could write a Worker to temporarily write that POST data somewhere… return a response and <something something> with the original data if they did <other something something>.
Typically, POSTs are credential-stuffing related. I would suggest setting a low threshold for the first penalty (block for a minute) and a higher penalty if they exceed the next threshold in the time period.
If it’s a mobile app and you have a plan supporting it, I’d send a JSON response so the app can set a timer to know how long it’s been locked out and not display a live ‘Submit’ button again until they have cleared the penalty phase.
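The tiered penalty and JSON lockout that the reply above sketches, as an added example that is not part of the original thread and is not Cloudflare’s own code or its Rate Limiting product. It is a Workers-style fetch handler for POST /login written for Node 18+ (whose Request/Response globals match the Workers runtime). Everything specific here is an assumption made for the example: the thresholds and durations in POLICY, an in-memory Map as the counter store (a deployed Worker would use KV or a Durable Object), keying on the CF-Connecting-IP header, and an `Accept: application/json` request header as the mobile client’s signal that it wants a JSON body instead of an HTML page.

```javascript
// Added example, not Cloudflare's code. Tiered penalties for POST /login:
// a low threshold costs a one-minute block, a higher threshold in the same
// period costs a longer one. Thresholds, durations, the Map store and the
// Accept-header convention are all assumptions made for this example.

const POLICY = {
  windowMs: 10 * 60_000,        // attempts are counted over a 10-minute period
  firstThreshold: 5,            // 5th attempt in the period: block for a minute
  firstPenaltyMs: 60_000,
  secondThreshold: 15,          // 15th attempt in the period: block for 15 minutes
  secondPenaltyMs: 15 * 60_000,
};

const STATE = new Map(); // key -> { count, windowStart, blockedUntil, tier }

// Count one more attempt from `key` at time `now` and decide whether it may
// proceed. Attempts made while blocked still count, so a bot that keeps
// hammering through the one-minute block reaches the second tier, and a
// block outlives the counting window it was earned in.
function check(key, now, state = STATE, policy = POLICY) {
  let rec = state.get(key);
  if (!rec || now - rec.windowStart >= policy.windowMs) {
    rec = { count: 0, windowStart: now,
            blockedUntil: rec ? rec.blockedUntil : 0, tier: rec ? rec.tier : 0 };
    state.set(key, rec);
  }
  rec.count += 1;
  if (rec.count >= policy.secondThreshold) {
    rec.tier = 2;
    rec.blockedUntil = Math.max(rec.blockedUntil, now + policy.secondPenaltyMs);
  } else if (rec.count >= policy.firstThreshold && rec.blockedUntil <= now) {
    rec.tier = 1;
    rec.blockedUntil = now + policy.firstPenaltyMs;
  }
  if (rec.blockedUntil > now) {
    return { allowed: false, tier: rec.tier, retryAfterMs: rec.blockedUntil - now };
  }
  return { allowed: true, tier: 0, retryAfterMs: 0 };
}

function wantsJson(request) {
  return (request.headers.get('Accept') || '').includes('application/json');
}

// 429 in either form. Both carry Retry-After; the JSON form also spells out
// the lockout so an app can hide its submit button until it has elapsed.
function penaltyResponse(decision, asJson, now) {
  const retryAfterSec = Math.ceil(decision.retryAfterMs / 1000);
  const headers = { 'Retry-After': String(retryAfterSec), 'Cache-Control': 'no-store' };
  if (asJson) {
    headers['Content-Type'] = 'application/json';
    const body = {
      error: 'rate_limited',
      tier: decision.tier,
      retry_after_seconds: retryAfterSec,
      locked_until: new Date(now + decision.retryAfterMs).toISOString(),
    };
    return new Response(JSON.stringify(body), { status: 429, headers });
  }
  headers['Content-Type'] = 'text/html; charset=utf-8';
  const html = '<!doctype html><title>Too many attempts</title>' +
               `<p>Try again in ${retryAfterSec} seconds.</p>`;
  return new Response(html, { status: 429, headers });
}

// Worker entry point. `origin` stands in for fetch(request) to the backend;
// an allowed POST is forwarded with its body untouched, which is why this
// path never tries to interpose a challenge page.
async function handleLogin(request, origin, opts = {}) {
  const now = opts.now ?? Date.now();
  const state = opts.state ?? STATE;
  if (request.method !== 'POST' || new URL(request.url).pathname !== '/login') {
    return origin(request);
  }
  const key = request.headers.get('CF-Connecting-IP') || 'unknown';
  const decision = check(key, now, state);
  if (!decision.allowed) return penaltyResponse(decision, wantsJson(request), now);
  return origin(request);
}

// In a deployed Worker this object is what `export default` would expose.
const worker = { fetch: (request) => handleLogin(request, (r) => fetch(r)) };

// Client side: how long a mobile app should keep its submit button disabled
// after receiving `response`. Prefers the JSON body, falls back to Retry-After.
async function lockoutMsFrom(response) {
  if (response.status !== 429) return 0;
  if ((response.headers.get('Content-Type') || '').includes('application/json')) {
    const body = await response.json();
    return body.retry_after_seconds * 1000;
  }
  const ra = Number(response.headers.get('Retry-After'));
  return (Number.isFinite(ra) && ra > 0 ? ra : 60) * 1000;
}
```

Two design points worth noting. Counting attempts that arrive during a block is what makes the escalation work: a credential-stuffing bot that ignores the first 429 crosses the second threshold within the minute and earns the long block, while a human who waits out the minute does not. And the handler never touches the POST body on the allowed path; the only thing the limiter ever returns on its own is a 429 that both a browser and an app can interpret, which is the realistic alternative to a challenge on a POST.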