cloudflarecaptchacloudflare-pages

Cloudflare managed challenge for all subdomains


(related question: Cloudflare Managed Challenge on API for SPA causing challenge not to be seen)

We have a frontend application running on Cloudflare Pages (ourapplication.com) and then backend services running in Google Cloud, proxied also via Cloudflare (backend.ourapplication.com).

We have set up a managed challenge for certain regions and it happens that the managed challenge is not invoked via the main application, but it is then invoked via API call to the backend service, which results in 403 errors.

Is there a way to handle these or enforce the managed challenge on the main application?


Solution

  • The key was to avoid managed challenge for OPTIONS requests, described here:

    https://developers.cloudflare.com/waf/reference/cloudflare-challenges/#cross-origin-resource-sharing-cors-preflight-requests