We’re using the Salesforce Service Cloud for our company’s help center and some of its internal requests are blocked. I can’t expose the actual domain, so I’ll substitute it with example.com. An example request looks like this:
https://example.com/l/%7B%22mode%22%3A%22PROD%22%2C%22app%22%3A%22c%3ASurveyAuraHandler%22%2C%22fwuid%22%3A%22QPQi8lbYE8YujG6og6Dqgw%22%2C%22loaded%22%3A%7B%22APPLICATION%40markup%3A%2F%2Fc%3ASurveyAuraHandler%22%3A%22WtLTMPrWrsQ-v-iD3BMArA%22%7D%2C%22apce%22%3A1%2C%22apck%22%3A%22IWwO2xsruDz6PdeL9BJ0YA%22%2C%22mlr%22%3A1%2C%22pathPrefix%22%3A%22%22%2C%22dns%22%3A%22c%22%2C%22ls%22%3A1%2C%22lrmc%22%3A%22533941497%22%7D/bootstrap.js?ltngOut=true
When the URL is decoded, it becomes obvious that there’s JSON in it:
https://example.com/l/{"mode"%3A"PROD"%2C"app"%3A"c%3ASurveyAuraHandler"%2C"fwuid"%3A"QPQi8lbYE8YujG6og6Dqgw"%2C"loaded"%3A{"APPLICATION%40markup%3A%2F%2Fc%3ASurveyAuraHandler"%3A"WtLTMPrWrsQ-v-iD3BMArA"}%2C"apce"%3A1%2C"apck"%3A"IWwO2xsruDz6PdeL9BJ0YA"%2C"mlr"%3A1%2C"pathPrefix"%3A""%2C"dns"%3A"c"%2C"ls"%3A1%2C"lrmc"%3A"533941497"}/bootstrap.js?ltngOut=true
Cloudflare blocks those requests, which results in HTTP 403 response codes and the Salesforce app breaks. My guess is that Cloudflare flags the URL, since having JSON in it is indeed shady.
I’ve added a “Disable Security” page rule for path example.com/l/* and the URLs are no longer flagged, but completely disabling the security features by Cloudflare sounds like a bad idea. Are there other solutions? What would be the best thing to do here?
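
When triaging the blocked-request log for this path, it helps to separate URLs that carry the JSON segment shown above from anything else under /l/. The following Python is an added example, not part of the original post: `parse_descriptor`, `classify` and `EXPECTED_KEYS` are hypothetical names, and the expected key set is an assumption taken only from the one sample URL in the post.

```python
import json
from urllib.parse import urlsplit, unquote

# Request URL copied from the post (domain already replaced with example.com there).
SAMPLE_URL = (
    "https://example.com/l/%7B%22mode%22%3A%22PROD%22%2C%22app%22%3A%22c%3ASurveyAuraHandler%22"
    "%2C%22fwuid%22%3A%22QPQi8lbYE8YujG6og6Dqgw%22%2C%22loaded%22%3A%7B%22APPLICATION%40markup"
    "%3A%2F%2Fc%3ASurveyAuraHandler%22%3A%22WtLTMPrWrsQ-v-iD3BMArA%22%7D%2C%22apce%22%3A1%2C"
    "%22apck%22%3A%22IWwO2xsruDz6PdeL9BJ0YA%22%2C%22mlr%22%3A1%2C%22pathPrefix%22%3A%22%22%2C"
    "%22dns%22%3A%22c%22%2C%22ls%22%3A1%2C%22lrmc%22%3A%22533941497%22%7D/bootstrap.js?ltngOut=true"
)

# Assumption: key set taken from the single sample in the post, not from Salesforce documentation.
EXPECTED_KEYS = {"mode", "app", "fwuid", "loaded", "apce", "apck",
                 "mlr", "pathPrefix", "dns", "ls", "lrmc"}

def parse_descriptor(url):
    """Return the JSON object embedded in /l/<json>/<file>, or None for any other shape."""
    # urlsplit keeps the path percent-encoded, so the %2F inside the JSON is not split on.
    parts = urlsplit(url).path.split("/")
    if len(parts) != 4 or parts[1] != "l":
        return None
    try:
        obj = json.loads(unquote(parts[2]))
    except ValueError:  # segment is not JSON
        return None
    return obj if isinstance(obj, dict) else None

def classify(url):
    """Label a blocked URL: 'not-descriptor', 'expected-shape' or 'unexpected-shape'."""
    obj = parse_descriptor(url)
    if obj is None:
        return "not-descriptor"
    if set(obj) - EXPECTED_KEYS:
        return "unexpected-shape"
    for key, value in obj.items():
        if key == "loaded":
            ok = isinstance(value, dict) and all(isinstance(v, str) for v in value.values())
        else:
            ok = isinstance(value, (str, int))
        if not ok:
            return "unexpected-shape"
    return "expected-shape"

if __name__ == "__main__":
    # The last two URLs are constructed for illustration.
    for u in (SAMPLE_URL,
              "https://example.com/l/%7B%22mode%22%3A%22PROD%22%2C%22x%22%3A%5B1%5D%7D/bootstrap.js",
              "https://example.com/l/help/index.html"):
        print(classify(u), u[:60])
```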