Putting API behind under attack mode makes it unusable from the frontend as CF blocks requests

I put my frontend and api on under attack when i was being ddos and, but when fetching my api from the frontend my requests get blocked. Can i do something like relative clearance? For example, if my the user has already verified on the frontend can I let them use the api

zinc•5/27/24, 10:21 PM

@Paradox_77 host the api under same domain. like instead of api.xnxx.comapi.xnxx.com use xnxx.com/api/xnxx.com/api/ so cookie persists otherwise it won't since they are two different names

Zzinc @Paradox_77 host the api under same domain. like instead of `api.xnxx.com` use `...

Paradox_77OP•5/28/24, 2:18 AM

Ah alright, that's a great idea thanks

Zzinc @Paradox_77 host the api under same domain. like instead of `api.xnxx.com` use `...

Paradox_77OP•5/29/24, 7:14 AM

I did this but my web app can cache itself for a long time

Paradox_77OP•5/29/24, 7:14 AM

so how long does the cf clearance live for?

PParadox_77 so how long does the cf clearance live for?

Rowin•5/29/24, 7:15 AM

Configurable, 30 minutes by default

RRowin Configurable, 30 minutes by default

Paradox_77OP•5/29/24, 7:16 AM

Where can i configure that

Rowin•5/29/24, 7:17 AM

Under security -> settings

Rowin•5/29/24, 7:17 AM

Challenge Passage

RRowin Challenge Passage

Paradox_77OP•5/29/24, 7:19 AM

okay

, but the cookie sets for 1 year?

Paradox_77OP•5/29/24, 7:20 AM

Rowin•5/29/24, 7:39 AM

Yeah that's normal, but it's only valid for the time you configured

RRowin Yeah that's normal, but it's only valid for the time you configured

Paradox_77OP•5/29/24, 7:39 AM

ah i see

Paradox_77OP•5/29/24, 7:39 AM

so i'd have to set my web app to only cache for 30 mins cuz then the browser would serve cached data but the token would be invalid

Rowin•5/29/24, 7:48 AM

Is it a SPA?

RRowin Is it a SPA?

Paradox_77OP•5/29/24, 7:49 AM

yes

Rowin•5/29/24, 7:55 AM

It's probably a good idea to browser cache for no longer than the passage time then yeah

Rowin•5/29/24, 7:56 AM

UAM runs before Cloudflare's cache though, so you can cache on Cloudflare for longer

RRowin UAM runs before Cloudflare's cache though, so you can cache on Cloudflare for lo...

Paradox_77OP•5/29/24, 7:57 AM

ah perfect, ill cache for 15 minutes on the client and cache it on cloudflare edge cache

Paradox_77OP•5/29/24, 7:57 AM

thank you so much for helping me with this

Rowin•5/29/24, 8:01 AM

And I'd set the passage time to 8 hours maybe

Rowin•5/29/24, 8:01 AM

Since SPAs use client side navigation

RRowin And I'd set the passage time to 8 hours maybe

Paradox_77OP•5/29/24, 8:08 AM

ah but my api gets scraped alot, like 2m+ requests a day and i estimate over 10% of them are bots

Paradox_77OP•5/29/24, 8:09 AM

so they'd just need to solve a captcha manually or through a service and then they have access for 8 hours before they need to do that all over again

PParadox_77 so they'd just need to solve a captcha manually or through a service and then th...

Rowin•5/29/24, 8:14 AM

The alternative (I think) is that your SPA will break after the token expires, and your users will be forced to manually refresh, because client side navigations don't trigger the UAM page of course

Rowin•5/29/24, 8:15 AM

I suppose inside your SPA you could detect the response code that the UAM page sends and trigger a refresh, but that's probably bad UX

RRowin The alternative (I think) is that your SPA will break after the token expires, a...

Paradox_77OP•5/29/24, 8:16 AM

yes thats whats happening now, but i dont really like that

RRowin I suppose inside your SPA you could detect the response code that the UAM page s...

Paradox_77OP•5/29/24, 8:17 AM

thats what i thought, my SPA only contacts the api in the first quarter of the user's visit (so if they use it for 3 hours, all the api stuff will be done by the 20th min)

Paradox_77OP•5/29/24, 8:18 AM

but then if the try to access the api again without reloading it'll be a disaster cuz then id have to reload

Rowin•5/29/24, 8:23 AM

Yep

Rowin•5/29/24, 8:25 AM

Perhaps you could implement Turnstile yourself, so it nicely integrates with your SPA

RRowin Perhaps you could implement Turnstile yourself, so it nicely integrates with you...

Paradox_77OP•5/29/24, 8:33 AM

I already have turnstile

Paradox_77OP•5/29/24, 8:33 AM

Turns out it's easy to make turnstile tokens

Paradox_77OP•5/29/24, 8:33 AM

It just takes 15 seconds

Rowin•5/29/24, 8:36 AM

Well... UAM uses Turnstile too iirc, right?

RRowin Well... UAM uses Turnstile too iirc, right?

Paradox_77OP•5/29/24, 8:41 AM

yes but its managed turnstile or something afaik

Paradox_77OP•5/29/24, 8:41 AM

what i use is invisible turnstile

Paradox_77OP•5/29/24, 8:41 AM

i cant make everyone wait for a captcha just to access it, that'd degrade UX too much

Paradox_77OP•5/29/24, 8:43 AM

well i suppose i can only turn it on when needed

Paradox_77OP•5/29/24, 8:43 AM

but its not perfect

PParadox_77 yes but its managed turnstile or something afaik

Rowin•5/29/24, 9:14 AM

But detection-wise it's pretty much the same, I think

RRowin But detection-wise it's pretty much the same, I think

Paradox_77OP•5/29/24, 9:29 AM

ah alright, ill give that a go tbh

Paradox_77OP•5/29/24, 9:30 AM

do you mind if i msg you later on if i need any assistance?

Rowin•5/29/24, 10:04 AM

Feel free

Paradox_77OP•5/29/24, 6:59 PM

Okay i tried doing that but i get this, im using react-turnstile

Paradox_77OP•5/29/24, 6:59 PM

TurnstileError: [Cloudflare Turnstile] Invalid or missing type for parameter "sitekey", expected "string", got "object"

Paradox_77OP•5/29/24, 6:59 PM

even though i have configured it properly

Putting API behind under attack mode makes it unusable from the frontend as CF blocks requests

Similar Threads

Similar Threads

Similar Threads