Mobile App API getting 503 errors despite Skip rule matching - Bot Fight Mode disabled
Hi everyone,
I'm experiencing persistent 503 errors when my React Native mobile app (Expo SDK 54) tries to access my API endpoints through Cloudflare (specifically after authentication). I'm on the Free plan.
Setup:
Domain proxied through Cloudflare
Backend with Django API on Nginx, running via Cloudflare Tunnel
Mobile app in React Native (Expo) using Axios for HTTP requests
Custom header sent: X-Client-Type: mobile
What I've tried:
Created a custom WAF rule to skip protections:
Expression:
(any(http.request.headers["x-client-type"][*] eq "mobile"))
Action: Skip (all WAF components selected)
The rule seems to work, I can see it in security events with action "Skip" but it doesn't solve the problem.
Completely disabled "Bot Fight Mode" (although "JS Detection: On" still shows)
The User-Agent header is displayed correctly in events, but despite the Skip rule matching and Bot Fight Mode being disabled, I still get 503 errors with Cloudflare's JS challenge script in the response body:
<script>...window.__CF$cv$params...'/cdn-cgi/challenge-platform/scripts/jsd/main.js'...</script>
Questions:
What should I do? What could be the problem?
Is there another Cloudflare component that could still be blocking mobile app requests?
Is "JS Detection: On" the issue? I can't find a way to disable it separately.
The same API works perfectly from web browsers. Only the mobile app (which can't execute JS challenges) is affected.
Any help would be greatly appreciated!
I'm experiencing persistent 503 errors when my React Native mobile app (Expo SDK 54) tries to access my API endpoints through Cloudflare (specifically after authentication). I'm on the Free plan.
Setup:
Domain proxied through Cloudflare
Backend with Django API on Nginx, running via Cloudflare Tunnel
Mobile app in React Native (Expo) using Axios for HTTP requests
Custom header sent: X-Client-Type: mobile
What I've tried:
Created a custom WAF rule to skip protections:
Expression:
(any(http.request.headers["x-client-type"][*] eq "mobile"))
Action: Skip (all WAF components selected)
The rule seems to work, I can see it in security events with action "Skip" but it doesn't solve the problem.
Completely disabled "Bot Fight Mode" (although "JS Detection: On" still shows)
The User-Agent header is displayed correctly in events, but despite the Skip rule matching and Bot Fight Mode being disabled, I still get 503 errors with Cloudflare's JS challenge script in the response body:
<script>...window.__CF$cv$params...'/cdn-cgi/challenge-platform/scripts/jsd/main.js'...</script>
Questions:
What should I do? What could be the problem?
Is there another Cloudflare component that could still be blocking mobile app requests?
Is "JS Detection: On" the issue? I can't find a way to disable it separately.
The same API works perfectly from web browsers. Only the mobile app (which can't execute JS challenges) is affected.
Any help would be greatly appreciated!
