protecting my api subdomain

i'm trying to force managed challenge for my api endpoints but since the challenge only works in frontend i made a separate page that enforces challenge. once solved the cf_clearance cookie is obtained but the calls are to a subdomain and hence the cf_Clearance cookie is not passed to the request. how can i solve this?
16 Replies
BossMan
BossManOP3mo ago
preflight can be whitelisted when the request method is OPTIONS right? im really stuck, my search api is being abused using multiple random queries which i can't validate as well. im only manually blocking the attack by using some common patterns i find, this could trigger false positives as well is there no way to mitigate this?
tadhglewis
tadhglewis3mo ago
@Leo I don't think he's talking about preflight. Cookies and local/session storage is scoped to the domain and subdomain So you need to complete the challenge for each domain and set the cookie This might be slightly offtopic but - I am assuming your search api is unauthenticated? Users don't need to sign up? - If so, it's just natural that you will get junk requests. You are better of working on reliability of the API such as implementing rate limits Can you be more specific how it's being abused?
BossMan
BossManOP3mo ago
yes but my domain.com cannot send cookies of api.domain.com right? that's the problem oh but im not sure why only domain.com requests contains the cookie and not my api.domain.com as of now they're spamming my unauthenticated search api from various different ips using random length strings
tadhglewis
tadhglewis3mo ago
Is that impacting your service?
BossMan
BossManOP3mo ago
im manually blacklisting ip or blocking bassed on UA
tadhglewis
tadhglewis3mo ago
To be blunt, you will always get random spam on public internet
BossMan
BossManOP3mo ago
it does, the scale of attack is 10x more than my usual load increasing my cost drastically will try that
tadhglewis
tadhglewis3mo ago
If it's just a search API and frontend calls it, why not implement Turnstile? So before you click "Search" which requests the API with the input box text, you need to complete a recaptcha Then on your backend, you validate the captcha
Idle
Idle3mo ago
or use snippets if you are on pro or above
BossMan
BossManOP3mo ago
ah that's a good idea thanks so in the backend before i do expensive computing i call CF api to verify the token and proceed right?
tadhglewis
tadhglewis3mo ago
I think that's the most appropriate way to REDUCE the amount of spam - it will never be zero but this should cut 90%
BossMan
BossManOP3mo ago
yes that would reduce my cost too, thank you so much. i will look into implementing it
tadhglewis
tadhglewis3mo ago
Your backend would basically be
funtion
// verify turnstile token
// do compute
// return result
funtion
// verify turnstile token
// do compute
// return result
So you exit as early as possible if the token isn't valid or in the request
tadhglewis
tadhglewis3mo ago
Cloudflare Docs
Overview | Cloudflare Turnstile docs
Turnstile can be embedded into any website without sending traffic through Cloudflare and works without showing visitors a CAPTCHA.
tadhglewis
tadhglewis3mo ago
It's very similar to Google Recaptcha if you've done that before
BossMan
BossManOP3mo ago
this is my first time protecting api, will take a look (with captcha)
Want results from more Discord servers?
Add your server