When trying to install composer packages from inside Github Codespaces, the request gets flagged by Bot Fight Mode. The same request when performed locally is successful.
Is there a rule we can define where requests to a specific resource(s) from *.github.dev are allowed?
Unfortunately Github doesn’t publish IP ranges for Codespaces, and apparently they could be any address Github has, rather than a fixed range, so you would have to allow a pretty big chunk of addresses that would probably be more than you want. For example, their list of IP ranges and uses doesn’t mention Codespaces at all.
I’m not even sure you can yet bypass Bot Fight Mode by IP anyway. It’s really not meant to be something you leave turned on all the time. So it may be necessary to disable it to do what you want.
I leave it enabled on client WordPress sites without issue. 
The published position in the Cloudflare Docs is:
If you find that Bot Fight Mode is causing problems with your application traffic, you may want to disable it.
Same, I think it’s better to leave it on, unless there’s some kind of a lighter weight method of at least stopping scripted requests.
Ideally we would have a configurable seecret request header key management, to bypass security layers. But perhaps it’s a processing speed concern at scale?
This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.