While security testing our application, we’ve temporarily added a bypass for WAF rules from select IPs.
Most requests that were being blocked are now going through as we expected, but a few are still being rejected by the “Sanity Check Service”.
What is this Service?
It appears to at least partially protect against XSS, as we’ve seen 418s with this error code returning from Cloudflare instead of 403s.
Can it be bypassed temporarily like the WAF can?