Basically, if Cloudflare doesn’t like anything at all about you, you’ll get a verification page. And, since apparently Cloudflare only has object permanence for Chromium, they’ll flag other browsers as suspicious and force you to jump hoops for using them.
Just wanna note that the domain owner is the one who elected to use that level of security check, though TBF CF doesn’t make it very granular (and why enterprises tend to use their own WAFs)
Edit: for the record I don’t at all judge. Web has rampant bit activity these days and it’s a lot even for a large team.
Slash there are other settings in CF that could affect the behavior so it could be something else. Sae a comment that it was login-aware which makes me think it’s more than just the security levels
there are quite a few ways to use more granular targeting. for example, we have specific url patterns that get challenged if certain headers have certain values and are missing others, while other urls won’t get challenged.
we’re currently challenging visitors who aren’t logged in regardless of the browser due to extremely aggressive LLM scrapers. as long as you’re staying logged in you won’t get challenged.
it would be trivial for them to not DDoS and yet they keep doing it.
if they were calling Lemmy APIs directly they would significantly reduce the load they bring to our service. if they were speaking ActivityPub they could even get the content delivered to their front door directly via federation.
they don’t care that they DDoS websites. they don’t care about optimizing for how certain types of websites are built, to reduce impact on third parties. the only language they speak is DDoS.
they intentionally spoof legitimate browser user agents and cycle through massive ranges of IP addresses. they have enormous pools of IPv4 addresses available that allow them to only use each IP for a couple of requests before cycling to the next one, which is yet another way they evade detection, as they are bypassing any rate limits we have configured that way.
Are the verification pages for everyone or just more privacy focused browsers? They seem very common.
Basically, if Cloudflare doesn’t like anything at all about you, you’ll get a verification page. And, since apparently Cloudflare only has object permanence for Chromium, they’ll flag other browsers as suspicious and force you to jump hoops for using them.
Just wanna note that the domain owner is the one who elected to use that level of security check, though TBF CF doesn’t make it very granular (and why enterprises tend to use their own WAFs)
https://duckduckgo.com/?q=cloudflare+security+levels&ia=images&iax=images&iai=https%3A%2F%2Fmediafortress.com.au%2Fwp-content%2Fuploads%2F2022%2F08%2FCloudflare-security-level.gif
Edit: for the record I don’t at all judge. Web has rampant bit activity these days and it’s a lot even for a large team.
Slash there are other settings in CF that could affect the behavior so it could be something else. Sae a comment that it was login-aware which makes me think it’s more than just the security levels
there are quite a few ways to use more granular targeting. for example, we have specific url patterns that get challenged if certain headers have certain values and are missing others, while other urls won’t get challenged.
we’re currently challenging visitors who aren’t logged in regardless of the browser due to extremely aggressive LLM scrapers. as long as you’re staying logged in you won’t get challenged.
Isn’t it trivial for scrapers to provide login credentials? Or is a login wall sufficient to keep the scrapers away?
it would be trivial for them to not DDoS and yet they keep doing it.
if they were calling Lemmy APIs directly they would significantly reduce the load they bring to our service. if they were speaking ActivityPub they could even get the content delivered to their front door directly via federation.
they don’t care that they DDoS websites. they don’t care about optimizing for how certain types of websites are built, to reduce impact on third parties. the only language they speak is DDoS.
they intentionally spoof legitimate browser user agents and cycle through massive ranges of IP addresses. they have enormous pools of IPv4 addresses available that allow them to only use each IP for a couple of requests before cycling to the next one, which is yet another way they evade detection, as they are bypassing any rate limits we have configured that way.