Hi,
I’m having an issue with OWASP firewall rules. I set Sensitivity to High and some requests are Challenged because the total score was exceeded.
For normal requests (entering the site directly from the browser, I guess) Sensitivity level scores are more strict (a lower score triggers the action) than for Ajax requests. This is based on the CF docs, which you can see here: https://support.cloudflare.com/hc/en-us/articles/200172016 (search for “The sensitivity score required to trigger the WAF for a specific Sensitivity is as follows”)
I have an example request blocked with score 28, which should trigger the OWASP WAF rule for normal requests, but not for Ajax ones:
Just to clarify the situation: the request is sent to our JSON-based REST API on a different subdomain than the website which uses this API: website - www.example.com, API - backend.example.com.
How does Cloudflare distinguish Ajax from non-Ajax requests, and what is the possible reason it doesn’t recognize ours as Ajax ones?