Bypassing the Cloudflare bot challenge

Wiredepth's API sits behind Cloudflare. Cloudflare auto-challenges requests from IP ranges it rates as likely bots: GitHub Actions runners, AWS Lambda IPs, the Vercel build pool, public VPNs, and most cloud datacenter ranges. When that happens you see:

403 Forbidden
<!DOCTYPE html><html lang="en-US"><head><title>Just a moment...</title>

The CLI detects this case and prints a one-liner pointing back here. The fix is in Cloudflare; the operator (you, the wiredepth.com admin) has to apply it.

Option A - allowlist /api/v1/* (recommended)

Tell Cloudflare not to bot-challenge any path under /api/v1/. The public check endpoints are designed to be hit by scripts and already enforce per-IP rate limiting server-side (freeBurstGate('cli-check')), so dropping the bot challenge does not open the door to abuse.

  1. Cloudflare dashboard for wiredepth.com -> Security -> WAF -> Custom rules -> Create rule
  2. Name: "Skip bot challenge for /api/v1"
  3. Field: URI Path. Operator: starts with. Value: /api/v1/
  4. Action: Skip -> "All managed rules" + "Super Bot Fight Mode"
  5. Deploy. Verify with a curl from a flagged IP.

Option B - require a CI bypass header

If you want to keep the challenge on by default and bypass only for trusted callers:

  1. Generate a 32-byte secret. Store as CF_CI_BYPASS_SECRET in your CI / build env.
  2. Cloudflare WAF -> Create rule
  3. Field: HTTP Request Header. Header: X-Wiredepth-CI. Operator: equals. Value: the secret.
  4. Action: Skip "All managed rules" + "Super Bot Fight Mode".
  5. Set POSTVALE_CI_BYPASS in your CI; the CLI forwards it as the header when set.

This has more moving parts than Option A and adds no extra protection (the per-IP rate limit is already in place server-side), but it exists if your security review prefers explicit allowlisting.

If you're a customer hitting this

  • Try from a non-datacenter IP. Run the same postvale check ... from a laptop on residential broadband. If it works locally but not from your build runner, this is the issue.
  • File a support ticket with the operator of the Wiredepth instance you're hitting. Ask them to apply Option A. Until they do, your CI calls will be flaky.
  • Don't spoof your User-Agent. Cloudflare evaluates UA + IP + request shape + TLS fingerprint together; a "browsery" UA from a datacenter IP scores worse than the honest CLI string, not better.

Operator-side CLI integration tests detect this challenge (via api.IsCloudflareChallenge(err)) and skip the affected subtests rather than failing CI. The skip is loud (Skip: shows up clearly in test output) so a regression in shape coverage still surfaces.
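
One way a client or test helper can tell the challenge page shown above apart from a genuine 403 or 429 returned by the API itself. This is an added example, not wiredepth's api.IsCloudflareChallenge; the names looksLikeChallenge and sample are hypothetical, the JSON error bodies are constructed samples, and the cf-mitigated header comes from Cloudflare's documentation rather than from this page.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"strings"
)

// challengeTitle is the interstitial title quoted on this page.
const challengeTitle = "<title>Just a moment...</title>"

// looksLikeChallenge is a hypothetical helper. It reports whether resp is a
// Cloudflare challenge page rather than an answer from the API origin.
func looksLikeChallenge(resp *http.Response) bool {
	// Cloudflare documents "cf-mitigated: challenge" on challenge responses.
	if strings.EqualFold(resp.Header.Get("Cf-Mitigated"), "challenge") {
		return true
	}
	if resp.StatusCode != http.StatusForbidden {
		return false
	}
	// Fallback for the case shown above: an HTML 403 carrying the
	// interstitial title. The title sits in <head>, so 4 KiB is enough.
	ct := strings.ToLower(resp.Header.Get("Content-Type"))
	if !strings.HasPrefix(ct, "text/html") {
		return false
	}
	head, _ := io.ReadAll(io.LimitReader(resp.Body, 4096))
	return strings.Contains(string(head), challengeTitle)
}

// sample builds a constructed in-memory response so the example runs offline.
func sample(status int, contentType, body string) *http.Response {
	h := http.Header{}
	h.Set("Content-Type", contentType)
	return &http.Response{StatusCode: status, Header: h,
		Body: io.NopCloser(strings.NewReader(body))}
}

func main() {
	challenge := sample(403, "text/html; charset=UTF-8",
		`<!DOCTYPE html><html lang="en-US"><head><title>Just a moment...</title>`)
	originDeny := sample(403, "application/json", `{"error":"forbidden"}`)
	rateLimited := sample(429, "application/json", `{"error":"rate limited"}`)
	fmt.Println(looksLikeChallenge(challenge), looksLikeChallenge(originDeny),
		looksLikeChallenge(rateLimited)) // true false false
}
```

looksLikeChallenge consumes up to 4 KiB of the response body, so call it only on the error path, after the caller no longer needs the body.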