Dear @dev99,
Cloudflare Under Attack Mode should always be disabled, and only enabled in case you or your System Administrator identify any abnormal activity on your server, for example large packets.
In general, Cloudflare’s Firewall, when Under Attack mode is enabled, is a sophisticated firewall that will try to protect your site in any possible way. That means that, to protect your API, it will sacrifice some functionality so it can provide you 100% DDoS mitigation, and that’s why, IMHO, it should be disabled.
Now, if you want to protect your API, by which I believe you most probably mean your backend, then you can create some custom rules, as explained before.
You should analyze every request that your API - Backend does, and play with the rules.
Docs are here:
I want to add an important note here:
In case Attack mode is ON, that doesn’t automatically mean that Cloudflare’s firewall will reject every request.
In more detail, every request passes through the firewall and gets checked more extensively; if it is a malicious redirect, the firewall can reject/mitigate it, or it will get asked to solve a challenge or CAPTCHA.
However, we have sometimes seen that a client’s browser or APIs can POST multiple and/or “weird” requests that the firewall, to prevent them, will challenge (because of the rules, OWASP and other custom rules).