Under Attack Mode strips CORS headers

It looks like when I’m in “under attack mode”, Cloudflare is scrubbing the CORS headers. Is there a way to this particular aspect of Under Attack Mode off? My react app needs CORS to function, but we are getting DDoSed so a more robust solution that involves CORS and Cloudflare is in order. Any suggestions? I’m a bit new to security administration, so commentary is welcomed!

For a fresh under attack page, CORS wouldn’t matter since the XHR/fetch the browser does wouldn’t be able to solve the browser challenge anyways.

In terms of “load domain example.com -> XHR/fetch to example.com/api”, the under attack challenge should already be solved, and so the request shouldn’t be blocked (assuming cookies aren’t being meddled with).

If you want to disable it for a certain page/route/subdirectory, you can create a page rule that sets the security level to high and UAM won’t trigger.