Website Personalization

Common issues

The RightMessage personalization editor (Rover) lets you visually customize your website content. Sometimes security settings or firewall rules can prevent the editor from loading your site properly. Here's how to fix the most common issues.

Cloudflare protection is blocking the editor

If your site uses Cloudflare's bot protection, Turnstile challenges, or firewall rules, they may block the personalization editor from loading your site content.

General bot protection

Cloudflare automatically classifies Browser Rendering API requests as automated traffic, so they'll be blocked by default if you have bot protection enabled.

How to fix it:

  1. Log into your Cloudflare dashboard

  2. Select the domain where you're trying to use RightMessage personalization

  3. Go to Security → WAF → Custom rules

  4. Click Create rule

  5. Enter a rule name like "Allow Browser Rendering"

  6. Under When incoming requests match, set:

    • Field: Bot Detection ID

    • Operator: equals

    • Value: 128292352

  7. Under Choose action, select: Skip

  8. Click Deploy

  9. Try refreshing your personalization campaign preview in RightMessage

This WAF rule tells Cloudflare to allow all requests from the Cloudflare Browser Rendering API, which is what RightMessage uses to load your site in the editor.

Cloudflare Turnstile challenges

If you have Cloudflare Turnstile enabled on your website, the personalization editor may display the Turnstile challenge instead of your actual page content. This happens because:

  1. Rover proxies your website content to enable visual editing

  2. Turnstile treats the proxy request as potentially automated traffic

  3. The challenge renders in the editor, blocking the editing experience

The solution: RightMessage sends a custom header (X-RightMessage-Rover) with all Rover proxy requests. You can configure your site to conditionally skip Turnstile when this header is present.

Your RightMessage Rover identifier is RM-{your-team-pid}. You can find your team PID in your RightMessage dashboard URL or account settings.

Implementation approaches:

Option 1: Cloudflare Worker

Create a Worker to intercept requests and conditionally remove Turnstile:

export default {
  async fetch(request, env) {
    // Check for RightMessage Rover header
    const roverHeader = request.headers.get('X-RightMessage-Rover');
    
    // Replace with your actual team identifier (e.g., 'RM-879351812')
    const allowedIdentifier = 'RM-YOUR_TEAM_PID';
    
    // Fetch the original response
    const response = await fetch(request);
    
    // If not a RightMessage request, return as-is
    if (roverHeader !== allowedIdentifier) {
      return response;
    }
    
    // For RightMessage requests, remove Turnstile elements
    class RemoveHandler {
      element(element) {
        element.remove();
      }
    }
    
    return new HTMLRewriter()
      .on('script[src*="turnstile"]', new RemoveHandler())
      .on('script[src*="challenges.cloudflare.com"]', new RemoveHandler())
      .on('.cf-turnstile', new RemoveHandler())
      .on('[data-turnstile-widget]', new RemoveHandler())
      .transform(response);
  }
};

You must also skip server-side Turnstile validation for these requests. In your form handler, check for the X-RightMessage-Rover header and bypass the Siteverify API call when it matches your team identifier.

Option 2: Next.js / Node.js middleware

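// middleware.js or middleware.ts
import { NextResponse } from 'next/server';

export function middleware(request) {
  const roverHeader = request.headers.get('x-rightmessage-rover');
  const allowedIdentifier = 'RM-YOUR_TEAM_PID';

  // Copy the request headers and drop any client-supplied flag,
  // so only this middleware can set x-skip-turnstile
  const requestHeaders = new Headers(request.headers);
  requestHeaders.delete('x-skip-turnstile');

  if (roverHeader === allowedIdentifier) {
    // Set a flag that your page can check to skip Turnstile rendering
    requestHeaders.set('x-skip-turnstile', 'true');
  }

  // Forward the flag as a request header: headers() in the page reads
  // request headers, not response headers
  return NextResponse.next({ request: { headers: requestHeaders } });
}

export const config = {
  matcher: '/:path*',
};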

In your page component, conditionally render Turnstile:

// In your page or layout
import { headers } from 'next/headers';

export default async function Page() {
  // headers() returns the incoming request headers (it is async in Next.js 15+)
  const headersList = await headers();
  const skipTurnstile = headersList.get('x-skip-turnstile') === 'true';
  
  return (
    <form>
      {/* Your form fields */}
      {!skipTurnstile && (
        <div
          className="cf-turnstile"
          data-sitekey="YOUR_SITE_KEY"
        />
      )}
      <button type="submit">Submit</button>
    </form>
  );
}

Option 3: PHP / Laravel middleware

<?php
namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;

class SkipTurnstileForRightMessage
{
    public function handle(Request $request, Closure $next)
    {
        $roverHeader = $request->header('X-RightMessage-Rover');
        $allowedIdentifier = 'RM-YOUR_TEAM_PID'; // Replace with your team PID
        
        if ($roverHeader === $allowedIdentifier) {
            // Set a flag to skip Turnstile in views
            config(['app.skip_turnstile' => true]);
        }
        
        return $next($request);
    }
}

In your Blade template:

<form method="POST" action="/submit">
    @csrf
    {{-- Your form fields --}}
    
    @unless(config('app.skip_turnstile'))
        <div class="cf-turnstile" data-sitekey="{{ config('services.turnstile.site_key') }}"></div>
    @endunless
    
    <button type="submit">Submit</button>
</form>

In your form controller, skip validation:

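// Requires `use Illuminate\Http\Request;` and `use Illuminate\Support\Facades\Http;` at the top of the controller
public function submit(Request $request)
{
    // Skip Turnstile validation for RightMessage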
    if (!config('app.skip_turnstile')) {
        $response = Http::asForm()->post('https://challenges.cloudflare.com/turnstile/v0/siteverify', [
            'secret' => config('services.turnstile.secret_key'),
            'response' => $request->input('cf-turnstile-response'),
        ]);
        
        if (!$response->json('success')) {
            return back()->withErrors(['turnstile' => 'Verification failed']);
        }
    }
    
    // Process the form...
}

Option 4: Generic server-side approach

For any backend, the pattern is:

  1. Check the header in your request handling:

    • Header name: X-RightMessage-Rover

    • Expected value: RM-{your-team-pid}

  2. Skip Turnstile client-side – Don't render the Turnstile widget

  3. Skip Turnstile server-side – Don't call the Siteverify API

Keep your team PID private – while it's not a secret key, you shouldn't publish it. Only allowlist your specific identifier, not wildcards like RM-*.
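
The generic pattern above as a framework-neutral JavaScript sketch (an added example, not RightMessage's code): one exact-match check on the X-RightMessage-Rover header decides both whether to render the widget and whether to call Siteverify. The function names, the injected `verify` callback and the `RM-000000000` identifier are constructed for illustration.

```javascript
// Added example: all names below are hypothetical, not RightMessage or Cloudflare APIs.

// Compare two strings without exiting early on the first differing character.
function constantTimeEqual(a, b) {
  let diff = a.length ^ b.length;
  const n = Math.max(a.length, b.length);
  for (let i = 0; i < n; i++) {
    diff |= (a.charCodeAt(i) || 0) ^ (b.charCodeAt(i) || 0);
  }
  return diff === 0;
}

// headers: plain object with lowercased names (as Node's req.headers provides).
// expected: your full identifier, e.g. loaded from configuration.
function isRoverRequest(headers, expected) {
  const value = headers['x-rightmessage-rover'];
  if (typeof value !== 'string' || !expected) return false; // header absent or no identifier configured
  return constantTimeEqual(value, expected); // exact match only, never a prefix or RM-* pattern
}

// One decision per request drives both halves of the bypass, so the widget
// and the Siteverify call can never disagree.
function turnstilePlan(headers, expected) {
  const rover = isRoverRequest(headers, expected);
  return { renderWidget: !rover, callSiteverify: !rover };
}

// verify(token) is an injected async function that wraps the Siteverify call
// and resolves to true or false.
async function handleSubmit(headers, form, verify, expected) {
  if (turnstilePlan(headers, expected).callSiteverify) {
    const ok = await verify(form['cf-turnstile-response']);
    if (!ok) return { status: 403, error: 'Verification failed' };
  }
  return { status: 200 };
}

// Constructed sample requests
const TEAM_ID = 'RM-000000000'; // placeholder identifier
const samples = [
  { 'x-rightmessage-rover': 'RM-000000000' }, // Rover request with the configured identifier
  { 'x-rightmessage-rover': 'RM-111111111' }, // a different RM- value: handled as a normal visitor
  {},                                         // ordinary visitor, no header
];
const plans = samples.map((h) => turnstilePlan(h, TEAM_ID));
```
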

Testing your Turnstile bypass

  1. Open RightMessage and navigate to your personalization editor

  2. Load a page from your website that has Turnstile

  3. You should see your actual page content instead of the Turnstile challenge

  4. The editing experience should work normally

Troubleshooting Turnstile issues

Still seeing Turnstile in the editor?

  1. Verify the header is being sent by checking your server logs for the X-RightMessage-Rover header

  2. Ensure the identifier matches your team PID exactly

  3. Clear Rover cache using the refresh button in the editor

  4. Check that your middleware is running before Turnstile is rendered

Forms not submitting in the editor?

Remember: You must skip both client-side rendering AND server-side validation. If you only remove the widget but still validate the token, form submissions will fail.

IP-based blocking or firewall rules

Some servers, firewalls, or security plugins block requests from unknown IP addresses.

How to fix it:

Add our server IP to your allowlist:

  • RightMessage Server IP: 143.198.171.122

Where to add this depends on your setup:

  • Cloudflare: Security → WAF → Tools → IP Access Rules → Add 143.198.171.122 with "Allow" action

  • WordPress security plugins (Wordfence, Sucuri, etc.): Look for "Allowlist" or "Whitelist" settings and add the IP

  • Server firewall: Ask your hosting provider to allowlist the IP address

  • cPanel/WHM: Check IP Blocker or ConfigServer Security & Firewall (CSF) settings

Server denies all proxying requests

Some hosting providers or server configurations have strict security policies that prevent any kind of proxying or external access.

What you'll see:

  • The editor preview shows an error or blank page

  • All attempts to load your site in the editor fail

  • Your server logs show 403 Forbidden or similar errors

How to fix it:

  1. Check with your hosting provider about their security policies

  2. Verify that external services can access your site (not just human visitors)

  3. Temporarily disable any "bot protection" or "proxy blocking" features to test

  4. Make sure our User-Agent isn't being blocked: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36

Timeout or performance issues

If your site is very slow to load or has heavy JavaScript, the proxy may time out before fully loading the page.

How to fix it:

  • Optimize your page load times (consider using a CDN)

  • Reduce the number of third-party scripts on the page you're trying to personalize

  • Try personalizing a simpler page first to verify the connection works
