Cloudflare WAF
Hello, I am curious if this is possible with Cloudflare WAF as one of my competitors does this. Whenever you visit their API directly (ex. https://api.domaingoeshere.com) it issues a Managed Challenge, but if you send a request from the front-end, such as when you're loading a page and it sends a request to get information to load, such as our customer count, it won't issue a managed challenge.
17 Replies
Well, I'm wondering how to do it, sorry if I was not specific
I could use headers to detect if you're logged in to the API but that'd be spoofable
I mean it is possible, just in a way where it's secure.
My first guess is headers, but that's spoofable
My second guess is using the CF API?
@Joe Swanson If what you're saying is you'd like to issue a Managed Challenge for whenever someone accesses https://api.domaingoeshere.com, you could do that via the Cloudflare WAF:
This would only trigger when a user tries to access that exact URI.
Of course, this wouldn't stop a user from accessing a different URI without having to resolve the Managed Challenge.
Would this only issue if they visit from typing it in their browser rather than in our front end code for example?
Yes, as long as they type in "https://api.domaingoeshere.com/" exactly, without adding anything at the end of the URI.
If you need to make that same request from your front end code, then this would not work.
In any case, it is always good practice to ensure that the API backend code is safe and as free of vulnerabilities as possible, given that a malicious actor could easily circumvent the Managed Challenge. If you're worried about getting DDoS'd, a rate limit rule in the WAF would be a pretty good solution.
Rate limiting on Cloudflare is really restrictive on Free, to a point where it isn't ideal for an API
I do not plan on paying just for ratelimiting and extra analytics
Most of Pro's features are bs
Yeah, it's a bit of a shame. Perhaps something could be done with Workers, but then again, you'd probably hit a limit pretty early on without a paid plan.
From what I've read, in order to implement a decent rate limiting system with Workers you would need Durable Objects, which is a paid feature, so I guess that is out of the question.
Though you wouldn't need to subscribe to Pro, you would just need the paid Workers plan, which is $5 plus overages.
CF Pro isn't worth it as its only features that improve protection won't help
CF Filtering is really ass
Its leakage is massive
Any way that a browser can request your API can be replicated in any automated tooling.
Headers are less reliable.
This would be more to stop skids.
The people DDoSing me won't modify their net
🤷‍♂️
They'll use some skidded method with a decent chunk of power
If 100k RPS leaks, I believe my origin could handle it.
Resource wise especially
Anyone know how I can make it so on the header variable I can have it check if the value is an integer
Mhm, I do not see your point though, the same applies for anything you configure in WAF?
Anything CF makes can be bypassed
The point is to configure it in a custom way for your site
and the chances they will reverse engineer it are low
Who'd put that much effort
Perhaps I could use Cloudflare API to challenge specific requests?
or nah
I do not believe this would do the functionality I want, but we'll see.
What would you do that isn't as simple as them looking at the request in DevTools & just doing that in any tooling of their choice?
A browser is probably the worst thing you can try to secure as far as subrequests go.
This seemed to work, I do not receive any challenges/errors when I try to log in through the dashboard, but if I go to the API it'll challenge me
Nice
Is there any difference between Managed Challenge, non-interactive challenge and JS Challenge?
there are big differences, yeah. TL;DR would be Managed Challenge is generally the one you want, it's super smart and picks the right challenge to use for you based on request characteristics:
https://developers.cloudflare.com/fundamentals/get-started/concepts/cloudflare-challenges/#managed-challenge-recommended
nope
Already aware.
hCaptcha was a better system than Turnstile though 😦
Legit cannot find out how to challenge requests coming to my API and not from my front-end without causing CORS issues.