Illegal ‘domain’ attribute “”

Problem statement

We see a warning: illegal ‘domain’ attribute “”. What does this mean?


The __cf_bm cookie in the response has the domain set to .[]( despite the request being made via the custom domain. This happens when using self-managed certificates due to the origin edge server not being aware of the domain.


The warning can be safely ignored. The __cf_bm cookie originates from Cloudflare, not from Auth0, and is part of their bot management service.

When using self-managed certificates, you configure your tenant’s origin domain at the reverse proxy. The edge server of the origin domain resides at Cloudflare. Since the origin domain is under the []( subdomain and the custom domain is not configured with Cloudflare, the __cf_bm cookie is set with the []( domain.

In contrast, when you use an Auth0-managed domain, the __cf_bm cookie returned will be that of the custom domain since Cloudflare is aware of the domain in this case. However, this is still not the case if you make the request directly to the edge.