protecting my api subdomain
I'm trying to force a managed challenge for my API endpoints, but since the challenge only works in the frontend I made a separate page that enforces the challenge. Once solved, the cf_clearance cookie is obtained, but the calls are to a subdomain and hence the cf_clearance cookie is not passed to the request. How can I solve this?
16 Replies
preflight can be whitelisted when the request method is OPTIONS right?
I'm really stuck. My search API is being abused using multiple random queries which I can't validate either. I'm only manually blocking the attack by using some common patterns I find, and this could trigger false positives as well.
is there no way to mitigate this?
@Leo I don't think he's talking about preflight.
Cookies and local/session storage is scoped to the domain and subdomain
So you need to complete the challenge for each domain and set the cookie
This might be slightly offtopic but
- I am assuming your search api is unauthenticated? Users don't need to sign up?
- If so, it's just natural that you will get junk requests. You are better off working on the reliability of the API, such as implementing rate limits
Can you be more specific how it's being abused?
Yes, but my domain.com cannot send cookies for api.domain.com, right? That's the problem.
Oh, but I'm not sure why only domain.com requests contain the cookie and not my api.domain.com.
As of now they're spamming my unauthenticated search API from various different IPs using random-length strings.
Is that impacting your service?
I'm manually blacklisting IPs or blocking based on UA
To be blunt, you will always get random spam on public internet
It does, the scale of the attack is 10x more than my usual load
increasing my cost drastically
Will try that
If it's just a search API and frontend calls it, why not implement Turnstile?
So before you click "Search" which requests the API with the input box text, you need to complete a recaptcha
Then on your backend, you validate the captcha
or use snippets if you are on pro or above
Ah, that's a good idea, thanks.
So in the backend, before I do expensive computing, I call the CF API to verify the token and proceed, right?
I think that's the most appropriate way to REDUCE the amount of spam - it will never be zero but this should cut 90%
Yes, that would reduce my cost too, thank you so much. I will look into implementing it.
Your backend would basically be
So you exit as early as possible if the token isn't valid or in the request
Cloudflare Docs
Overview | Cloudflare Turnstile docs
Turnstile can be embedded into any website without sending traffic through Cloudflare and works without showing visitors a CAPTCHA.
It's very similar to Google Recaptcha if you've done that before
This is my first time protecting an API, will take a look
(with captcha)
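The backend flow discussed in this thread (validate the Turnstile token before doing any expensive work, and exit early if the token is missing or invalid), written out as an added example that is not from the thread or from Cloudflare. It assumes a framework-agnostic request passed in as a dict, a hypothetical `expensive_search` function standing in for the real search, and an injectable `post` callable so the verification logic can be exercised without network access. The siteverify URL and the `cf-turnstile-response` form field are the real ones from the Turnstile docs; the `secret` value is a placeholder.

```python
import json
import urllib.request
from urllib.parse import urlencode

# Real Cloudflare endpoint for server-side token validation.
SITEVERIFY_URL = "https://challenges.cloudflare.com/turnstile/v0/siteverify"
# Placeholder; the real secret comes from the Turnstile dashboard and stays server-side.
TURNSTILE_SECRET = "<turnstile-secret-key-placeholder>"


def _http_post(url, fields):
    """Default transport: form-encoded POST, JSON response (used when no `post` is injected)."""
    req = urllib.request.Request(url, data=urlencode(fields).encode(), method="POST")
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.load(resp)


def verify_turnstile(token, secret, remote_ip=None, expected_hostname=None, post=None):
    """Return (ok, error_codes). Never raises; any failure is treated as 'not verified'."""
    # Cheap checks first so obviously bad requests never cost a siteverify round-trip.
    if not token or not isinstance(token, str):
        return False, ["missing-input-response"]
    if len(token) > 2048:  # Turnstile tokens are bounded in size; anything larger is junk.
        return False, ["invalid-input-response"]

    fields = {"secret": secret, "response": token}
    if remote_ip:
        fields["remoteip"] = remote_ip  # lets Cloudflare bind the token to the client IP

    post = post or _http_post
    try:
        result = post(SITEVERIFY_URL, fields)
    except Exception:
        # Fail closed: if siteverify is unreachable, do not run the expensive path.
        return False, ["siteverify-unreachable"]

    if not result.get("success"):
        return False, list(result.get("error-codes", []))
    # Optional defence against tokens solved on someone else's widget/site.
    if expected_hostname and result.get("hostname") != expected_hostname:
        return False, ["hostname-mismatch"]
    return True, []


def expensive_search(query):
    """Hypothetical stand-in for the real search backend."""
    return [f"result for {query!r}"]


def handle_search(request, secret=TURNSTILE_SECRET, expected_hostname=None, post=None):
    """Gate the search endpoint: (status, body). Token checked before any real work."""
    form = request.get("form", {})
    token = form.get("cf-turnstile-response")  # field name the Turnstile widget submits
    ok, errors = verify_turnstile(
        token, secret, request.get("remote_ip"), expected_hostname, post=post
    )
    if not ok:
        return 403, {"error": "captcha_failed", "codes": errors}
    return 200, {"results": expensive_search(form.get("q", ""))}


if __name__ == "__main__":
    # Constructed sample: a fake transport stands in for Cloudflare so this runs offline.
    fake_ok = lambda url, fields: {"success": True, "hostname": "example.com", "error-codes": []}
    req = {"form": {"cf-turnstile-response": "constructed-token", "q": "shoes"},
           "remote_ip": "203.0.113.5"}
    print(handle_search(req, "dummy-secret", "example.com", post=fake_ok))
    print(handle_search({"form": {"q": "shoes"}}, "dummy-secret", post=fake_ok))
```

The important design choice is fail-closed ordering: the token is checked before any database or compute cost, missing tokens are rejected without a network call, and a siteverify outage or a hostname mismatch counts as a failed check. A `remoteip` is only a hint to Cloudflare; rate limiting on the endpoint is still worth keeping alongside this.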