Project is blocked by WAF - 403 Forbidden on Preflight and CORS Error

Hello,

I have identified a critical block on my project. My auth.signUp function is being blocked at the network level. This is not a configuration issue.

When my website attempts to sign up a user, the browser's preflight OPTIONS request to auth/v1/signup is receiving a 403 Forbidden status code.

This results in a full CORS block in the browser, even in a clean Incognito window. I have already confirmed my URL Configuration settings are correct.

This 403 Forbidden response strongly indicates that my domain/IP has been automatically blocklisted by your Web Application Firewall (WAF) due to extensive (but legitimate) testing.

My project is completely blocked. Anyone have experience, or can help with this?

Thank you.

garyaustin•11/8/25, 1:02 PM

I'm skeptical you are being blocked. Supabase has not IP specific blocking other than DDOS attack from cloudflare.

You might cover a bit more on how you are making this call?
I assume it does not show up in the API Gateway logs.
Was it working and then stopped?

Ggaryaustin I'm skeptical you are being blocked. Supabase has not IP specific blocking othe...

Frankie RosenbergOP•11/8/25, 3:28 PM

Hello @garyaustin

Thank you for the quick reply. I understand this is a very strange issue. While it may not be a manual IP block, the evidence from the browser's network console is undeniable, and it points to an automated block.

The Undeniable Evidence: 403 Forbidden on Preflight Request
To be clear, the root of the problem is not a simple CORS misconfiguration. In a clean Incognito window, the browser's OPTIONS preflight request to auth/v1/signup is receiving a 403 Forbidden status code.

Because this preflight request is being actively forbidden by the server, the browser never receives the Access-Control-Allow-Origin header and subsequently reports a CORS error. The CORS error is the symptom; the 403 Forbidden is the cause.

How the Call Is Being Made
To answer your question, I am using the standard supabase.auth.signUp method from the official supabase-js library. The call is made inside a standard event listener. Here is the exact code block:

 if ($('btnSignup')) {
    $('btnSignup').addEventListener('click', async (e) => {
        e.preventDefault();

        const email = $('signupEmail').value.trim();
        const password = $('signupPass').value;
        // ... gather other form data

        try {
            const { data, error } = await supabase.auth.signUp({
                email,
                password,
                options: { 
                    data: { 
                        is_customer: isCustomer, 
                        is_supplier: isSupplier, 
                        is_admin: false 
                    } 
                }
            });

            if (error) {
                console.error("Supabase API Error:", error);
                alert("An API error occurred: " + error.message);
            } else {
                alert('Account created successfully!');
            }
        } catch (exception) {
            console.error("A critical low-level exception was caught:", exception);
        }
    });
}

 if ($('btnSignup')) {
    $('btnSignup').addEventListener('click', async (e) => {
        e.preventDefault();

        const email = $('signupEmail').value.trim();
        const password = $('signupPass').value;
        // ... gather other form data

        try {
            const { data, error } = await supabase.auth.signUp({
                email,
                password,
                options: { 
                    data: { 
                        is_customer: isCustomer, 
                        is_supplier: isSupplier, 
                        is_admin: false 
                    } 
                }
            });

            if (error) {
                console.error("Supabase API Error:", error);
                alert("An API error occurred: " + error.message);
            } else {
                alert('Account created successfully!');
            }
        } catch (exception) {
            console.error("A critical low-level exception was caught:", exception);
        }
    });
}

Frankie RosenbergOP•11/8/25, 3:28 PM

What We Have Already Ruled Out
We have exhaustively ruled out all common client-side and configuration issues:

CORS/URL Configuration: My settings in Authentication -> URL Configuration are correct and include both https://biddr.no and https://www.biddr.no.

Client-Side Code: The code correctly uses e.preventDefault() and the Supabase JS library as documented.

API Keys: The correct anon key is being used.

Backend Functionality: The inviteUserByEmail function works correctly, proving my SMTP settings are fine and that the server can send emails. The block is specific to the anonymous signUp context.

Rate Limits: My project is nowhere near its hourly email quota, which points to a stricter, automated "burst" or "security" limit.

My Hypothesis
The 403 Forbidden response strongly suggests that an automated security layer (like the Cloudflare WAF you mentioned) has incorrectly flagged my domain/IP for the repeated (but legitimate) testing I performed while debugging.

Could you please advise on how to get this 403 Forbidden block investigated by the infrastructure team? The evidence points to something beyond my control as a developer and is completely blocking my project's launch.

garyaustin•11/8/25, 3:45 PM

I seriously doubt you are being blocked by security.
But there is nothing anyone here can do if you are.
Contact support thru the feedback tab is the only way to get hold of the Supabase team.

garyaustin•11/8/25, 3:45 PM

Did this work at one time?

garyaustin•11/8/25, 3:46 PM

DDOS would not trigger for events a minute type stuff.

garyaustin•11/8/25, 3:47 PM

403 forbidden could be APIkey not being correct for the instance.
Do you see anything in the API Gateway log of the dashboard?

Frankie RosenbergOP•11/8/25, 3:48 PM

Yes, it worked perfectly before. The 403 Forbidden errors began immediately after I started making rapid DNS changes (adding/removing TXT and MX records) to configure a custom SMTP provider (one.com, then Resend).

garyaustin•11/8/25, 3:49 PM

Are you using a supabase custom domain?
Otherwise what do those have to do with your Supabase instance receiving an http request.

garyaustin•11/8/25, 3:53 PM

Also check your Auth dashboard log for signup.
Did the Gateway API log have the signup?

Frankie RosenbergOP•11/8/25, 4:01 PM

I have checked the API Gateway logs in the dashboard as you requested. The logs show successful 200.

The user account is created successfully, but the final step of sending the confirmation email is being blocked.

garyaustin•11/8/25, 4:01 PM

So the auth log shows an email error?

garyaustin•11/8/25, 4:03 PM

If so then your SMTP settings with SB or your provider (as you mentioning changing DNS in that context) are likely wrong and getting the error communicating with the provider.

Not sure how that would flow back to a CORs error though in your app especially if you see a 200 return on the /signup endpoint.

Frankie RosenbergOP•11/8/25, 4:26 PM

Thank you. After some testing, I have a summary of the issue.

I did see a 200 OK on a sign-up once, but it was a temporary anomaly. The persistent issue is a server-side block.

The core evidence is this:
When I attempt a sign-up and receive a 403 Forbidden error in my browser's network tab, nothing appears in the API Gateway log at all. The request is completely missing.

This proves the 403 block is happening at a network layer in front of the API Gateway, which points directly to a WAF or a similar edge security rule. The Supabase application itself never even sees the request by the looks of it.

garyaustin•11/8/25, 4:28 PM

You could try a VPN and/or Postman/Curl to double check.
But with the info you have so far not much for anyone to help with here.
I've not heard of a block before in normal use.

Frankie RosenbergOP•11/8/25, 4:42 PM

Thanks for the suggestion to use curl. I ran the test, and its not a Supabase API error at all; it's a Cloudflare block page.
The curl command didn't return JSON. It returned a full HTML page with the title:
<h1>Sorry, you have been blocked</h1>
This proves the request is being stopped by a WAF before it even reaches Supabase. It seems my earlier DNS changes and testing must have triggered an automated security rule.
Any idea what my next steps should be to get this WAF block removed? I'm completely stuck until this is lifted. Thanks for your help

garyaustin•11/8/25, 4:46 PM

Is this just your development environment?
If so can you use a VPN for now or is this coming from serverside code.
As I said not really seen a Cloudflare block before myself.

garyaustin•11/8/25, 4:46 PM

You should also file a support request in the mean time.

garyaustin•11/8/25, 4:48 PM

Not exactly your case...
https://github.com/supabase/supabase-js/issues/987

garyaustin•11/8/25, 4:51 PM

Cloudflare Blocking All Signup/Login Requests

Frankie RosenbergOP•11/8/25, 4:53 PM

Nice, thank you I will look at it. A ticket was opened a few days ago actually, just did not get any reply.

Frankie RosenbergOP•11/8/25, 9:17 PM

@garyaustin Thank you so much for your help and for that GitHub link.

Just to close the loop: I went ahead and built the Edge Function workaround. The crazy part is, the network is blocking the call to the Edge Function too. My curl requests to the function also time out with no response, and nothing ever hits my function logs.

It looks to be a network-level block. I am just going to wait for a response from support. Would you know if its rare if they priorities free accounts? Appreciate all your help!

garyaustin•11/8/25, 9:20 PM

My observation is it will be luck of the draw on how you describe your issue and its impact if they get to it "quickly" which will still be days most likely, especially over a weekend.

Did you try a VPN to see if it is your IP?
I still don't understand how a domain you have would be involved with a cloudflare block especially if doing curl which is from your local device/network.

if ($('btnSignup')) { $('btnSignup').addEventListener('click', async (e) => { e.preventDefault(); const email = $('signupEmail').value.trim(); const password = $('signupPass').value; // ... gather other form data try { const { data, error } = await supabase.auth.signUp({ email, password, options: { data: { is_customer: isCustomer, is_supplier: isSupplier, is_admin: false } } }); if (error) { console.error("Supabase API Error:", error); alert("An API error occurred: " + error.message); } else { alert('Account created successfully!'); } } catch (exception) { console.error("A critical low-level exception was caught:", exception); } }); }

Project is blocked by WAF - 403 Forbidden on Preflight and CORS Error

Similar Threads

Similar Threads

Similar Threads