Anti-bot filter blocking API calls from mobile app (non-JS clients)

I am developing a Flutter mobile app that consumes a PHP API located at /backend/api/ on my subdomain cggsoltec.unaux.com.

When I access the API from a web browser, it works correctly and returns JSON. However, when I make the same request from HTTP clients that don’t execute JavaScript (e.g., PowerShell, my Flutter app’s HTTP client), the server returns an HTML page containing a JavaScript challenge (AES decryption and cookie setting) instead of the expected JSON response.

This suggests there might be an anti-bot, anti-DDoS, or JavaScript validation filter enabled on the server.

My questions are:

1. Is there such a security filter active on cggsoltec.unaux.com?

2. If yes, is it possible to disable it or create an exception for paths like /backend/* or /backend/api/* so that API calls from non-browser clients receive the raw JSON response?

Thank you for your help.

Hi Gabriel, welcome to the community!

Yes, our servers do have an anti-bot/DDoS protection layer active, which is why non-JS clients like your Flutter app are receiving the JavaScript challenge instead of your JSON response.

Unfortunately, free hosting plans do not support whitelisting specific paths or disabling this filter for individual accounts, as it is managed at the server level.