Strapi Webhook call being blocked by Bot Fight Mode

I am using Strapi (on Heroku) as a headless CMS. I am using Strapi’s webhooks feature to ping my website to clear it’s cache a get the updated data when changes are made. However this call from Heroku to my website goes through my Cloudflare proxied domain and Bot Fight Mode is blocking the request.

I tried adding a rule to WAF to skip all security stuff for requests that match but it does nothing. Bot Fight Mode also seems to say " Other security products cannot be used to skip Bot Fight Mode".

How can I allow my webhook request through Cloudflare Bot Fight Mode so my website can rebuild/clear cache and be updated with the content from Strapi CMS?

1 Like

Welcome to the Cloudflare Community!

You can’t skip Free Bot Fight Mode. Pro or above has Super Bot Fight Mode which you can skip in Custom Rules, but not free’s Bot Fight Mode. It is eventually planned to be able to skip the free version, as per the blog post: https://blog.cloudflare.com/configurable-super-bot-fight-mode/, but no ETA or more information yet.

Important considerations you need to be aware of before turning on BFM or SBFM

  • BFM and SBFM are high security features intended to quickly help customers under active attack stop as many bots as possible. Due to the high security threshold, false positives do sometimes happen.
  • BFM has limited control. You cannot bypass or skip BFM using the Skip action in WAF custom rules or using Page Rules. BFM will be disabled if there are any IP Access rules present. If you turned on BFM during an attack, and the attack has subsided, we recommend either disabling the feature using IP Access rules to bypass BFM, or looking at Bot Management for Enterprise, which gives you the ability to precisely customize your security threshold and create exception rules as needed.
    FAQ · Cloudflare bot solutions docs

You can disable it entirely, but nothing else. As per the article above, BFM is known to have false positives and more meant to be enabled when under attack and disabled otherwise.

Has anyone gotten Strapi working with Cloudflare Bot Fight on? Seems lame that the only solution is turning it off. Does Cloudflare just block all traffic from Heroku or is there some way for me to make my webook call better to avoid being flagged by Bot Fight Mode?

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.