Trying to disable security for certain API calls

Hey guys!

I want to disable security for certain API calls.

So through a page rule as below, I have disabled security for the URL.*


Note, this is the only Page Rule I have. There are no other page rules at all.

However, in the firewall events, I still see a challenge was invoked by security level, which I have already set as low.


Is there a way I can completely disable security for certain URLs? I think this is what Page Rules is for.

Am I missing something?

Yes, I have read this multiple times. But still not sure what I’m doing wrong.

  • I simply want to disable security for an API call, which I have set in the Page Rule.
  • I have made sure the URL is correct and there are no typos.
  • I have made sure I just have one Page Rule, so it does not conflict with any other.

But I still see some events where the challenge was invoked by security, even though I have completely disabled it through Page Rule.

You may need to also use the threat score there. Did you do that?

Yes, I have set it to Essentially off. But for certain API requests, I want to turn it off completely.

Isn’t this possible through Page Rules?

That would require an Enterprise plan. Why not make the APIs on a subdomain and make the record DNS only?

Yes, we’re on a subdomain for the API endpoints. However, we still need to block some requests through Cloudflare Firewall Rules.

So through Page Rules as well, without being on Enterprise Plan, it is not possible to disable security completely for certain URLs?

