Production Users Getting cf-mitigated header

Hi, some of our users are getting the cf-mitigated = "challenge" header. My understanding is that they must complete a challenge to get the cf_clearance and then they can proceed. The problem is, it doesn't seem like there is any documentation on how to actually do this. The official docs (shown in the screenshot) don't go into any details on how to actually "handle" the challenge on the client. https://developers.cloudflare.com/waf/reference/cloudflare-challenges/
Challenges · Cloudflare Web Application Firewall (WAF) docs
When a website is protected by Cloudflare, there are several occasions when it will challenge visitor traffic:
3 Replies
Erisa (5mo ago)
The Cloudflare Blog
Integrating Turnstile with the Cloudflare WAF to challenge fetch re...
By editing or creating a new Turnstile widget with “Pre-Clearance” enabled, Cloudflare customers can now use Turnstile to issue a challenge when a page’s HTML loads, and enforce that all valid responses have a valid Turnstile token. They can then write a Cloudflare WAF rule to challenge all requests to their API. The Cloudflare WAF will check fo...
justjumper (5mo ago)
Ahh thanks! How does this work with a separate domain though? In our case, the site is www.<site>.com but the API is api.<site>.com. So the OPTIONS request fails before it even has the chance to send the cf_clearance cookie. This issue is noted here: https://developers.cloudflare.com/waf/reference/cloudflare-challenges/#cross-origin-resource-sharing-cors-preflight-requests, though there is no solution provided.
Metriusz (5mo ago)
For the CORS headers, you can set up a transform rule to modify those in the response
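
An added example, not part of the thread and not Cloudflare's code: a fetch wrapper that detects the `cf-mitigated: challenge` response header discussed above, hands control to the page so the visitor can complete the challenge, and retries once. `fetchWithChallengeCheck`, `onChallenge` and `makeStubFetch` are hypothetical names, and the stub responses are constructed.

```javascript
const CHALLENGE_HEADER = "cf-mitigated";

// True when Cloudflare returned a challenge page instead of the API response.
// Cross-origin, scripts can read this header only if the response lists it in
// Access-Control-Expose-Headers; a challenge response without CORS headers
// makes fetch() reject instead, so that case never reaches this check.
function isChallenged(response) {
  return response.headers.get(CHALLENGE_HEADER) === "challenge";
}

// onChallenge is a hypothetical callback supplied by the page, for example one
// that shows a Turnstile widget with pre-clearance and resolves once the
// visitor has passed it. fetchImpl is injectable so the flow runs offline.
async function fetchWithChallengeCheck(url, options, onChallenge, fetchImpl = globalThis.fetch) {
  // credentials: "include" makes the browser send cookies (such as
  // cf_clearance) on cross-origin requests as well.
  const opts = { credentials: "include", ...options };
  let response = await fetchImpl(url, opts);
  if (!isChallenged(response)) return { response, challenged: false };

  await onChallenge(response);           // the visitor completes the challenge here
  response = await fetchImpl(url, opts); // single retry, never a loop
  if (isChallenged(response)) {
    throw new Error("still challenged after retry: " + url);
  }
  return { response, challenged: true };
}

// Constructed stub: answers with a challenge until state.cleared is set.
function makeStubFetch(state) {
  return async (url, opts) => {
    state.calls.push(opts.credentials);
    const challenged = !state.cleared;
    return {
      status: challenged ? 403 : 200,
      headers: {
        get: (name) => (challenged && name === CHALLENGE_HEADER ? "challenge" : null),
      },
    };
  };
}
```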