Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.marshell.dev/llms.txt

Use this file to discover all available pages before exploring further.

When your site is fronted by Vercel BotID, Cloudflare Bot Fight, Akamai, or DataDome, chifu often gets served a challenge page instead of your site. The scan ends with a low score and low confidence. Firewall bypass fixes this. chifu signs each request with a secret header; you add a one-time rule on your CDN that whitelists that header.
Only available on verified domains.

Enable

  1. Domains → expand a verified domain.
  2. Find Firewall bypass → click Enable firewall bypass.
chifu generates a secret (chf_b_…). The header name is x-chifu-bypass. From this point, the scanner sends both with every request to this domain and its subdomains.

Add the CDN rule

You write this rule once. The dashboard shows the exact recipe under each tab.
Project → Settings → Firewall → Custom Rules → Create Rule
  • IF: Request Header x-chifu-bypass Equals <your secret>
  • THEN: Bypass
The Bypass action skips Bot Protection, the OWASP rule set, and Attack Mode in one step.

Manage the secret

  • Copy — copies the value.
  • Rotate secret — issues a new one. Update the CDN rule too, otherwise the next scan will hit the challenge again.
  • Remove — disables bypass. chifu stops sending the header; you can delete the CDN rule.

Scope

The secret applies to the root domain and all its subdomains. If a subdomain sits behind a different CDN, expand that subdomain’s card and configure bypass independently there.

When you need it

Signs that bypass would help:
  • A finding Anti-bot challenge intercepted (tool: passive).
  • Risk score 1 with low confidence and an empty Tech stack.
  • Most tools in the scan returning 403 / 429.
Enable bypass, rerun the scan.