Accessing the e621 API when it gets blocked by Cloudflare’s DDoS protection

Here is a small tutorial on how to access the e621 API when it gets blocked by Cloudflare, as done in TWS. The code is in Java (for Android) but the basic principle should be the same for other languages.

Starting from the beginning, the API returns an HTTP status code of 403 (forbidden) or 503 (service unavailable) when Cloudflare blocks the API call. To access e621 and the API, a captcha must be completed. The simplest way is to use a WebView:

where USER_AGENT is the exact same as in all other requests to the e621 API. This is important so that Cloudflare knows that it is the same client connecting.

After completing the captcha Cloudflare redirects to e621, and the next step is to extract and store three cookies from the WebView. These are __cfduid, e621 and cf_clearance. Two of these tells Cloudflare that the captcha has been completed and the third is an identifier for e621. Together, these can be used to bypass Cloudflare and make the API working again.

CookieManager extracts the cookies:

Save the values of these cookies in e.g. SharedPreferences. The last step is to include the three cookies in all following API calls. An example using Jsoup:

Include the cookies and use the same user agent at all times and Cloudflare will not block the API calls to e621 :) (until you have to complete a captcha again)

6 thoughts on “Accessing the e621 API when it gets blocked by Cloudflare’s DDoS protection

  1. wpack says:

    Curious… You reckon it’d be possible to replicate this type of program using other means?
    I’d considered porting this application to Pocket PC, so to speak (because I’m old school) but that is a Visual Studio 2008 thing…not exactly Java.

  2. wondering_stranger says:

    Thank you very much for that, i needed that for another site.
    I also test it without __cfduid and it worked fine.I also can confirm that the User-Agent header was neccessary to be exactly the same.
    But what i was wondering: Is it also sensitive for the IP? Or would it stop to work as soon as my device get anotherone.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.