ColdFusion Scheduled Tasks Failing with 403 Forbidden Error (Cloudflare Issue)

My company recently experienced an issue where all of the scheduled tasks in CFADMIN were failing. The first step I took to troubleshoot the issue was to check the scheduler.log log file. Each task had 2 lines in the log file. The first line indicated that the task had been triggered. The second line indicated an error of 403 Forbidden.

"Information","DefaultQuartzScheduler_Worker-3","11/08/24","07:00:00","","Task DEFAULT.NIGHTLY CLEANUP JOB triggered."
"Error","DefaultQuartzScheduler_Worker-3","11/08/24","07:00:00","","403 Forbidden"

Since no permissions had been changed on the server this was a perplexing error. The next step that I took was to execute one of the task URLs from a web browser on the sever. The task completed successfully. This led me to try to obtain more information about CFADMIN running the task so I enabled Save output to file under the Publish section of the Scheduled Task and specified a file to output the result.

CFADMIN Scheduled Task Log to File
CFADMIN Scheduled Task Log to File

Once this setting was in place I executed the task again from CFADMIN > Server Settings > Scheduled Tasks and checked the log file. The log file contained the text error code: 1010.

CFADMIN Scheduled Task Log to File result
CFADMIN Scheduled Task Log to File result

Researching error code: 1010 led me to several articles regarding Cloudfare blocking access to a site based on the browser signature.

This narrowed the issue to either an issue with Cloudfare or the task not running correctly when executed by ColdFusion. I decided to try execute the URL from a ColdFusion cfhttp call using the following basic script.

The task completed successfully when called from cfhttp. Below is a dump of the result:

Dump of cfhttp
Dump of cfhttp

The issue therefore seemed to be narrowed to the fact that Cloudfare was rejecting calls to URLs from the CFADMIN (apparently based on an issue with the browser signature). The browser signature is examined at Cloudfare by a Browser Integrity Check (BIC) as a component of a WAF.

A WAF or web application firewall helps protect web applications by filtering and monitoring HTTP traffic between a web application and the Internet. It typically protects web applications from attacks such as cross-site forgery, cross-site-scripting (XSS), file inclusion, and SQL injection, among others.

Read more about Cloudfare’s WAF.

You can create a custom WAF rule to turn off the Browser Integrity Check (BIC). First, use the Go to navigation to search for WAF and choose Security | WAF | Custom Rules:

WAF Go to
WAF Go to

Next, click the Create rule button to begin. Our solution will use the following settings to disable the BIC on requests only from our server IP to scripts residing in a certain directory:

  • For the `Field` select `IP Source Address`, for `Operator` select `equals` and enter the IP address of your server as the `Value` (this will allow the rule to only apply to requests from your server).
  • Click the `And` button to add another row.
  • For the `Field` select `URI Path`, for `Operator` select `wildcard` and and enter the directory of your scheduled tasks as the `Value` (this will allow a single rule to apply to multiple task scripts in the directory). Notice the directory uses a wildcard at the end `/jobs/*`.
  • For the `Choose action` select `skip`.
  • Select `On` for `Log matching requests`.
  • Under `WAF components to skip` check `Browser Integrity Check` (you may need to click the `More components to skip` link to locate it).
  • Click the `Deploy` button to enable the rule immediately.
WAF Create rule
WAF Create rule

You can view the logging of the Firewall events. First, use the Go to navigation to search for Events and choose Security | Events:

Events Go to
Events Go to

As you can see the previously blocked requests via CFADMIN are now allowed at Cloudfare via a Skip action using Custom rules.

Firewall events
Firewall events

1 thought on “ColdFusion Scheduled Tasks Failing with 403 Forbidden Error (Cloudflare Issue)”

  1. Thanks for this, Chris. To be clear (and for readers interested to know more), it’s really about the useragent header being “cfschedule”, for urls requested as a cf scheduled task. Cloudflare doesn’t recognize that agent, thus blocking it. Curiously though, it DOES recognize the useragent for a request made via cfhttp, which is “coldfusion”, so that’s accepted.

    There are other implications and alternatives arising from this. I’d shared them in an extended reply on a cf forum thread last year: https://community.adobe.com/t5/coldfusion-discussions/scheduled-task-issue-error-code-1010/m-p/13621525#M194483.

    I never got around to creating a blog post, though I should have. 🙂 If I do, I’d want to point to yours here for the additional helpful perspective it offers.

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.