Request to API behind a challenge managed between different domains
I'm trying to replicate what was discussed in this topic, but I'm having trouble.
https://blog.cloudflare.com/id-id/integrating-turnstile-with-the-cloudflare-waf-to-challenge-fetch-requests/
Can anyone help me?
^ I'm looking to do the same thing, but for a website on domain-1.com making requests to an API on domain-02.com
Are you aware of another way to solve the issue above, to allow challenges against XHR requests so that legitimate requests make it through but attacks are stopped?
I wonder if you could action something based upon a failed preflight request though? If the user has passed the challenge, surely any follow-up queries on the OPTIONS would be allowed?
Or, because OPTIONS aren't super weighty, allow the OPTIONS requests to bypass the WAF and just limit the POST and GET?
My hope is that this would be such a common issue across the internet that someone has found a secure solution... and blogged about it 😄
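One way to express the split proposed above (preflight passes, real API calls get challenged) as Cloudflare WAF custom rules, written in Cloudflare's rule expression language. This is an added illustration, not from the original thread or the linked blog post; the host name api.domain-02.com is a placeholder, and the rule actions are set on each rule in the dashboard rather than in the expression. Whether the clearance cookie issued on domain-1.com is honoured for a cross-domain request to domain-02.com is exactly the question this thread leaves open, so verify that in your own zone before relying on it.

```text
# Rule 1 (evaluated first): let the CORS preflight through untouched.
# Expression:
(http.host eq "api.domain-02.com" and http.request.method eq "OPTIONS")
# Action: Skip -> remaining custom rules

# Rule 2: challenge the actual API calls from the browser.
# Expression:
(http.host eq "api.domain-02.com" and http.request.method in {"GET" "POST"})
# Action: Managed Challenge
```

Pair Rule 1 with a rate limiting rule keyed on the same host and method, as suggested later in the thread, so that unchallenged OPTIONS traffic cannot be used as a cheap flood vector.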
true, but we could put a rate limit as well on that right?
Ergh, I'll do some more research. Thanks for the insights @Leo 🙏