Facing CORS error while enabling I AM UNDER ATTACK MODE
TITLE: CORS Error While Security Set To I Am Under Attack
I am trying to set up Cloudflare on my web application.
I have two domains: dev.app.com and api.app.com.
On enabling "I am under attack" in my Cloudflare, I start getting CORS errors: Access to api.app.com from origin dev.app.com has been blocked due to missing access-control-allow-origin header.
I implemented CORS headers in my Java API backend. My api.app.com domain now has the Access-Control-Allow-Origin: https://dev.app.com header set up.
Why am I still facing this error? What is the solution?
Cloudflare is likely returning an HTML challenge page for api.app.com, because it's in under attack mode. iirc under attack mode is very much not designed for being usable for APIs.
but if I enable under attack mode during an actual attack, I don't want the application to break.
What can we do to fix it? The APIs should work as they are working when the under attack mode is set to or medium.
@valkyrie_pilot
Even after implementing the header, I still get the error.
I visit dev.app.com > Challenge Page Solved > Enter login credentials > Click on Login > API request to api.app.com/authenticate > request fails with 403 and gives the following error: Access to api.app.com from origin dev.app.com has been blocked due to missing access-control-allow-origin header.
@Hello, I’m Allie! sorry to ping you here but looking for some urgent help in this case. I have been trying to fix this for the last week but no luck. Will you please suggest a fix?
Please do not ping community members for non-moderation reasons. Doing so will not solve your issue faster and will make people less likely to want to help you.
I apologised earlier for pinging you 🙏 . But needed some urgent help with this issue.
the only reliable way to get urgent help from cloudflare is to drop four to six figures a month on an enterprise plan
sad but true
what do you suggest @valkyrie_pilot ? We are not able to solve this issue. There are no blogs or community posts describing this issue in detail. What can we do?
especially if your API is authenticated, consider setting up a separate DDoS protection layer for that API, and then not using under attack mode on said API
what feature should I use to set this up? Page Rules? Setting Security to Essentially Off for all api.app.com?
Use the logs to find out what requests the attackers are making. Create firewall rules matching the attack patterns as close as possible. Disable UAM
For anyone facing this issue, we did the following:
Set up custom WAF rules for api.app.com.
Set action to Skip.
WAF components to skip: Security Levels and All Super Bot Fight Mode Rules.
I tried searching a lot on the internet for a solution, but none were a simple answer. Everywhere things were complex and no one pointed to this.
Take care of your API on AWS or wherever it is hosted.
Thumbs Up 👍 this thread if you visit in the future and find this helpful.
@Leo Quick question. Although we disabled all security checks on the API, while the other endpoints in the application and the main domain dev.app.com are still protected by Cloudflare, is this still a good idea?
Alternatively, can I use HTTP Response Header Modification to dynamically add an Access-Control-Allow-Origin: https://dev.app.com header to each response matching api.dev.com? Would this be a more approachable and secure implementation? Will it solve the CORS error?
Where should I be whitelisting them? On CF? If I whitelist OPTIONS requests, will CF also parse the following GET, POST requests of the same API call?
We are using JWT to authorise users on the platform.
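The failure described in this thread (a browser-side preflight that hits a challenge page), the WAF skip rule that fixed it, and the later question about adding Access-Control-Allow-Origin at the edge can all be reasoned about with one small model. The following is an added example written for this thread, not the poster's code and not Cloudflare's; it uses the thread's two hostnames and a simplified edge that returns a 403 HTML challenge for any host not covered by a skip rule. The browser logic follows the Fetch standard's CORS-preflight rules (the preflight response must be 2xx and carry a matching Access-Control-Allow-Origin), which is why a header transform stamped onto a 403 challenge still fails in this model.

```python
from dataclasses import dataclass


@dataclass
class Response:
    status: int
    headers: dict
    body: str = ""


# Hostnames taken from the thread. The origin server below is a constructed
# stand-in for the Java API that already sends the CORS headers the poster set.
ALLOWED_ORIGIN = "https://dev.app.com"
API_HOST = "api.app.com"

CORS_HEADERS = {
    "Access-Control-Allow-Origin": ALLOWED_ORIGIN,
    "Access-Control-Allow-Methods": "GET, POST, OPTIONS",
    "Access-Control-Allow-Headers": "Authorization, Content-Type",
}


def origin_server(method):
    """Constructed backend behind the edge: answers preflights with 204 and
    real requests with JSON, both carrying the configured CORS headers."""
    if method == "OPTIONS":
        return Response(204, dict(CORS_HEADERS))
    return Response(200, {**CORS_HEADERS, "Content-Type": "application/json"},
                    '{"token": "<jwt>"}')


def edge(method, host, under_attack, skip_hosts=frozenset(), stamp_acao=False):
    """Simplified edge model (an assumption, not Cloudflare's real pipeline).
    In under-attack mode every host not matched by a skip rule gets an
    interactive HTML challenge (403, no CORS headers) instead of being proxied.
    stamp_acao models a response-header transform that adds
    Access-Control-Allow-Origin to whatever the edge returns."""
    if under_attack and host not in skip_hosts:
        resp = Response(403, {"Content-Type": "text/html"},
                        "<html>Checking your browser before accessing the site</html>")
    else:
        resp = origin_server(method)
    if stamp_acao:
        resp.headers["Access-Control-Allow-Origin"] = ALLOWED_ORIGIN
    return resp


def preflight_ok(resp, origin, method, request_headers):
    """Browser-side preflight check, reduced from the Fetch standard: the
    preflight response needs an ok (2xx) status, an ACAO matching the origin,
    and must list the requested method and request headers."""
    if not 200 <= resp.status < 300:
        return False
    if resp.headers.get("Access-Control-Allow-Origin") not in (origin, "*"):
        return False
    methods = {m.strip() for m in resp.headers.get("Access-Control-Allow-Methods", "").split(",")}
    allowed = {h.strip().lower() for h in resp.headers.get("Access-Control-Allow-Headers", "").split(",")}
    return method in methods and all(h.lower() in allowed for h in request_headers)


def cross_origin_login(under_attack, skip_hosts=frozenset(), stamp_acao=False):
    """dev.app.com calls POST api.app.com/authenticate with a JSON body and an
    Authorization (JWT) header. That is not a simple request, so the browser
    sends an OPTIONS preflight first. Returns (status_seen, outcome)."""
    request_headers = ["authorization", "content-type"]
    pre = edge("OPTIONS", API_HOST, under_attack, skip_hosts, stamp_acao)
    if not preflight_ok(pre, ALLOWED_ORIGIN, "POST", request_headers):
        return pre.status, "blocked: preflight response does not satisfy the CORS check"
    actual = edge("POST", API_HOST, under_attack, skip_hosts, stamp_acao)
    if actual.headers.get("Access-Control-Allow-Origin") not in (ALLOWED_ORIGIN, "*"):
        return actual.status, "blocked: response has no matching Access-Control-Allow-Origin"
    return actual.status, "ok"


if __name__ == "__main__":
    print("normal mode:              ", cross_origin_login(False))
    print("under attack:             ", cross_origin_login(True))
    print("under attack + ACAO stamp:", cross_origin_login(True, stamp_acao=True))
    print("under attack + skip rule: ", cross_origin_login(True, skip_hosts={API_HOST}))
```

The four runs at the bottom reproduce the thread: the call works with the edge passive, fails with a 403 once the challenge is in front of api.app.com, still fails when only the header is stamped onto the challenge response (the status, not the header, is what the preflight trips on), and works again when the API host is excluded from the challenge, which is what the custom WAF rule with the Skip action does. The model also makes the trade-off in the last question visible: `skip_hosts` removes the challenge from the API entirely, so the API's own authentication (the JWT) and any separate rate limiting or firewall rules become the only controls on that host.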