From 714d7980b487c07365db107c7122fbda6f8a6745 Mon Sep 17 00:00:00 2001
From: Etheirystech
Date: Thu, 9 Apr 2026 09:16:01 +0200
Subject: [PATCH] Update code comment to reflect actual root cause
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The cf_clearance cookie is not bound to TLS fingerprint — testing confirmed it works from curl (different TLS stack). The real issue is that CF selectively challenges by IP/UA, so FlareSolverr may not receive a challenge and returns no cf_clearance cookie.
---
 .../IndexerProxies/FlareSolverr/FlareSolverr.cs | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/src/NzbDrone.Core/IndexerProxies/FlareSolverr/FlareSolverr.cs b/src/NzbDrone.Core/IndexerProxies/FlareSolverr/FlareSolverr.cs
index 2a186f45e..2fcb1b7bb 100644
--- a/src/NzbDrone.Core/IndexerProxies/FlareSolverr/FlareSolverr.cs
+++ b/src/NzbDrone.Core/IndexerProxies/FlareSolverr/FlareSolverr.cs
@@ -72,10 +72,9 @@ public override HttpResponse PostResponse(HttpResponse response)
 InjectCookies(newRequest, result);
 // Use FlareSolverr's response body directly when available.
- // A second HTTP request with the extracted cookies would get rejected
- // because cf_clearance is validated against the TLS fingerprint of the
- // client that solved the challenge (FlareSolverr's headless browser),
- // which differs from .NET HttpClient's fingerprint.
+ // When CF selectively challenges by IP/UA, FlareSolverr may not
+ // receive a challenge and thus returns no cf_clearance cookie.
+ // A second request without that cookie gets 403'd.
 if (result.Solution.Response.IsNotNullOrWhiteSpace())
 {
 var headers = new HttpHeader();
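Review bot: The rewritten comment above `if (result.Solution.Response.IsNotNullOrWhiteSpace())` says a second request without cf_clearance is rejected, but not why that request would be challenged when FlareSolverr's was not. The missing link is presumably that the follow-up is sent by a different client, so the IP/UA-based decision can differ; today that is only hinted at in the commit message. I would state it in the comment and drop the slang, e.g. `// Cloudflare decides per IP/UA whether to challenge, so FlareSolverr may see no challenge and return no cf_clearance cookie;` followed by `// a follow-up request from our own HTTP client can then be challenged and, lacking the cookie, is answered with 403.` The comment also does not say what happens when the solution carries no body; PostResponse starts and continues outside this hunk, so that path is not visible here.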