Webcron.org being challenged

What is the name of the domain?

freakmusic.co.uk

What is the error message?

Just a moment…

What is the issue you’re encountering

We use webcron.org to call a script on our site at a certain time every day, however, we can see from the logs that Cloudflare has started challenging these calls and returning 403 error codes. This started when we attempted to create a custom rule to block some bad Ai bots. We have since turned this rule off, however, Cloudflare is still blocking those calls from webcron.org. We therefore added a custom rule to skip everything if the full URI matched the scripts being called but Cloudflare is still returning 403 and hitting webcron.org with a challenge. How can we allowlist these calls and allow them through?

What steps have you taken to resolve the issue?

We tried deactivating the WAF rules we added but Cloudflare is still challenging that traffic.

What are the steps to reproduce the issue?

Here is the truncated header in the log file from Webcron.org (they limit it to 255 characters)

[{"result":{"version":"HTTP/2","code":403,"reason":""},"date":"Fri, 23 May 2025 07:00:08 GMT","content-type":"text/html; charset=UTF-8","content-length":"7279","accept-ch":"Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA","cf-mitigated":"challenge","critical-ch":"Sec-CH-UA-Bitnes

Check your security event log for the reason that the request was challenged and then you can adjust rules as needed to allow it…
https://dash.cloudflare.com/?to=/:account/:zone/security/events

1 Like

Thanks for the advice. The rule description is showing as “manage definite bots” but I don’t see that anywhere in the settings and it’s certainly not a custom rule that I’ve added. Any idea where this rule is set? I tried adding a custom rule to skip all other rules for calls to the script in question. Cloudflare is making it look like this successfully allows the calls through but it’s still hitting them with the 403 challenge.

1 Like

Check under Super Bot Fight mode (I assume you are on a paid plan from the IP addresses), you can try skipping SBFM if that’s the trigger…

Thanks for the suggestion. Super Bot Fight Mode wasn’t enabled but when I clicked through to customise settings, “Javascript Detection” was enabled, which is where the “manage definite bots” rule was coming from. I was then able to add a new WAF custom rule to skip all Super Bot Fight Mode rules for traffic coming from webcron and that is now working.

This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.