WAF managed rules asking for captcha instead of completely blocking API requests

I have enabled OWASP rules on my website and set the action to “Block”.

In an attempt to test the XSS rule, I sent a POST to the API with JavaScript in the form. Instead of blocking the request completely, Cloudflare presents a reCAPTCHA as a response to the API call.

In order to isolate the issue to the Cloudflare WAF, I disabled the WAF and resent the payload, and this time the backend actually accepted that request. Is there anything I can do to completely block requests when a rule gets triggered?

