Production Users Getting cf-mitigated header

Hi, some of our users are getting the cf-mitigated = "challenge" header. My understanding is that they must complete a challenge to get the cf_clearance and then they can proceed. The problem is, it doesn't seem like there is any documentation on how to actually do this. The official docs (shown in the screenshot) don't go into any details on how to actually "handle" the challenge on the client. https://developers.cloudflare.com/waf/reference/cloudflare-challenges/
Challenges · Cloudflare Web Application Firewall (WAF) docs
When a website is protected by Cloudflare, there are several occasions when it will challenge visitor traffic:
No description
3 Replies
Erisa
Erisa11mo ago
The Cloudflare Blog
Integrating Turnstile with the Cloudflare WAF to challenge fetch re...
By editing or creating a new Turnstile widget with “Pre-Clearance” enabled, Cloudflare customers can now use Turnstile to issue a challenge when a page’s HTML loads, and enforce that all valid responses have a valid Turnstile token. They can then write a Cloudflare WAF rule to challenge all requests to their API. The Cloudflare WAF will check fo...
justjumper
justjumperOP11mo ago
Ahh thanks! How does this work with a separate domain though? In our case, the site is www.<site>.com but the api is api.<site>.com So the OPTIONS request fails before it even has the chance to send the cf_clearance cookie. This issue is noted here: https://developers.cloudflare.com/waf/reference/cloudflare-challenges/#cross-origin-resource-sharing-cors-preflight-requests, though there is no solution provided.
Challenges · Cloudflare Web Application Firewall (WAF) docs
When a website is protected by Cloudflare, there are several occasions when it will challenge visitor traffic:
Metriusz
Metriusz11mo ago
For the CORS headers, you can set up a transform rule to modify those in the response
Want results from more Discord servers?
Add your server