Putting the API behind Under Attack Mode makes it unusable from the frontend as CF blocks requests
I put my frontend and API on Under Attack when I was being DDoSed, but when fetching my API from the frontend my requests get blocked. Can I do something like relative clearance? For example, if the user has already verified on the frontend, can I let them use the API?
27 Replies
@Paradox_77 Host the API under the same domain. Like, instead of
api.xnxx.com
use xnxx.com/api/
so the cookie persists; otherwise it won't, since they are two different names.
Ah alright, that's a great idea, thanks 👍
I did this but my web app can cache itself for a long time
So how long does the cf_clearance cookie live for?
Configurable, 30 minutes by default
Where can I configure that?
Under security -> settings
Challenge Passage
Okay 👍, but the cookie is set for 1 year?
Yeah that's normal, but it's only valid for the time you configured
Ah, I see.
So I'd have to set my web app to only cache for 30 mins, because then the browser would serve cached data but the token would be invalid.
Is it a SPA?
yes
It's probably a good idea to browser-cache for no longer than the passage time then, yeah.
UAM runs before Cloudflare's cache though, so you can cache on Cloudflare for longer
Ah perfect, I'll cache for 15 minutes on the client and cache it in Cloudflare's edge cache.
thank you so much for helping me with this 👍
And I'd set the passage time to 8 hours maybe
Since SPAs use client side navigation
Ah, but my API gets scraped a lot, like 2M+ requests a day, and I estimate over 10% of them are bots.
So they'd just need to solve a captcha manually or through a service, and then they have access for 8 hours before they need to do that all over again.
The alternative (I think) is that your SPA will break after the token expires, and your users will be forced to manually refresh, because client side navigations don't trigger the UAM page of course
I suppose inside your SPA you could detect the response code that the UAM page sends and trigger a refresh, but that's probably bad UX
Yes, that's what's happening now, but I don't really like that.
That's what I thought. My SPA only contacts the API in the first quarter of the user's visit (so if they use it for 3 hours, all the API stuff will be done by the 20th minute).
But then if they try to access the API again without reloading it'll be a disaster, because then I'd have to reload.
Yep
Perhaps you could implement Turnstile yourself, so it nicely integrates with your SPA
I already have turnstile
Turns out it's easy to make Turnstile tokens.
It just takes 15 seconds.
Well... UAM uses Turnstile too iirc, right?
Yes, but it's managed Turnstile or something AFAIK.
What I use is invisible Turnstile.
I can't make everyone wait for a captcha just to access it; that'd degrade UX too much.
Well, I suppose I can only turn it on when needed.
But it's not perfect.
But detection-wise it's pretty much the same, I think
Ah alright, I'll give that a go tbh.
Do you mind if I msg you later on if I need any assistance?
Feel free
Okay, I tried doing that but I get this. I'm using react-turnstile:
TurnstileError: [Cloudflare Turnstile] Invalid or missing type for parameter "sitekey", expected "string", got "object"
even though I have configured it properly.
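Editor's added example, not posted by anyone in the thread above: the "detect the response code the UAM page sends and trigger a refresh" idea from the discussion, written as a same-origin fetch wrapper for the SPA. Cloudflare marks a challenge page response with the header `cf-mitigated: challenge`, so the wrapper keys on that header rather than on the bare status code (a 403 can also come from the API itself). It assumes the API lives under the same origin as the SPA (e.g. `/api/...`), as suggested in the thread, so the `cf_clearance` cookie is sent automatically and the header is readable without any CORS exposure; on a separate subdomain the header would have to be exposed via `Access-Control-Expose-Headers` first. The `/api/items` and `/api/expired` paths, the `ChallengeRequiredError` class and the fake fetch are assumptions constructed for the example.

```javascript
// Cloudflare sets this header on responses that are a challenge page rather than origin content.
const CHALLENGE_HEADER = "cf-mitigated";

// Thrown by apiFetch when the call was answered by a challenge page instead of the API.
class ChallengeRequiredError extends Error {
  constructor(path) {
    super(`Cloudflare challenge required for ${path}; clearance has expired or is missing`);
    this.name = "ChallengeRequiredError";
    this.path = path;
  }
}

// Pure check on a Response-like object: true when Cloudflare served a challenge instead of the API.
function isChallengeResponse(response) {
  const value = response.headers.get(CHALLENGE_HEADER);
  return value !== null && value.trim().toLowerCase() === "challenge";
}

// Default recovery: a full navigation is the only thing that lets the browser re-solve the
// challenge, since client-side routing never hits the UAM page. No-op outside a browser.
function defaultOnChallenge() {
  if (typeof window !== "undefined" && window.location) {
    window.location.reload();
  }
}

// Drop-in replacement for fetch() in the SPA. fetchImpl/onChallenge are injectable so the
// wrapper can be exercised offline without a browser or a real Cloudflare zone.
async function apiFetch(path, init = {}, { fetchImpl = globalThis.fetch, onChallenge = defaultOnChallenge } = {}) {
  // same-origin credentials are the default, but being explicit documents why cf_clearance is sent.
  const response = await fetchImpl(path, { credentials: "same-origin", ...init });
  if (isChallengeResponse(response)) {
    onChallenge(response);
    throw new ChallengeRequiredError(path);
  }
  return response;
}

// Constructed stand-in for fetch (not real Cloudflare traffic): one path returns API JSON,
// every other path simulates an expired cf_clearance cookie answered with a challenge page.
function makeFakeFetch() {
  return async function fakeFetch(path) {
    if (path === "/api/items") {
      return new Response(JSON.stringify({ items: [1, 2, 3] }), {
        status: 200,
        headers: { "content-type": "application/json" },
      });
    }
    return new Response("<html>challenge page</html>", {
      status: 403,
      headers: { "cf-mitigated": "challenge", "content-type": "text/html" },
    });
  };
}

// Runs the wrapper against the fake fetch and reports what happened, so the behaviour can be
// asserted on rather than only printed.
async function demo() {
  let reloads = 0;
  const opts = { fetchImpl: makeFakeFetch(), onChallenge: () => { reloads += 1; } };

  const okBody = await (await apiFetch("/api/items", {}, opts)).json();

  let challenged = false;
  try {
    await apiFetch("/api/expired", {}, opts);
  } catch (err) {
    challenged = err instanceof ChallengeRequiredError;
  }
  return { items: okBody.items, challenged, reloads };
}

demo().then((result) => console.log(result)); // { items: [ 1, 2, 3 ], challenged: true, reloads: 1 }
```

In the real SPA the `onChallenge` default reloads the page, which is exactly the refresh the thread calls bad UX; the wrapper at least makes it deterministic instead of leaving the app to choke on an HTML body where it expected JSON, and a caller can swap in a softer handler (for example, a modal telling the user the session needs a refresh) without touching the fetch sites.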