Facing CORS error while enabling I AM UNDER ATTACK MODE

TITLE: CORS Error While Security Set To I Am Under Attack

I am trying to setup cloudflare on my web application
I have two domains -

dev.app.com

dev.app.com

and

api.app.com

api.app.com

On enabling "I am under attack" in my CloudFlare, I start getting CORS errors -

Access to api.app.com from origin from dev.app.com has been blocked due to missing access-control-allow-origin header.

Access to api.app.com from origin from dev.app.com has been blocked due to missing access-control-allow-origin header.

I implemented

CORS

CORS

headers in my Java API backend
My

api.app.com

api.app.com

domain now has

Access-Control-Allow-Origin: https://dev.app.com

Access-Control-Allow-Origin: https://dev.app.com

header setup.

Why am I still facing error? What is the solution?

valkyrie_pilot•1/30/25, 5:43 AM

Cloudflare is likely returning a HTML challenge page for api.app.com, because it's in under attack mode. iirc under attack mode is very much not designed for being usable for APIs.

SodiumOP•1/30/25, 6:17 AM

but if I enable under attack mode during an actual attack, I don't want the application to break.
What can we do to fix it? The APIs should work as they are working when the under attack mode is set to or @valkyrie_pilot

SodiumOP•1/30/25, 6:18 AM

Even after implementing the header, I still get error.

SodiumOP•1/30/25, 6:19 AM

I visit

dev.app.com

dev.app.com

> Challenge Page Solved > Enter login credentails > Click on Login > API request to > request fails with

and gives the following error -

Access to api.app.com from origin from dev.app.com has been blocked due to missing access-control-allow-origin header.

Access to api.app.com from origin from dev.app.com has been blocked due to missing access-control-allow-origin header.

SodiumOP•1/30/25, 6:57 AM

@Hello, I’m Allie! sorry to ping you here but looking for some urgent help in this case. Trying to fix this from last one week but no luck. Will you please suggest a fix?

SSodium @Hello, I’m Allie! sorry to ping you here but looking for some urgent help in th...

Hello, I’m Allie!•1/30/25, 7:11 AM

?pings

SuperHelpflare•1/30/25, 7:11 AM

Please do not ping community members for non-moderation reasons. Doing so will not solve your issue faster and will make people less likely to want to help you.

HHello, I’m Allie!?pings

SodiumOP•1/30/25, 7:12 AM

I apologiesed earlier for pinging you

. But needed some urgent help with this issue.

valkyrie_pilot•1/30/25, 7:16 AM

the only reliable way to get urgent help from cloudflare is to drop four to six figures a month on an enterprise plan

Vvalkyrie_pilot the only reliable way to get urgent help from cloudflare is to drop four to six ...

SodiumOP•1/30/25, 7:17 AM

sad but true

SodiumOP•1/30/25, 7:18 AM

what do you suggest @valkyrie_pilot ? We are not able to solve this issue. There are no blogs or community posts describing this issue in detail. What can we do?

valkyrie_pilot•1/30/25, 7:19 AM

especially if your API is authenticated, consider setting up a seperate ddos protection layer for that API, and then not using under attack mode on said api

SodiumOP•1/30/25, 7:20 AM

what feature should I use to set this up?
Page Rules?

SodiumOP•1/30/25, 7:20 AM

setting Security to Essentially off;

SodiumOP•1/30/25, 7:20 AM

SodiumOP•1/30/25, 7:21 AM

for all api.app.com

SSodium setting Security to Essentially off;

Hello, I’m Allie!•1/30/25, 7:27 AM

Use the logs to find out what requests the attackers are making. Create firewall rules matching the attack patterns as close as possible. Disable UAM

SodiumOP•1/30/25, 9:08 AM

For any one facing this issue, we did the following -

Set up custom WAF rules for

api.app.com

api.app.com

Set action to
WAF components to skip: and

I tried searching a lot on internet for a solution, but none were a simple answer. Everywhere things were complex and no one pointed to do this.

Take care of your API on AWS or anywhere it is hosted.

SodiumOP•1/30/25, 9:08 AM

Thumbs Up

this thread if you visit in future and find this helpful.
Tags:

SodiumOP•1/30/25, 9:19 AM

@Leo Quick question. Although we disabled all security checks on API, while other endpoints in the application and main domain

dev.app.com

dev.app.com

is still protected by CloudFlare, is this still a good idea?

Alternatively, can I use HTTP Response Header Modification to dynamically add header to each response matching ? Would this be more approchable and secure implementation? Will it solve CORS error?

Original message was deleted

SodiumOP•1/30/25, 9:20 AM

where should I be whitelisting them? on CF?

SodiumOP•1/30/25, 9:21 AM

If I whitelist

OPTIONS

OPTIONS

requests, will the CF also parse following

GET

GET

POST

POST

requests of the same API call?
We are using JWT to authorise user on the platform.