Turn off "Browser integrity check" for load testing

We’re using Azure DevOps to load test a new part of our site. Unfortunately, we were seeing Cloudflare block the requests due to “Browser integrity check”. We therefore added a Firewall rule to allow requests if “AS Number” is “8075”. This appeared to work for images, but most of the HTML files still fail the Browser integrity check. Why?!

In the activity log, under “Additional matches”, I see the Allow rule which I created. It seems like it’s matching the rule, but is being overridden? Help!

Here is my comparison between a request which succeeds and which fails:

Hi @dbates,

You can turn off browser integrity check with a page rule for the part of the domain you are testing:

URL example.com/test/*
or
URL test.example.com/*

Setting: Browser Integrity Check OFF

Why isn’t the Firewall rule enough?

I tried adding an additional Firerule rule which didn’t work:

I also tried adding a Page Rule and the same thing happened:

I ran another test. The only difference I can see from Cloudflare’s JSON summary is that Azure used a different User Agent. Why would that trump our Firewall rule?

I don’t know. The order in which multiple CF protections are run is not very clear to me. My guess is that, being a zone-wide setting, BIC would take precedence and be applied before individual rules.

As for your page rule, the Browser Integrity Check must be switched to OFF (I’d assume you did it, just mentioning because your screen shot shows otherwise)

And of course you can always turn BIC off altogether (for the duration of your test) on the Firewall > Settings tab.

Yeah, I did fix the On/Off switch on the page rule.

I’d rather not have to turn off BIC altogether during testing, although I have confirmed that when I do that, I don’t get any failures in my load test.

Apparently, these firewall rules allow for whitelisting of requests through other created firewall rules and not any of the managed rulesets, the BIC or Rate Limiting.

Therefore, in order to get this to work, you have to go to “Firewall” -> “Tools” and whitelist the ASN.

2 Likes

Thanks for helping

This topic was automatically closed after 30 days. New replies are no longer allowed.