Putting API behind under attack mode makes it unusable from the frontend as CF blocks requests

I put my frontend and api on under attack when i was being ddos and, but when fetching my api from the frontend my requests get blocked. Can i do something like relative clearance? For example, if my the user has already verified on the frontend can I let them use the api
27 Replies
vinc
vinc7mo ago
@Paradox_77 host the api under same domain. like instead of api.xnxx.com use xnxx.com/api/ so cookie persists otherwise it won't since they are two different names
Paradox_77
Paradox_77OP7mo ago
Ah alright, that's a great idea thanks 👍 I did this but my web app can cache itself for a long time so how long does the cf clearance live for?
Rowin
Rowin7mo ago
Configurable, 30 minutes by default
Paradox_77
Paradox_77OP7mo ago
Where can i configure that
Rowin
Rowin7mo ago
Under security -> settings Challenge Passage
Paradox_77
Paradox_77OP7mo ago
okay 👍, but the cookie sets for 1 year?
Paradox_77
Paradox_77OP7mo ago
No description
Rowin
Rowin7mo ago
Yeah that's normal, but it's only valid for the time you configured
Paradox_77
Paradox_77OP7mo ago
ah i see so i'd have to set my web app to only cache for 30 mins cuz then the browser would serve cached data but the token would be invalid
Rowin
Rowin7mo ago
Is it a SPA?
Paradox_77
Paradox_77OP7mo ago
yes
Rowin
Rowin7mo ago
It's probably a good idea to browser cache for no longer than the passage time then yeah UAM runs before Cloudflare's cache though, so you can cache on Cloudflare for longer
Paradox_77
Paradox_77OP7mo ago
ah perfect, ill cache for 15 minutes on the client and cache it on cloudflare edge cache thank you so much for helping me with this 👍
Rowin
Rowin7mo ago
And I'd set the passage time to 8 hours maybe Since SPAs use client side navigation
Paradox_77
Paradox_77OP7mo ago
ah but my api gets scraped alot, like 2m+ requests a day and i estimate over 10% of them are bots so they'd just need to solve a captcha manually or through a service and then they have access for 8 hours before they need to do that all over again
Rowin
Rowin7mo ago
The alternative (I think) is that your SPA will break after the token expires, and your users will be forced to manually refresh, because client side navigations don't trigger the UAM page of course I suppose inside your SPA you could detect the response code that the UAM page sends and trigger a refresh, but that's probably bad UX
Paradox_77
Paradox_77OP7mo ago
yes thats whats happening now, but i dont really like that thats what i thought, my SPA only contacts the api in the first quarter of the user's visit (so if they use it for 3 hours, all the api stuff will be done by the 20th min) but then if the try to access the api again without reloading it'll be a disaster cuz then id have to reload
Rowin
Rowin7mo ago
Yep Perhaps you could implement Turnstile yourself, so it nicely integrates with your SPA
Paradox_77
Paradox_77OP7mo ago
I already have turnstile Turns out it's easy to make turnstile tokens It just takes 15 seconds
Rowin
Rowin7mo ago
Well... UAM uses Turnstile too iirc, right?
Paradox_77
Paradox_77OP7mo ago
yes but its managed turnstile or something afaik what i use is invisible turnstile i cant make everyone wait for a captcha just to access it, that'd degrade UX too much well i suppose i can only turn it on when needed but its not perfect
Rowin
Rowin7mo ago
But detection-wise it's pretty much the same, I think
Paradox_77
Paradox_77OP7mo ago
ah alright, ill give that a go tbh do you mind if i msg you later on if i need any assistance?
Rowin
Rowin7mo ago
Feel free
Paradox_77
Paradox_77OP7mo ago
Okay i tried doing that but i get this, im using react-turnstile
Paradox_77
Paradox_77OP7mo ago
TurnstileError: [Cloudflare Turnstile] Invalid or missing type for parameter "sitekey", expected "string", got "object"
No description
Paradox_77
Paradox_77OP7mo ago
even though i have configured it properly
Want results from more Discord servers?
Add your server