Captcha without my request
I use the WAF extensively, but for some reason (maybe since I'm flagged under DDoS?) some subdomains that I don't want to have a captcha on (API domain) do have it.
What can I do?
18 Replies
Check Security -> Events for why there was a block/challenge and, depending on what it is, you can use Custom Rules to bypass it (if it's the Free plan's Bot Fight Mode, the only option is to disable it)
What about X-Frame-Options that's being added when I don't want it? How can I remove it? @Chaika
Either coming from your origin or Rules -> Transform Rules -> Managed Transforms -> HTTP Response Headers -> Add Security Headers
I have no rules in either
I do NOT want it to be added and CF adds it
it's not a rule you add, it's one of the managed transform options
where can I find it? didn't find it in the DDoS override rules
Rules -> Transform Rules -> Managed Transforms
why would that be a DDoS override?
The dash is a little messed up right now, something they're working on; if you don't see the tab to the right of Modify Response Headers, retry in a bit
it's already enabled as a group and I can only toggle it on as a subgroup
OK, added this, seems to work
you want it disabled
that's another option yea
yeah it was already disabled
but still applied
what do you mean "enabled as a group and only toggle as a subgroup"?
sorry, I read the title wrong, the "Enabled" on top
because it was being applied and was off in the row, I thought the title meant Enabled for the entire subgroup of options
anyway the rule that I added works (seems like it must be last) but I still don't know what made it add it in the first place
eh, transform rules are cheap and solve it regardless of anything else, could just have been the origin sending it though. The managed transform would only have done it with the value SAMEORIGIN; if it was DENY or something else it wouldn't be it
not from origin, seems to be sporadically added by CF from what I noticed (also found some people complaining about the same issue online)
@Chaika what about CORS? Now I see that it stripped my headers that allow it. Trying to add it via a rule like X-Frame-Options doesn't work
Grab the full response headers? CF wouldn't touch Access-Control headers unless told to do so, or when using CF Access/something which explicitly does
Seems like it's a different issue, the captcha is being applied to an API route. Any way to whitelist it?