CloudFlare Speed Brain feature can randomly break DotVVM applications
Published: 10/18/2024 2:46:31 PM

Recently, we have run into an issue on several public-facing sites running on DotVVM 4.0+. When navigating between the pages on the site, we started seeing random errors like this:
Verify Sec-Fetch is one of the security features added in DotVVM 4.0. It is meant to prevent malicious scripts from interfering with DotVVM when the browser sends an HTTP GET request to load a page from the server. The feature is turned on by default; we did not expect it to cause issues, and for many months it did not.
However, CloudFlare, a popular service that puts a proxy server in front of your site to provide a lot of interesting features, started rolling out its Speed Brain feature. The feature tries to prefetch pages before you click on them to speed up navigation.
Because the feature is currently in beta, even when it is enabled in the CloudFlare portal (which it is by default), it may not be active all the time. This makes the issue occur randomly, and it may be tricky to reproduce.
The same issue will probably occur with any other prefetching library. DotVVM inspects the Sec-Fetch request headers to check whether the page was loaded by a standard HTTP GET navigation, or whether the request was issued by some JavaScript code; a prefetch request does not look like a standard navigation, so it is rejected.
Workaround 1: Disable CloudFlare Speed Brain (or other prefetching library)
The easiest way is to disable this feature in the CloudFlare portal.
Workaround 2: Disable VerifySecFetchForPages in DotVVM configuration
If you plan to use any prefetching technology, you may want to disable this security feature, because it will reject the prefetch requests anyway. You can do so only for particular pages, or for the entire application:
// disable feature for all pages
config.Security.VerifySecFetchForPages.ExcludeForAllRoutes();
// disable feature for a single page
config.Security.VerifySecFetchForPages.ExcludeForRoute("Default");
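To make the two points above concrete (why a prefetch fails a "was this a real navigation?" check, and how a per-route exclusion lets it through), here is a small added model of such a check. It is illustration code written for this post, not DotVVM's implementation or its configuration API; the policy names, the decision rules and the sample header sets are assumptions constructed for the example.

```python
"""Simplified model of a Sec-Fetch check for page (GET) requests.

Added illustration, not DotVVM's code. A request is treated as a real
browser navigation when Sec-Fetch-Dest is "document" (or "iframe") and
Sec-Fetch-Mode is "navigate", and is treated as a prefetch when the
Sec-Purpose header says so. The exclusion list mirrors the idea of
ExcludeForRoute / ExcludeForAllRoutes from the post; the rules and
sample headers below are constructed for the example.
"""
from dataclasses import dataclass, field


@dataclass
class SecFetchPolicy:
    excluded_routes: set = field(default_factory=set)
    exclude_all: bool = False

    def exclude_for_all_routes(self) -> None:
        # Skip the check for every route (modeling choice).
        self.exclude_all = True

    def exclude_for_route(self, route_name: str) -> None:
        # Skip the check for one named route (modeling choice).
        self.excluded_routes.add(route_name)

    def is_page_request_allowed(self, route_name: str, headers: dict) -> tuple:
        """Return (allowed, reason) for a GET request to a page route."""
        if self.exclude_all or route_name in self.excluded_routes:
            return True, "check excluded for route"

        # Header names are case-insensitive; normalize before lookup.
        h = {k.lower(): v.lower() for k, v in headers.items()}

        # Assumption of this model: a client that sends no Fetch Metadata
        # at all cannot be classified, so it is let through.
        if "sec-fetch-dest" not in h:
            return True, "no fetch metadata"

        # Speculative prefetches carry Sec-Purpose: prefetch; they are
        # not a user navigation, so a strict check rejects them.
        if "prefetch" in h.get("sec-purpose", ""):
            return False, "prefetch request"

        dest_ok = h.get("sec-fetch-dest") in {"document", "iframe"}
        mode_ok = h.get("sec-fetch-mode") == "navigate"
        if dest_ok and mode_ok:
            return True, "browser navigation"
        return False, "script-initiated request"


# Constructed sample header sets (not captured from a real browser).
NAVIGATION = {"Sec-Fetch-Dest": "document", "Sec-Fetch-Mode": "navigate",
              "Sec-Fetch-Site": "same-origin"}
SCRIPT_FETCH = {"Sec-Fetch-Dest": "empty", "Sec-Fetch-Mode": "cors",
                "Sec-Fetch-Site": "cross-site"}
PREFETCH = {"Sec-Fetch-Dest": "document", "Sec-Fetch-Mode": "navigate",
            "Sec-Fetch-Site": "same-origin", "Sec-Purpose": "prefetch"}
LEGACY_CLIENT = {"User-Agent": "constructed-old-browser/1.0"}


def evaluate(policy: SecFetchPolicy, route_name: str) -> dict:
    """Run every sample through the policy; returns {sample: allowed}."""
    samples = {"navigation": NAVIGATION, "script_fetch": SCRIPT_FETCH,
               "prefetch": PREFETCH, "legacy_client": LEGACY_CLIENT}
    return {name: policy.is_page_request_allowed(route_name, hdrs)[0]
            for name, hdrs in samples.items()}


if __name__ == "__main__":
    strict = SecFetchPolicy()
    print("strict:", evaluate(strict, "Default"))
    relaxed = SecFetchPolicy()
    relaxed.exclude_for_route("Default")
    print("Default excluded:", evaluate(relaxed, "Default"))
    print("other route still strict:", evaluate(relaxed, "About"))
```

With the strict policy the prefetch and the script-initiated fetch are rejected while the ordinary navigation passes, which is the random failure described above whenever the prefetcher is active. Excluding the route (or all routes) skips the check entirely, so it is a trade-off: the route loses the protection the check provides, which is why the post treats these as workarounds rather than a fix.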
Please note that these workarounds may be temporary. The Speed Brain feature is still in beta and its behavior may change, and we are evaluating whether we can use Content Security Policy or the Speculation Rules API to control whether prefetching on the site is allowed.
I am the CEO of RIGANTI, a small software development company located in Prague, Czech Republic.
I am a Microsoft Most Valuable Professional and the founder of the DotVVM project.