Disable Cloudflare captcha on website

The Cloudflare managed challenge, aka the Cloudflare captcha, is not needed and only serves as an annoyance to legitimate users.

(http.request.uri.path contains "/api/v1" and not http.referer contains "https://restorecord.com")

This Cloudflare WAF ruleset expression with the action block will be plenty, I’m positive.

Try it out, you’ll see how you don’t need a managed challenge.

Managed captchas usually get served to users who are using bad VPNs or have suspicious activity on their IPs; actual legitimate users shouldn't be receiving captchas. There will be false positives, obviously.

Check with xenos, I don’t think that’s the case.

My IP is a completely clean home IP. Also, I don’t get triggered by the Cloudflare security level high setting. So I am pretty sure managed challenge is for everyone currently.

Hmm, I'll check with xenos, but according to Cloudflare statistics, less than 3% of all requests sent to RestoreCord in the last 24h received a captcha. So I’m pretty sure this isn't a major issue.

All new users get it. And first impression matters a lot. The challenge passage is set to a year so the users don’t get it again after a year of completing it.

Visit RestoreCord in a private window of your browser, and you’ll get an interstitial Cloudflare page too.

Because RC is using Next.js now, the pages that the user visits are just HTML. Meaning there would need to be like a billion requests to cause any lag by DDoSing the HTML file.

And the JavaScript included in the HTML file sends a referrer to the API when requesting it, telling it what website requested the API. This is the referrer header. It can’t be spoofed, Cloudflare WAF blocks any attempts to spoof referrer header. So, the rule I proposed at the start of the thread is a great way to stop DDoS to API, the only vulnerable property now that everything else is HTML.

The “all new users get it” only happens on the community page, not on the main site. I never got a captcha on the main site, only on this community page.

I do get it on the main site, and the community site. Managed challenge on community site makes sense but main site doesn’t.

Safari iPhone - Ray ID: 750778d7ad9a56c2
Windows Chrome - Ray ID: 75077a09089f5a4c
Windows Firefox - Ray ID: 75077ab7bbab577c

Those are blocked because of the ISP; there have probably been a few attacks from it.

Edit from Bl4ckBl1zz:
We blocked your current ASN because we have received many DDoS attacks from them.

That ASN is widely used by people in the US. It’s a very well known company, and it would take near a billion requests for a DDoS to down an HTML page.

So, blocking that ASN seems dumb. Same with Comcast (AS7922) if you have Comcast blocked too.

Yes, there are residential proxies available on Comcast and the ASN I’m on right now. Though there’s a greater number of people using those ASNs for legitimate use than people who use those ASNs for DDoSing.

It’s going to be very very very hard to DDoS an HTML file, plus you’re caching the files so it’s not needed at all.

I’ve never seen anyone actually complain about the captcha, the ASN you had roughly around 200 requests in the last 24h. And even though the page is HTML, it still seems to use some bandwidth on larger attacks.

If the page is cached, which it is, none of that bandwidth shown in Cloudflare dashboard goes to backend.

Comcast AS7922 and the ASN I’m on atm are very large companies in the U.S. Maybe comcast more so than the ASN I’m on, but yeah there’s no good reason to challenge them. Only 1 or 2 people are probably using those ASNs to DDoS, the rest are legitimate users.

Yeah, idk, those attacks were 100Mil+, but I removed the captcha for your current ASN, and Comcast wasn’t getting challenged.
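
Added example (not part of the thread, and not RestoreCord's or Cloudflare's code): a Python model of the WAF expression proposed at the start of the thread, run over constructed requests, beside a stricter variant that compares the parsed Referer scheme and host exactly. The function names, the stricter variant and the sample requests are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Values taken from the expression posted in the thread.
API_PREFIX = "/api/v1"
SITE_ORIGIN = "https://restorecord.com"


def thread_rule_blocks(path: str, referer: str) -> bool:
    """Model of: path contains "/api/v1" and not referer contains SITE_ORIGIN.

    `contains` is a case-sensitive substring test, like Python's `in`.
    """
    return API_PREFIX in path and SITE_ORIGIN not in referer


def strict_rule_blocks(path: str, referer: str) -> bool:
    """Stricter variant (assumption, not from the thread): anchor the path
    prefix and require the Referer's parsed scheme and host to match."""
    if not path.startswith(API_PREFIX):
        return False
    parts = urlsplit(referer)
    return not (parts.scheme == "https" and parts.hostname == "restorecord.com")


# Constructed sample requests: (label, request path, Referer header value).
SAMPLES = [
    ("site page calling API", "/api/v1/user", "https://restorecord.com/dashboard"),
    ("referrer stripped by privacy setting", "/api/v1/user", ""),
    ("look-alike host", "/api/v1/user", "https://restorecord.com.example.net/"),
    ("origin in query of another site", "/api/v1/user",
     "https://example.org/?u=https://restorecord.com"),
    ("static page", "/", ""),
]


def evaluate() -> dict:
    """Return {label: (blocked by thread rule, blocked by strict variant)}."""
    return {
        label: (thread_rule_blocks(path, ref), strict_rule_blocks(path, ref))
        for label, path, ref in SAMPLES
    }


if __name__ == "__main__":
    for label, (loose, strict) in evaluate().items():
        print(f"{label:40} thread rule: {'block' if loose else 'allow'}   "
              f"strict: {'block' if strict else 'allow'}")
```

Both forms block API calls that arrive without a Referer, so clients whose browser or extension strips the header are false positives under this rule; the two forms differ only on Referer values that merely contain the origin string.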