After much debugging, we’ve discovered that Render’s Cloudflare configuration will block any and all network requests when the body contains the string literal “boot.ini”. This isn’t just true of our services, it even affects Render’s own websites. I’m assuming there must be a list of blacklisted terms that includes boot.ini, but that’s the only one I’ve come across so far. This seems like a pretty big issue and I’m wondering if anyone else has run into it or has come up with any solution? We had the idea of Base64 encoding our requests but that seems like a very fragile solution that could still get blocked since we don’t know what else might be blacklisted.
Test it yourself (and feel free to replace dashboard.render.com with your own service’s URL):
curl --location 'https://dashboard.render.com/' \ --data 'boot.ini'
You can even surround the text in whatever other text you want and it still throws a 403 Cloudflare block error:
curl --location 'https://dashboard.render.com/' \ --data 'whateverprefixboot.iniwhateversuffix'
EDIT: I’m actually very surprised I was even able to post this haha. I guess they either encode posts before saving them or community.render.com isn’t behind the same cloudflare proxy.