Render's Cloudflare configuration blocks the string literal "boot.ini" in request bodies for ALL Render URLs

After much debugging, we’ve discovered that Render’s Cloudflare configuration will block any and all network requests when the body contains the string literal “boot.ini”. This isn’t just true of our services, it even affects Render’s own websites. I’m assuming there must be a list of blacklisted terms that includes boot.ini, but that’s the only one I’ve come across so far. This seems like a pretty big issue and I’m wondering if anyone else has run into it or has come up with any solution? We had the idea of Base64 encoding our requests but that seems like a very fragile solution that could still get blocked since we don’t know what else might be blacklisted.

Test it yourself (and feel free to replace with your own service’s URL):

curl --location '' \
--data 'boot.ini'

You can even surround the text in whatever other text you want and it still throws a 403 Cloudflare block error:

curl --location '' \
--data 'whateverprefixboot.iniwhateversuffix'

EDIT: I’m actually very surprised I was even able to post this haha. I guess they either encode posts before saving them or isn’t behind the same cloudflare proxy.

1 Like

:tada: Render support has removed this filter from their Cloudflare configuration so this issue is now resolved.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.