Under attack mode prevent api request

When I enable the Under attack mode, I found the frontend of our website is fine, which show the protect page before the real page. But all api requests are prevented which make our website is down in fact.

Any suggestions? How can I debug the API request under the attack mode without enable under attack mode?

Thanks very much.

Hey @dev99,
I’m trying to understand, what are you trying to succeed.
As the name suggests Under attack mode is an Advanced DDoS protection

Cloudflare Under Attack Mode performs additional security checks to help mitigate Layer 7 DDoS attacks.

That means all of your API requests will get prevented (by challenge or Captcha) as explained in the article .

Have a look in the Firewall rules


Hi @StefanoWP,

Thanks for your kindly reply. I also see the Security Level info in the firewall > settings > Security Level > help, which have a note tip.

Note: I’m Under Attack! may affect some actions on your domain. For example, it may block access to your API. You can set a custom security level for any part of your domain using Page Rules.

Just to make sure:

  • If our frontend and backend are separated with each hostname protected by Cloudflare proxy, once I enable I’m Under Attack mode, our backend must be blocked to access for there is no way to pass a challenge for backend.

  • If I want to make our separated backend can be accessed in I’m Under Attack mode, I need add relative page rule to implement it. (If this is right, I think it’s not recommend for protecting DDoS attack.)

Am I right?
Thank you very much.

Dear @dev99 ,
Cloudflare Under Attack Mode should be always disabled, and only enabled in case that you, or your System Administrator identify any abnormal activity in your server for example large packets.
In general, CloudFlare’s Firewall when Under Attack mode is enabled, is a sophisticated firewall that, will try to protect your site with any possible way. That means, to protect your API, will sacrifice some functionalities, so can provide you 100% DDoS mitigation, and that’s why IMHO, should be disabled.

Now, if you want to protect your API, which I believe most probably you mean your backend, then you can create some custom rules, as explained before.
You should analyze every request that your API - Backend do, and play with the rules.
Docs are here:

I want to add n important note here,
In case that Attack mode is ON, that doesn’t automatically mean that CloudFlare’s firewall will reject every request.
With more details, every request passing through the firewall more extensively and get checked, if it is a malicious redirect, FireWall can reject-mitigate, or will get :asked: to solve a challenge or CAPTCHA.
However, we have seen some times client’s browser or API’s can POST multiple and or “weird” requests, that the firewall, to prevent, will challenge them (because of the rules, OWASP and other custom rules).


Hi @StefanoWP,

Thanks so much for your detailed explanation and reference. I will read the docs more carefully.

Best wishes.

1 Like

This topic was automatically closed after 30 days. New replies are no longer allowed.